{"_fn":["SubjectUserSid","SubjectUserName","SubjectDomainName","SubjectLogonId","TargetUserSid","TargetUserName","TargetDomainName","TargetLogonId","LogonType","LogonProcessName","AuthenticationPackageName","WorkstationName","LogonGuid","TransmittedServices","LmPackageName","KeyLength","ProcessId","ProcessName","IpAddress","IpPort","ImpersonationLevel","RestrictedAdminMode","RemoteCredentialGuard","TargetOutboundUserName","TargetOutboundDomainName","VirtualAccount","TargetLinkedLogonId","ElevatedToken","Security_ID","Account_Name","Account_Domain","Logon_ID","Status","Failure_Reason","Sub_Status","Logon_Type","Logon_Process","Authentication_Package","Workstation_Name","Transited_Services","Package_Name_NTLM_only","Key_Length","Caller_Process_ID","Caller_Process_Name","Source_Network_Address","Source_Port","Object_Server","Object_Type","Object_Name","Operation_Type","Handle_ID","Accesses","Access_Mask","Properties","Parameter_1","Parameter_2","Task_Name","Task_Content","Task_New_Content","CategoryId","SubcategoryId","SubcategoryGuid","AuditPolicyChanges","ClientProcessId","ClientProcessStartKey","MemberName","MemberSid","TargetSid","PrivilegeList","Dummy","SamAccountName","DisplayName","UserPrincipalName","HomeDirectory","HomePath","ScriptPath","ProfilePath","UserWorkstations","PasswordLastSet","AccountExpires","PrimaryGroupId","AllowedToDelegateTo","OldUacValue","NewUacValue","UserAccountControl","UserParameters","SidHistory","LogonHours","OldTargetUserName","NewTargetUserName","OpCorrelationID","AppCorrelationID","DSName","DSType","ObjectDN","ObjectGUID","ObjectClass","AttributeLDAPDisplayName","AttributeSyntaxOID","AttributeValue","OperationType","RuleName","UtcTime","ProcessGuid","Image","ImageLoaded","FileVersion","Description","Product","Company","OriginalFileName","Hashes","Signed","Signature","SignatureStatus","User","SourceProcessGuid","SourceProcessId","SourceImage","TargetProcessGuid","TargetProcessId","TargetImage","NewThreadId","StartAddress","StartModul
e","StartFunction","SourceUser","TargetUser","LogFileCleared.SubjectUserSid","LogFileCleared.SubjectUserName","LogFileCleared.SubjectDomainName","LogFileCleared.SubjectLogonId","LogFileCleared.ClientProcessId","LogFileCleared.ClientProcessStartKey","MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path","NewProcessId","NewProcessName","TokenElevationType","CommandLine","ParentProcessName","MandatoryLabel","Privileges","SAM_Account_Name","Display_Name","User_Principal_Name","Home_Directory","Home_Drive","Script_Path","Profile_Path","User_Workstations","Password_Last_Set","Account_Expires","Primary_Group_ID","Old_UAC_Value","New_UAC_Value","User_Account_Control","User_Parameters","SID_History","Logon_Hours","DNS_Host_Name","Service_Principal_Names","ObjectType","ShareName","ShareLocalPath","RelativeTargetName","AccessMask","AccessList","AccessReason","CurrentDirectory","LogonId","TerminalSessionId","IntegrityLevel","ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser","SourceProcessGUID","SourceThreadId","TargetProcessGUID","GrantedAccess","CallTrace","EventType","PipeName","TargetLogonGuid","TargetServerName","TargetInfo","Transaction_ID","PrivilegesUsedForAccessCheck","Restricted_SID_Count","Process_ID","Process_Name","ObjectServer","ObjectName","HandleId","ResourceAttributes","Supplied_Realm_Name","User_ID","Service_Name","Service_ID","Ticket_Options","Result_Code","Ticket_Encryption_Type","PreAuthentication_Type","Client_Address","Client_Port","Certificate_Issuer_Name","Certificate_Serial_Number","Certificate_Thumbprint","Failure_Code","Logon_GUID","PackageName","Workstation","Operation","Consumer","Filter","ServiceName","ImagePath","ServiceType","StartType","AccountName","Device","TargetFilename","CreationUtcTime","Hash","Contents","DeploymentOperation","PackageFullName","MountPoint","TargetPlatform","SystemVolume","StorageId","IsCentennial","PackageType","IsPackageEncrypted","DeploymentOptions","IsStreamingPackage",
"IsInRelatedSet","IsPackageUsingBDC","MainPackageFamilyName","CallingProcess","IsOptional","PackageFlags","PackageFlags2","HasWin32alacarte","HasFullTrust","ExternalLocation","PackageSourceUri","PackageDisplayName","LogFileCleared.Channel","LogFileCleared.BackupPath","ServiceFileName","ServiceStartType","ServiceAccount","EnabledPrivilegeList","DisabledPrivilegeList","Group_Name","Group_Domain","ProcessID","Application","Direction","SourceAddress","SourcePort","DestAddress","DestPort","Protocol","InterfaceIndex","FilterOrigin","FilterRTID","LayerName","LayerRTID","RemoteUserID","RemoteMachineID","OriginalProfile","CurrentProfile","IsLoopback","HasRemoteDynamicKeywordAddress","Initiated","SourceIsIpv6","SourceIp","SourceHostname","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort","DestinationPortName","TargetObject","Details","Name","Type","Destination","QueryName","QueryStatus","QueryResults","IsExecutable","Archived","ObjectValueName","OldValueType","OldValue","NewValueType","NewValue","SID_List","Caller_Workstation","Status_Code","PreviousCreationUtcTime","Configuration","ConfigurationFileHash","EventIdx","EventCountTotal","GroupMembership","OldSd","NewSd","Service","MasterKeyId","RecoveryServer","RecoveryKeyId","FailureReason","Key_Identifier","Recovery_Server","Recovery_Key_ID","TargetName","CountOfCredentialsReturned","ReadOperation","ReturnCode","ProcessCreationTime","ErrorCode","IsInPlaceUpdate","ErrorFileInfo","DetailedMessageInfo","RollbackErrorFileInfo","RollbackDetailedMessageInfo","TaskName","TaskContent","RpcCallClientLocality","FQDN","TemplateInternalName","TemplateVersion","TemplateSchemaVersion","TemplateOID","TemplateDSObjectFQDN","DCDNSName","TemplateContent","SecurityDescriptor","Domain_Controller","Template_Content","Security_Descriptor","AuditSourceName","EventSourceId","Source_Name","Event_Source_ID","ProfileChanged","RuleId","ProviderKey","ProviderName","FilterKey","FilterName","FilterType","FilterId","
LayerKey","LayerId","Weight","Conditions","Action","CalloutKey","CalloutName","UserSid","UserName","ChangeType","ProviderContextKey","ProviderContextName","ProviderContextType","State","Version","SchemaVersion","EventNamespace","Query","Origin","ApplicationPath","LocalPorts","RemotePorts","Profiles","LocalAddresses","RemoteAddresses","RemoteMachineAuthorizationList","RemoteUserAuthorizationList","EmbeddedContext","Flags","Active","EdgeTraversal","LooseSourceMapped","SecurityOptions","ModifyingUser","ModifyingApplication","RuleStatus","LocalOnlyMapped","Caption","Message","EventOrginal","SidList","jobTitle","jobId","jobOwner","processPath","processId","ContextInfo","UserData","Payload","PreviousTime","NewTime","Domain_Name","Domain_ID","Trust_Type","Trust_Direction","Trust_Attributes","SID_Filtering","GroupTypeChange","Change_Type","CallerProcessId","CallerProcessName","SessionId","Session_ID","User_Name","Domain","RequestId","Requester","Attributes","Request_ID","Subject","SubjectAlternativeName","CertificateTemplate","RequestOSVersion","RequestCSPProvider","RequestClientInfo","AuthenticationService","AuthenticationLevel","DCOMorRPC","Disposition","SubjectKeyIdentifier","SKI","SerialNumber","TreeDelete","SchemaFriendlyName","Schema","Resource","Identity","PackageSid","DeviceId","DeviceDescription","ClassId","ClassName","VendorIds","CompatibleIds","LocationInformation","PackageMoniker","Caller_Computer_Name","NewName","Product Name","Product Version","Old Value","New 
Value","CryptAcquireCertificatePrivateKey","Value","Request_Type","RequestType","AuthenticationPackage","DataDescription","ProtectedDataFlags","CryptoAlgorithms","DomainPolicyChanged","DomainName","DomainSid","MinPasswordAge","MaxPasswordAge","ForceLogoff","LockoutThreshold","LockoutObservationWindow","LockoutDuration","PasswordProperties","MinPasswordLength","PasswordHistoryLength","MachineAccountQuota","MixedDomainMode","DomainBehaviorVersion","OemInformation","SourceUserName","Session_Name","Client_Name","SettingType","SettingValue","FileName","BackupFileName","HardwareIds","EventXML.User","EventXML.SessionID","EventXML.Address","Operation_EssStarted.NamespaceName","Operation_EssStarted.Query","Operation_EssStarted.User","Operation_EssStarted.Processid","Operation_EssStarted.Provider","Operation_EssStarted.queryid","Operation_EssStarted.PossibleCause","Operation_ESStoConsumerBinding.Namespace","Operation_ESStoConsumerBinding.ESS","Operation_ESStoConsumerBinding.CONSUMER","Operation_ESStoConsumerBinding.PossibleCause","param1","param2","Binary","ServiceSid","TicketOptions","TicketEncryptionType","RequestTicketHash","ResponseTicketHash","PuaCount","PuaPolicyId","HardwareChecks","ADDomainJoin","AADDomainJoin","Data","HRESULT","UserId","LicenseId","AssociateId","Arguments","API","Result","CompatibilityFixEvent.ProcessId","CompatibilityFixEvent.StartTime","CompatibilityFixEvent.FixID","CompatibilityFixEvent.Flags","CompatibilityFixEvent.ExePath","CompatibilityFixEvent.FixName","RegisterUninstallStringEventData.UninstallStringLength","RegisterUninstallStringEventData.UninstallString","RegisterUninstallStringEventData.UninstallerPathLength","RegisterUninstallStringEventData.UninstallerPath","RegisterUninstallStringEventData.ProcessNameLength","RegisterUninstallStringEventData.ProcessName","RegisterUninstallStringEventData.SessionId","RegisterUninstallStringEventData.SubSessionId","RegisterUninstallStringEventData.Status","PackageId","Error","Source","TaskId","TaskCount"
,"Expression","Function","File","Line","IsSpecialUserProfile","InstallPackageList","RemovePackageList","ErrorText","ErrorMessage","CategoryName","SummaryError","SourceFolderPath","DestinationFolderPath","PathOne","PathTwo","HResult","Options","Bundle","AppDataVolume","RegistryKeyName","EndOfLifePackageList","MainPackageFullName","BiometricSensor","SensorAdapter","EngineAdapter","StorageAdapter","DatabaseID","SensorMode","SensorPool","IsolationLevel","IsolationSensorAdapter","IsolationEngineAdapter","IsolationStorageAdapter","AvailabilityInfo","LocalizedText","fileCount","bytesTransferred","bytesTransferredFromPeer","program","parameters","RemoteName","LocalName","FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer","RequestedPolicy","ValidatedPolicy","MasterKeyGUID","UserStorage","EncryptCredID","EncryptCredKey","CredKeyIdentifier","KeyName","AlgorithmName","KeyModificationType","KeyFileName","ThreadId","ServiceTag","DeletionType","Client","BindingStatusCode","BindingStatusString","InstanceBindingAttempts","ImageBindingAttempts","ActiveInstances","ActiveInstancesMax","InstancesLifetime","Default SD String:","PolicyActivityId","PrincipalSamName","IsMachine","IsDomainJoined","IsBackgroundProcessing","IsAsyncProcessing","IsServiceRestart","ReasonForSyncProcessing","DCName","DCIPAddress","MachineRole","NetworkName","PrincipalCNName","PrincipalDomainName","DCDomainName","DescriptionString","GPOInfoList","InfoDescription","OperationParameter1","ErrorDescription","SupportInfo1","SupportInfo2","ProcessingMode","ProcessingTimeInMilliseconds","NumberOfGroupPolicyObjects","InitialAllocationNumaPolicy","ApplicationId","ExecutionState","AppState","AppId","PhaseFlags","Process Name","Module Name","Build 
Name","DiagCode","InitState","StatusCode","FailureAddress","ReferenceAddress","ReasonCode","Position","Phase","EnableDisableReason","VsmPolicy","VolumeDeviceGuid","PeriodDurationMicroSec","EventSamples","TotalNumberOfMappedVacbs","TotalPartitionSamples","TotalVolumeSamples","TotalPagesYetToWrite","TotalDirtyPages","TotalAvailablePages","TotalNumberWorkerThreads","TotalNumberActiveWorkerThreads","TotalAverageAvailablePages","TotalAverageDirtyPages","CcCopyReadCalls","CcAsyncCopyReadCalls","CcCopyWriteCalls","CcSetValidDataCalls","CcFlushCacheCalls","NumberOfNUMANodes","MaxDirtyPages","TotalDirtyPageThreshold","TopDirtyPageThreshold","BottomDirtyPageThreshold","DirtyPageSamples","LazyWriterCalls","TotalLazyWriterLatency","TotalLazyWriterPagesFlushed","LazyWriterAvgPagesPerSecond","TotalPagesQueuedToDisk","MaxPagesQueuedToDisk","PagesQueuedToDiskSamples","TotalLoggedPagesQueuedToDisk","MaxLoggedPagesQueuedToDisk","LoggedPagesQueuedToDiskSamples","ReadTotalBytes","ReadPagedInTotalBytes","ReadAheadTotalBytes","CacheHitRatio","TotalWrites","TotalHardThrottleWrites","TotalSoftThrottleWrites","TotalSynchronousReadIoCount","TotalSynchronousNonBlockingReadIoCount","TotalFailedSynchronousNonBlockingReadIoCount","SynchronousReadIoMaxLatency","SynchronousReadIoNonBlockingMaxLatency","TotalSynchronousWriteIoCount","TotalSynchronousNonBlockingWriteIoCount","TotalFailedSynchronousNonBlockingWriteIoCount","SynchronousWriteIoMaxLatency","SynchronousWriteIoNonBlockingMaxLatency","TotalAsynchronousReadIoCount","AsynchronousReadIoMaxLatency","SynchronousReadIoCountsBucket1","SynchronousReadIoCountsBucket2","SynchronousReadIoCountsBucket3","SynchronousReadIoCountsBucket4","SynchronousReadIoCountsBucket5","SynchronousReadIoCountsBucket6","SynchronousReadIoCountsBucket7","SynchronousReadIoCountsBucket8","SynchronousReadIoCountsBucket9","SynchronousReadIoCountsBucket10","SynchronousReadIoCountsBucket11","SynchronousReadIoCountsBucket12","SynchronousReadTotalLatencyBucket1","SynchronousReadT
otalLatencyBucket2","SynchronousReadTotalLatencyBucket3","SynchronousReadTotalLatencyBucket4","SynchronousReadTotalLatencyBucket5","SynchronousReadTotalLatencyBucket6","SynchronousReadTotalLatencyBucket7","SynchronousReadTotalLatencyBucket8","SynchronousReadTotalLatencyBucket9","SynchronousReadTotalLatencyBucket10","SynchronousReadTotalLatencyBucket11","SynchronousReadTotalLatencyBucket12","SynchronousReadNonBlockingIoCountsBucket1","SynchronousReadNonBlockingIoCountsBucket2","SynchronousReadNonBlockingIoCountsBucket3","SynchronousReadNonBlockingIoCountsBucket4","SynchronousReadNonBlockingIoCountsBucket5","SynchronousReadNonBlockingIoCountsBucket6","SynchronousReadNonBlockingIoCountsBucket7","SynchronousReadNonBlockingIoCountsBucket8","SynchronousReadNonBlockingIoCountsBucket9","SynchronousReadNonBlockingIoCountsBucket10","SynchronousReadNonBlockingIoCountsBucket11","SynchronousReadNonBlockingIoCountsBucket12","SynchronousReadNonBlockingTotalLatencyBucket1","SynchronousReadNonBlockingTotalLatencyBucket2","SynchronousReadNonBlockingTotalLatencyBucket3","SynchronousReadNonBlockingTotalLatencyBucket4","SynchronousReadNonBlockingTotalLatencyBucket5","SynchronousReadNonBlockingTotalLatencyBucket6","SynchronousReadNonBlockingTotalLatencyBucket7","SynchronousReadNonBlockingTotalLatencyBucket8","SynchronousReadNonBlockingTotalLatencyBucket9","SynchronousReadNonBlockingTotalLatencyBucket10","SynchronousReadNonBlockingTotalLatencyBucket11","SynchronousReadNonBlockingTotalLatencyBucket12","AsynchronousReadIoCountsBucket1","AsynchronousReadIoCountsBucket2","AsynchronousReadIoCountsBucket3","AsynchronousReadIoCountsBucket4","AsynchronousReadIoCountsBucket5","AsynchronousReadIoCountsBucket6","AsynchronousReadIoCountsBucket7","AsynchronousReadIoCountsBucket8","AsynchronousReadIoCountsBucket9","AsynchronousReadIoCountsBucket10","AsynchronousReadIoCountsBucket11","AsynchronousReadIoCountsBucket12","AsynchronousReadTotalLatencyBucket1","AsynchronousReadTotalLatencyBucket2","Asynchron
ousReadTotalLatencyBucket3","AsynchronousReadTotalLatencyBucket4","AsynchronousReadTotalLatencyBucket5","AsynchronousReadTotalLatencyBucket6","AsynchronousReadTotalLatencyBucket7","AsynchronousReadTotalLatencyBucket8","AsynchronousReadTotalLatencyBucket9","AsynchronousReadTotalLatencyBucket10","AsynchronousReadTotalLatencyBucket11","AsynchronousReadTotalLatencyBucket12","SynchronousWriteIoCountsBucket1","SynchronousWriteIoCountsBucket2","SynchronousWriteIoCountsBucket3","SynchronousWriteIoCountsBucket4","SynchronousWriteIoCountsBucket5","SynchronousWriteIoCountsBucket6","SynchronousWriteIoCountsBucket7","SynchronousWriteIoCountsBucket8","SynchronousWriteIoCountsBucket9","SynchronousWriteIoCountsBucket10","SynchronousWriteIoCountsBucket11","SynchronousWriteIoCountsBucket12","SynchronousWriteTotalLatencyBucket1","SynchronousWriteTotalLatencyBucket2","SynchronousWriteTotalLatencyBucket3","SynchronousWriteTotalLatencyBucket4","SynchronousWriteTotalLatencyBucket5","SynchronousWriteTotalLatencyBucket6","SynchronousWriteTotalLatencyBucket7","SynchronousWriteTotalLatencyBucket8","SynchronousWriteTotalLatencyBucket9","SynchronousWriteTotalLatencyBucket10","SynchronousWriteTotalLatencyBucket11","SynchronousWriteTotalLatencyBucket12","SynchronousWriteNonBlockingIoCountsBucket1","SynchronousWriteNonBlockingIoCountsBucket2","SynchronousWriteNonBlockingIoCountsBucket3","SynchronousWriteNonBlockingIoCountsBucket4","SynchronousWriteNonBlockingIoCountsBucket5","SynchronousWriteNonBlockingIoCountsBucket6","SynchronousWriteNonBlockingIoCountsBucket7","SynchronousWriteNonBlockingIoCountsBucket8","SynchronousWriteNonBlockingIoCountsBucket9","SynchronousWriteNonBlockingIoCountsBucket10","SynchronousWriteNonBlockingIoCountsBucket11","SynchronousWriteNonBlockingIoCountsBucket12","SynchronousWriteNonBlockingTotalLatencyBucket1","SynchronousWriteNonBlockingTotalLatencyBucket2","SynchronousWriteNonBlockingTotalLatencyBucket3","SynchronousWriteNonBlockingTotalLatencyBucket4","SynchronousWriteN
onBlockingTotalLatencyBucket5","SynchronousWriteNonBlockingTotalLatencyBucket6","SynchronousWriteNonBlockingTotalLatencyBucket7","SynchronousWriteNonBlockingTotalLatencyBucket8","SynchronousWriteNonBlockingTotalLatencyBucket9","SynchronousWriteNonBlockingTotalLatencyBucket10","SynchronousWriteNonBlockingTotalLatencyBucket11","SynchronousWriteNonBlockingTotalLatencyBucket12","NTStatus","SessionName","LoggingMode","OldTime","TimeDeltaInMs","Reason","CmosTime","TimeZoneBias","RealTimeIsUniversal","SystemInCmosMode","UpdateReason","EnabledNew","CountNew","CountOld","VolumeGuid","VolumeNameLength","VolumeName","DeviceInstanceId","DriverName","ClassGuid","DriverDate","DriverVersion","DriverProvider","DriverInbox","DriverSection","DriverRank","MatchingDeviceId","OutrankedDrivers","DeviceUpdated","ParentDeviceInstanceId","LowerFilters","UpperFilters","Problem","VetoType","VetoName","DeviceCount","ElapsedTimeMs","ShutdownActionType","ShutdownEventCode","ShutdownReason","Group","Number","IdleStateCount","IdleImplementation","NominalFrequency","MaximumPerformancePercent","MinimumPerformancePercent","MinimumThrottlePercent","PerformanceImplementation","ShimSource","ShimCount","AppliedGuids","DeviceName","DeviceClass","FlagSource","FunctionName","cid","MachineEnvironment","Parameter","InterfaceGuid","IfLuid","Family","Capability","CapabilityChangeReason","PreviousCapability","CurrentOrNextState","Guid","Category","ProfileGuid","ErrorCodev4","ErrorCodev6","Context","VolumeCorrelationId","VolumeIdLength","VolumeId","VolumeLabelLength","VolumeLabel","DeviceNameLength","DeviceGuid","VendorIdLength","VendorId","ProductIdLength","ProductId","ProductRevisionLength","ProductRevision","DeviceSerialNumberLength","DeviceSerialNumber","BusType","AdapterSerialNumberLength","AdapterSerialNumber","Vcb","MountDurationUs","MountDuration","LongestStage","LongestStageDuration","LongestStagePercentage","SecondLongestStage","SecondLongestStageDuration","SecondLongestStagePercentage","RestartApplied"
,"IsBootVolume","Stage1DurationUs","Stage2DurationUs","Stage3DurationUs","Stage4DurationUs","Stage5DurationUs","Stage6DurationUs","Stage7DurationUs","Stage8DurationUs","Stage9DurationUs","Stage10DurationUs","DurationUs","InputFlags","MediaType","RunsCached","LongestRunCached","LongestRunCachedStr","MostPopulatedBinCount","MostPopulatedBinMinLength","MostPopulatedBinMinLengthStr","MostPopulatedBinMaxLength","MostPopulatedBinMaxLengthStr","TotalCachedRuns","CachedRunsLogged","CachedRunsAlignment","RunsInCachedRuns","LongestRunInCachedRuns","MostPopulatedBinCountInCachedRuns","MostPopulatedBinMinLengthInCachedRuns","MostPopulatedBinMaxLengthInCachedRuns","ElapsedSeconds","AvailabeSpaceMinStr","AvailabeSpaceMaxStr","AvailabeSpaceDeltaStr","AvailableClustersMin","AvailableClustersMax","UnallocatedClustersMin","UnallocatedClustersMax","ReservedClustersMin","ReservedClustersMax","TxfAbortReservedClustersMin","TxfAbortReservedClustersMax","PageFileSizeInBytes","PageFileSizeStr","VolumeSizeInBytes","VolumeSizeStr","ClusterSize","CachedRunsMissCountForMft","CachedRunsMissCountForMftZone","CachedRunsMissCount","MaxLatencyMs","FileIdHigh","FileIdLow","IoType","IoTypeStr","IoSize","FileOffset","LatencyMs","StartingLcn","ClustersCount","SecondsElapsed","HighLatencyCount","FailedWriteCount","FailedReadCount","BadClusterHotfixCount","ValuesCount","HighLatencyArray","FailedWriteArray","FailedReadArray","BadClusterHotfixArray","StatusArray","TableIndexArray","IntervalDurationMs","IntervalDurationStr","VcbExAcquireCount","VcbExMaxWaitDurationMs","VcbExAvgWaitDurationMs","VcbExMaxHoldDurationMs","VcbExAvgHoldDurationMs","VcbExMaxCombinedDurationMs","VcbExAvgCombinedDurationMs","UserFileReads","UserFileReadBytes","UserDiskReads","UserFileWrites","UserFileWriteBytes","UserDiskWrites","MetaDataReads","MetaDataReadBytes","MetaDataDiskReads","MetaDataWrites","MetaDataWriteBytes","MetaDataDiskWrites","MftReads","MftReadBytes","MftWrites","MftWriteBytes","Mft2Writes","Mft2WriteBytes","RootInd
exReads","RootIndexReadBytes","RootIndexWrites","RootIndexWriteBytes","BitmapReads","BitmapReadBytes","BitmapWrites","BitmapWriteBytes","MftBitmapReads","MftBitmapReadBytes","MftBitmapWrites","MftBitmapWriteBytes","UserIndexReads","UserIndexReadBytes","UserIndexWrites","UserIndexWriteBytes","LogFileReads","LogFileReadBytes","LogFileWrites","LogFileWriteBytes","LogFileFull","LogFileFullReasonBucket1","LogFileFullReasonBucket2","LogFileFullReasonBucket3","LogFileFullReasonBucket4","LogFileFullReasonBucket5","LogFileFullReasonBucket6","LogFileFullReasonBucket7","LogFileFullReasonBucket8","LogFileFullReasonBucket9","LogFileFullReasonBucket10","LogFileFullReasonBucket11","LogFileFullReasonBucket12","LogFileFullReasonBucket13","LogFileFullReasonBucket14","LogFileFullReasonBucket15","DiskResourceFailure","VolumeTrimCount","VolumeTrimTime","VolumeTrimSize","AvgVolumeTrimTime","AvgVolumeTrimSize","VolumeTrimSkippedCount","VolumeTrimSkippedSize","FileLevelTrimCount","FileLevelTrimTime","FileLevelTrimSize","AvgFileLevelTrimTime","AvgFileLevelTrimSize","NtfsFillStatInfoFromMftRecordCalledCount","NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount","NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount","FromSize","ToSize","VolumeSizeChangeOperation","VolumeSizeChangeRequestType","CombinedDurationMs","Stage1DurationMs","Stage2DurationMs","Stage3DurationMs","SummaryId","HighLatencyMs","HighLatencyStr","HighLatencyIoCount","TotalIoCount","TotalIoTimeNs","AverageIops","AverageLatencyNs","AverageLatencyStr","MaxLatencyNs","MaxLatencyStr","LatencyBuckets","IoCount0","IoCount1","IoCount2","IoCount3","IoCount4","IoCount5","IoCount6","IoCount7","IoCount8","IoCount9","IoCount10","IoCount11","IoCount12","IoCount13","IoCount14","IoCount15","TotalTimeNs0","TotalTimeNs1","TotalTimeNs2","TotalTimeNs3","TotalTimeNs4","TotalTimeNs5","TotalTimeNs6","TotalTimeNs7","TotalTimeNs8","TotalTimeNs9","TotalTimeNs10","TotalTimeNs11","TotalTimeNs12","TotalTimeNs13","TotalTimeNs14"
,"TotalTimeNs15","PeriodDurationMicrosSec","OperationCount","RepostedOperationCount","FailedOperationCount","OperationRangeCount","OperationByteCount","OperationLongRangeByteCount","UnalignedRangeCount","BytesInUnalignedRanges","OperationTrimExtentCount","NonBlockAlignedTrimByteCount","ReclaimedByteCount","ByteCountLabelsLength","ByteCountLabels","OperationCountBuckets1","OperationCountBuckets2","OperationCountBuckets3","OperationCountBuckets4","OperationCountBuckets5","OperationCountBuckets6","OperationCountBuckets7","OperationCountBuckets8","OperationCountBuckets9","OperationCountBuckets10","OperationCountBuckets11","OperationCountBuckets12","OperationByteCountBuckets1","OperationByteCountBuckets2","OperationByteCountBuckets3","OperationByteCountBuckets4","OperationByteCountBuckets5","OperationByteCountBuckets6","OperationByteCountBuckets7","OperationByteCountBuckets8","OperationByteCountBuckets9","OperationByteCountBuckets10","OperationByteCountBuckets11","OperationByteCountBuckets12","OperationBytesReclaimedBuckets1","OperationBytesReclaimedBuckets2","OperationBytesReclaimedBuckets3","OperationBytesReclaimedBuckets4","OperationBytesReclaimedBuckets5","OperationBytesReclaimedBuckets6","OperationBytesReclaimedBuckets7","OperationBytesReclaimedBuckets8","OperationBytesReclaimedBuckets9","OperationBytesReclaimedBuckets10","OperationBytesReclaimedBuckets11","OperationBytesReclaimedBuckets12","OperationLatencyBuckets1","OperationLatencyBuckets2","OperationLatencyBuckets3","OperationLatencyBuckets4","OperationLatencyBuckets5","OperationLatencyBuckets6","OperationLatencyBuckets7","OperationLatencyBuckets8","OperationLatencyBuckets9","OperationLatencyBuckets10","OperationLatencyBuckets11","OperationLatencyBuckets12","LatencyBucketLabelsLength","LatencyBucketLabelsLabels","OperationCountLatencyBuckets1","OperationCountLatencyBuckets2","OperationCountLatencyBuckets3","OperationCountLatencyBuckets4","OperationCountLatencyBuckets5","OperationCountLatencyBuckets6","OperationC
ountLatencyBuckets7","OperationCountLatencyBuckets8","OperationCountLatencyBuckets9","OperationCountLatencyBuckets10","OperationCountLatencyBuckets11","OperationCountLatencyBuckets12","OperationCountLatencyBuckets13","OperationCountLatencyBuckets14","OperationCountLatencyBuckets15","OperationFailureStatusCode1","OperationFailureCount1","OperationFailureStatusCode2","OperationFailureCount2","OperationFailureStatusCode3","OperationFailureCount3","OperationFailureStatusCode4","OperationFailureCount4","OperationFailureStatusCode5","OperationFailureCount5","DismountReason","JournalId","MaximumSize","AllocationDelta","CurrentUsn","RunspaceId","ProcessUserSid","ProcessAppPackageFullName","OldSettingValue","NewSettingValue","Component","Area","SubArea","ID","Justification","TestCode","Message1","Message2","LineNumber","ChannelsExist","GroupPolicyValue","MDMPolicyValue","PowerEventType","IsEnabled","Verb","TrID","Namespace","CorrelationVector","Bytes","ConnectionType","KaValueType","KaValue","KaMinLimit","ChannelId","AppUserModelId","AppSettings","AppType","RB_IoReadBytes","RB_CacheHitBytes","RB_PrefetchBytes","RB_CacheHitPercentage","RB_IoReadCount","RB_CacheHitCount","RB_PrefetchReadCount","RB_PrefetchDiskTimeUs","RB_SyncPrefetchIoBytes","RB_SyncPrefetchIoCount","RB_SyncPhaseDurationUs","RB_PostSyncPhasePendCount","RB_Flags","BootPlanTimestamp","Duration 
(ms)","DiskAssessmentTimestamp","VolumeUniqueId","OldRdbAttachState","NewRdbAttachState","OldHbdrvAttachState","NewHbdrvAttachState","VolumePath","UniqueIdLength","The_server_has_initiated_a_multitransport_request_to_the_client_for_tunnel","The_multitransport_connection_finished_for_tunnel","Idle2","AVC_available","Initial_profile","Server","GPOList","NotificationPackageName","SecurityPackageName","LocalMMPrincipalName","RemoteMMPrincipalName","LocalAddress","LocalKeyModPort","RemoteAddress","RemoteKeyModPort","KeyModName","FailurePoint","MMAuthMethod","Role","MMImpersonationState","MMFilterID","InitiatorCookie","ResponderCookie","Local_Principal_Name","Principal_Name","Network_Address","Keying_Module_Port","Keying_Module_Name","Failure_Point","Authentication_Method","Impersonation_State","Main_Mode_Filter_ID","Initiator_Cookie","Responder_Cookie","LinkName","TransactionId","Source_Handle_ID","Source_Process_ID","Target_Handle_ID","Target_Process_ID","TargetProcessName","User_Right","KerberosPolicyChange","AccessGranted","AccessRemoved","MembershipExpirationTime","LoadOptions","AdvancedOptions","ConfigAccessPolicy","RemoteEventLogging","KernelDebug","VsmLaunchType","TestSigning","FlightSigning","DisableIntegrityChecks","HypervisorLoadOptions","HypervisorLaunchType","HypervisorDebug","Forest_Root","Forest_Root_SID","Operation_ID","Entry_Type","Top_Level_Name","DNS_Name","NetBIOS_Name","Domain_SID","CertificateSerialNumber","RevocationReason","Serial_Number","NextUpdate","NextPublishForBaseCRL","NextPublishForDeltaCRL","Next_Update","Publish_Base","Publish_Delta","IsBaseCRL","CRLNumber","KeyContainer","NextPublish","PublishURLs","Base_CRL","CRL_Number","Key_Container","Next_Publish","Publish_URLs","ExtensionName","ExtensionDataType","ExtensionPolicyFlags","ExtensionData","CertificateDatabaseHash","PrivateKeyUsageCount","CACertificateHash","CAPublicKeyHash","Certificate_Database_Hash","Private_Key_Usage_Count","CA_Certificate_Hash","CA_Public_Key_Hash","PropertyName","
PropertyIndex","PropertyType","PropertyValue","Property","Index","TableId","RowsDeleted","Table_ID","Rows_Deleted","RoleSeparationEnabled","Role_separation_enabled","New_Template_Content","Old_Template_Content","NewTemplateContent","OldTemplateContent","Destination_DRA","Source_DRA","Source_Address","Naming_Context","GroupPolicyApplied","Profile","OperationMode","RemoteAdminEnabled","MulticastFlowsEnabled","LogDroppedPacketsEnabled","LogSuccessfulConnectionsEnabled","ProfileUsed","ReasonForRejection","ActiveProfile","RuleAttr","NewState","ResourceManager","ConnectionSecurityRuleId","ConnectionSecurityRuleName","ClientCreationTime","KeyType","KeyFilePath","NewSecuritySettings","OldRemark","NewRemark","OldMaxUsers","NewMaxUsers","OldShareFlags","NewShareFlags","OldSD","NewSD","ProviderType","SubLayerKey","SubLayerName","SubLayerType","CalloutType","CalloutId","SubjectUserDomainName","ObjectCollectionName","ObjectIdentifyingProperties","ModifiedObjectProperties","ObjectProperties","ProcessPathLength","ProcessPath","ProcessCommandLineLength","ProcessCommandLine","ProcessCreateTime","ProcessStartKey","ProcessSignatureLevel","ProcessSectionSignatureLevel","ProcessProtection","TargetThreadId","TargetThreadCreateTime","RequiredSignatureLevel","SignatureLevel","ImageNameLength","ImageName","UInt1","Int1","Last_HTTP_error_code","pollingInterval","acPowerState","batterySavingState","batteryLowState","batteryCriticalState","battery_saver_mode","battery_low_state","battery_critical_state","requestType","errorCode","HTTP_error_code","CbsPackageInitiateChanges.PackageIdentifier","CbsPackageInitiateChanges.InitialPackageState","CbsPackageInitiateChanges.InitialPackageStateTextized","CbsPackageInitiateChanges.IntendedPackageState","CbsPackageInitiateChanges.IntendedPackageStateTextized","CbsPackageInitiateChanges.Client","CbsUpdateChangeState.UpdateName","CbsUpdateChangeState.PackageIdentifier","CbsUpdateChangeState.ErrorCode","CbsUpdateChangeState.Client","Command","EventXML.xmlns:
auto-ns2","EventXML.Param1","EventXML.Param2","EventXML.Param3","Detection ID","Detection Time","Unused","Unused2","Threat ID","Threat Name","Severity ID","Severity Name","Category ID","Category Name","FWLink","Status Code","Status Description","Source ID","Source Name","Detection User","Unused3","Origin ID","Origin Name","Execution ID","Execution Name","Type ID","Type Name","Pre Execution Status","Action ID","Action Name","Unused4","Error Code","Error Description","Unused5","Post Clean Status","Additional Actions ID","Additional Actions String","Remediation User","Unused6","Signature Version","Engine Version","SettingValueSize","SettingValueDisplay","SettingValueString","Store Type","PolicyAppId","updateTitle","updateGuid","updateRevisionNumber","serviceGuid","Data_0","Data_1","Data_2","Data_3","Data_4","Data_5","Data_6","Faulting_application_name","version","Faulting_module_name","Faulting_application_path","Faulting_module_path","Report_Id","Faulting_package_full_name","Faulting_packagerelative_application_ID","ApplicationName","FlagsHigh","runningAppsList","directlyServicedPackagesList","indirectlyServicedPackagesList","numAttempts","isSessionLocked","subjectName","PossibleDetectionOfCVE","Additional_Information","CertNotificationData.ProcessName","CertNotificationData.AccountName","CertNotificationData.Context","CertNotificationData.CertificateDetails","EventWriteData","PackagePath","Line 
Number","HiveNameLength","HiveName","KeysUpdated","DirtyPages","IfGuid","IfIndex","AdapterName","ResetReason","ResetCount","DriveName","CorruptionActionState","CallerPID","ClientLUID","ClientUserName","ClientDomainName","MechanismOID","Calling_process_PID","Calling_process_name","Calling_process_LUID","Calling_process_user_identity","Calling_process_domain_identity","Mechanism_OID","PluginDllName","ResolverFiredEvent.ExePath","ResolverFiredEvent.ResolverName","AppID","Priority","ActionName","TaskInstanceId","EnginePID","ResultCode","Timestamp","SID","ProductName","ProductVersion","Changed Type","ChangedType","packageFullName","ServiceShutdown","param3","param4","Backup_Type","CustomLevel","DetectionTime","SecurityintelligenceVersion","EngineVersion","RuleType","TargetCommandline","ParentCommandline","InvolvedFile","InhertianceFlags","process","payload","AppName","AppVersion","StartTime","TerminationTime","ExeFileName","ReportId","PackageRelativeAppId","HangType","PackageFamilyName","FoundState","statusFound","transferId","name","Id","url","peer","hr","fileTime","fileLength","bytesTotal","proxy","peerProtocolFlags","AdditionalInfoHr","PeerContextInfo","bandwidthLimit","ignoreBandwidthLimitsOnLan","server","job","scheme","user","Provider_Name","Key_Name","Key_Type","Algorithm_Name","Return_Code","InterfaceLUID","OBTAIN_LEASE__AdapterName","Interface_LUID","UMDFHostDeviceArrivalBegin.LifetimeId","UMDFHostDeviceArrivalBegin.InstanceId","LifetimeId","InstanceId","UMDFHostDeviceRequest.LifetimeId","UMDFHostDeviceRequest.InstanceId","UMDFHostDeviceRequest.RequestMajorCode","UMDFHostDeviceRequest.RequestMinorCode","UMDFHostDeviceRequest.Argument1","UMDFHostDeviceRequest.Argument2","UMDFHostDeviceRequest.Argument3","UMDFHostDeviceRequest.Argument4","UMDFHostDeviceRequest.Status","MajorCode","MinorCode","Argument1","Argument2","Argument3","Argument4","ResourceURI","Created","Expires","TokenType","AuthRequired","RequestStatus","HasFlowUrl","HasAuthUrl","HasEndAuthUrl","InProc"
,"PID","Process","Logon_type","Mechanism","ComputerName","TimeStamp","GeneratingComponent","DetectionLocation","NumberOfParameters","Params","Recovery_Reason","RecoveryReason","FailureId","Logon_Account","Source_Workstation","Error_Code","Original_Security_Descriptor","New_Security_Descriptor","Device_Name","Silo_Name","PolicyName","SiloName","Enable","EnableRestrictedPermissions","RestrictedPermissions","Special_Groups","Subcategory","Subcategory_GUID","Changes","OldObjectDN","NewObjectDN","FullyQualifiedSubjectUserName","SubjectMachineSID","SubjectMachineName","FullyQualifiedSubjectMachineName","CalledStationID","CallingStationID","NASIPv4Address","NASIPv6Address","NASIdentifier","NASPortType","NASPort","ClientName","ClientIPAddress","ProxyPolicyName","NetworkPolicyName","AuthenticationProvider","AuthenticationServer","AuthenticationType","EAPType","AccountSessionIdentifier","LoggingResult","Value1","Value2","Value3","Global_perpattern_state_changed_State","pattern","ActionType","ActionId","error_code","upload_result_code","ActionPhase","Action_phase","Data_7","SubjectName","AdditionalInformation","QueryType","QueryOptions","PhysicalPath","ConfigPath","EffectiveLocationPath","EditOperationType","TDO_Domain_SID","Filtered_SIDs","TdoDirection","TdoAttributes","TdoType","TdoSid","FailureCode","Operation_StartedOperational.ProviderName","Operation_StartedOperational.Code","Operation_StartedOperational.HostProcess","Operation_StartedOperational.ProcessID","Operation_StartedOperational.ProviderPath","Operation_ClientFailure.Id","Operation_ClientFailure.ClientMachine","Operation_ClientFailure.User","Operation_ClientFailure.ClientProcessId","Operation_ClientFailure.Component","Operation_ClientFailure.Operation","Operation_ClientFailure.ResultCode","Operation_ClientFailure.PossibleCause","Operation_TemporaryEssStarted.NamespaceName","Operation_TemporaryEssStarted.Query","Operation_TemporaryEssStarted.User","Operation_TemporaryEssStarted.Processid","Operation_TemporaryEssSt
arted.ClientMachine","Operation_TemporaryEssStarted.PossibleCause","Data_8","Data_9","Data_10","Data_11","Data_12","Data_13","Data_14","Http_transport_error_Status","Correlation_ID","Target","Enterprise_STS_Logon_failure_Status","CorrelationID","RuleAndFileData.PolicyNameLength","RuleAndFileData.PolicyName","RuleAndFileData.RuleId","RuleAndFileData.RuleNameLength","RuleAndFileData.RuleName","RuleAndFileData.RuleSddlLength","RuleAndFileData.RuleSddl","RuleAndFileData.TargetUser","RuleAndFileData.TargetProcessId","RuleAndFileData.FilePathLength","RuleAndFileData.FilePath","RuleAndFileData.FileHashLength","RuleAndFileData.FileHash","RuleAndFileData.FqbnLength","RuleAndFileData.Fqbn","RuleAndFileData.TargetLogonId","RuleAndFileData.FullFilePathLength","RuleAndFileData.FullFilePath","PolicyNameLength","PolicyNameBuffer","RuleNameLength","RuleNameBuffer","RuleSddlLength","RuleSddlBuffer","FilePathLength","FilePathBuffer","FileHashLength","FileHash","FqbnLength","Fqbn","FullFilePathLength","FullFilePathBuffer","FilePath","Sha1Hash","Sha256Hash","USN","Sha1CatalogHash","Sha256CatalogHash","UserWriteable","TotalSignatureCount","PublisherNameLength","PublisherName","IssuerNameLength","IssuerName","PublisherTBSHashSize","PublisherTBSHash","IssuerTBSHashSize","IssuerTBSHash","DesiredStatus","CurrentStatus","ContainerName","ContainerId","PsmFlags","From","To","Username","Package","Elapsed","ResumeAt","AttemptAfter","Task","ExitCode","IsIdle","filename","PackageMoniker2","PackageVersion","PackageVersion2","SourceFilePath","LinkDestinationPath","Architecture","FullFilePath","SettingSyncEnabled","DependencyPaths","DeploymentState","NextDeploymentState","Summary","StatusToClear","StatusToSet","CallOrigin","DependencyName","DependencyPublisher","DependencyArchitecture","DependencyMinVersion","IsInstalled","ApplicationUserModelId","Uri","PeriodicUpdateRecurrence","NumberOfFiles","SearchString","HresultCode","String","MainPackageMoniker","ResiliencyFilePath","namespace","Identification
GUID","VolumeMountPoint","AlgorithmType","Identification_GUID","Protector_GUID","The_source_for_these_PCRs_was","The_SHA256_hash_of_the_WIM_file_is","jobName","isRoaming","URL","CertGetCertificateChain.Certificate","CertGetCertificateChain.AdditionalStore","CertGetCertificateChain.ExtendedKeyUsage","CertGetCertificateChain.Flags","CertGetCertificateChain.ChainEngineInfo","CertGetCertificateChain.CertificateChain","CertGetCertificateChain.EventAuxInfo","CertGetCertificateChain.CorrelationAuxInfo","CertGetCertificateChain.Result","WinVerifyTrust.ActionID","WinVerifyTrust.UIChoice","WinVerifyTrust.RevocationCheck","WinVerifyTrust.StateAction","WinVerifyTrust.Flags","WinVerifyTrust.CatalogInfo","WinVerifyTrust.DigestInfo","WinVerifyTrust.RegPolicySetting","WinVerifyTrust.SignatureSettingsFlags","WinVerifyTrust.SignerInfo","WinVerifyTrust.CertificateChain","WinVerifyTrust.TimestampInfo","WinVerifyTrust.TimestampChain","WinVerifyTrust.EventAuxInfo","WinVerifyTrust.CorrelationAuxInfo","WinVerifyTrust.Result","CertNotificationData.Action","CertNotificationData.OldCertificateDetails","CertNotificationData.NewCertificateDetails","BackupProfileId","IsDelete","Cv","UpdateCount","SecureRequired","RequestedSigningLevel","Settings","Exemption","CacheState","Hash 
Size","PageHash","SignatureType","ValidatedSigningLevel","VerificationError","PolicyBits","NotValidBefore","NotValidAfter","PolicyIdLength","PolicyIdBuffer","PolicyGUID","PolicyHashSize","PolicyHash","OptionsV2","Message3","Message4","HexInt1","HexInt2","HexInt3","Prop_CoreServiceMode","Prop_Event_Window_Seconds","Prop_UpTime_Seconds","Prop_WorkTime_MilliSeconds","Prop_RetryCycleCount","Prop_DeviceName","Prop_ContainerId","Prop_TaskCount","Prop_PropertyCount","Prop_Seconds","Prop_DeviceId","Prop_DeviceInstanceId","Prop_PackageId","Prop_DevnodeId","Prop_MilliSeconds","Address1","HWLength","HWAddress","Address2","DwordVal","DUIDLength","DUID","NewHWLength","NewHWAddress","NewDUIDLength","NewDUID","ScenarioId","OriginalActivityId","DiagnosticModuleImageName","DiagnosticModuleId","ResolutionId","ResolutionSID","ResolutionSessionId","ResolutionExpirationDate","CounterSetGuid","InstanceName","CounterId","PackageID","RootCauseCount","hc_stateid","BootTsVersion","BootStartTime","BootEndTime","SystemBootInstance","UserBootInstance","BootTime","MainPathBootTime","BootKernelInitTime","BootDriverInitTime","BootDevicesInitTime","BootPrefetchInitTime","BootPrefetchBytes","BootAutoChkTime","BootSmssInitTime","BootCriticalServicesInitTime","BootUserProfileProcessingTime","BootMachineProfileProcessingTime","BootExplorerInitTime","BootNumStartupApps","BootPostBootTime","BootIsRebootAfterInstall","BootRootCauseStepImprovementBits","BootRootCauseGradualImprovementBits","BootRootCauseStepDegradationBits","BootRootCauseGradualDegradationBits","BootIsDegradation","BootIsStepDegradation","BootIsGradualDegradation","BootImprovementDelta","BootDegradationDelta","BootIsRootCauseIdentified","OSLoaderDuration","BootPNPInitStartTimeMS","BootPNPInitDuration","OtherKernelInitDuration","SystemPNPInitStartTimeMS","SystemPNPInitDuration","SessionInitStartTimeMS","Session0InitDuration","Session1InitDuration","SessionInitOtherDuration","WinLogonStartTimeMS","OtherLogonInitActivityDuration","UserLogonWa
itDuration","NameLength","FriendlyNameLength","FriendlyName","VersionLength","TotalTime","DegradationTime","PathLength","ProductNameLength","CompanyNameLength","CompanyName","ShutdownTsVersion","ShutdownStartTime","ShutdownEndTime","ShutdownTime","ShutdownUserSessionTime","ShutdownUserPolicyTime","ShutdownUserProfilesTime","ShutdownSystemSessionsTime","ShutdownPreShutdownNotificationsTime","ShutdownServicesTime","ShutdownKernelTime","ShutdownRootCauseStepImprovementBits","ShutdownRootCauseGradualImprovementBits","ShutdownRootCauseStepDegradationBits","ShutdownRootCauseGradualDegradationBits","ShutdownIsDegradation","ShutdownTimeChange","GroupName","ErrorString","MinimumPasswordLength","RelaxMinimumPasswordLengthLimits","MinimumPasswordLengthAudit","param5","param6","param7","param8","param9","param10","param11","AddressLength","Address","ClientPID","VirtualizationID","Lookup","ReplicationScope","ZoneFile","Zone","PropertyKey","NAME","TTL","BufferSize","RDATA","ZoneScope","Setting","Scope","UMDFDeviceInstallBegin.DeviceId","UMDFDeviceInstallBegin.FrameworkVersion","UMDFServiceInstall.ServiceName","UMDFServiceInstall.CLSID","UMDFServiceInstall.MinimumFxVersion","UMDFServiceInstall.Upgrade","UMDFDeviceInstallEnd.FinalStatus","AuditEventsDropped.Reason","EventID","PublisherGuid","EventProcessingFailure.ErrorCode","EventProcessingFailure.EventID","EventProcessingFailure.PublisherID","PubID","message","FinalStatus","DeviceVersionMajor","DeviceVersionMinor","DeviceTime","SupportedFeatures","CSEExtensionId","CSEExtensionName","IsExtensionAsyncProcessing","IsGPOListChanged","GPOListStatusString","ApplicableGPOList","IsMachineBoot","CSEElaspedTimeInMilliSeconds","GpsvcTimeElapsedInMilliseconds","GpsvcInitTimeElapsedInMilliseconds","SessionTimeElapsedInMilliseconds","NumberOfGPOsDownloaded","NumberOfGPOsApplicable","GPODownloadTimeElapsedInMilliseconds","PolicyDownloadTimeElapsedInMilliseconds","PolicyProcessingMode","NextPolicyApplicationTime","NextPolicyApplicationTimeUnit",
"IsPolicyConfigured","MaxTimeToWait","TimeWaitedAtStartup","PrevAvgWaitTimeout","NewAvgWaitTimeout","DidWaitTimeout","NotificationType","DCDiscoveryTimeInMilliSeconds","PolicyApplicationMode","WinlogonReturnTimeElapsedInMilliseconds","BandwidthInkbps","IsSlowLink","ThresholdInkbps","LinkDescription","PolicyElaspedTimeInSeconds","IsConnectivityFailure","Url","ReserveStatus","ExecutablePath","UrlGroupId","VmlEventLog.SystemId","VmlEventLog.ErrorMessage","VmlEventLog.ErrorCode","VmlEventLog.Result","VmlEventLog.Parameter0","VmlEventLog.Parameter1","OperationName","OperationId","ExecutionTimeMS","QueuedTimeMS","SLAThresholdMS","ContextType1","ContextInfo1","ContextType2","ContextInfo2","ContextType3","ContextInfo3","BuildNumber","BuildArch","BuildBranch","Debug","Official","Date","Time","EntryCount","LastShutdownGood","LastBootGood","LastBootId","BootStatusPolicy","BootMenuPolicy","BootType","BitlockerUserInputTime","EfiTimeZoneBias","EfiDaylightFlags","EfiTime","MajorVersion","MinorVersion","BuildVersion","QfeVersion","ServiceVersion","BootMode","StopTime","OriginalSize","NewSize","NewBias","OldBias","ExitReason","CurrentBias","CurrentTimeZoneID","TimeZoneInfoCacheUpdated","FirstRefresh","DriverNameLength","FailureNameLength","FailureName","TargetState","EffectiveState","ValidBatteryCount","ErrorBatteryCount","AbandonedBatteryCount","BootId","PreviousSessionId","PreviousSessionType","PreviousSessionDurationInUs","PreviousEnergyCapacityAtStart","PreviousFullEnergyCapacityAtStart","PreviousEnergyCapacityAtEnd","PreviousFullEnergyCapacityAtEnd","NextSessionId","NextSessionType","PowerStateAc","MonitorReason","AdaptiveTargetState","IsUnattended","PerfStateCount","ThrottleStateCount","ErrorSourceCount","ErrorRecordFormat","ErrorSourceTableLength","ErrorSourceTable","Owner","Length","RawData","hrError","FolderId","ScopeOfSearch","SearchFilter","DistinguishedName","AttributeList","EventXML.param1","EventXML.param2","EventXML.binaryDataSize","EventXML.binaryData","NewLanguage"
,"PrevLanguage","ExtendedFlag","ReturnValue","String1","NewInternetConnectionProfile","ConnectionCostChanged","DomainConnectivityLevelChanged","NetworkConnectivityLevelChanged","HostNameChanged","WwanRegistrationStateChanged","TetheringOperationalStateChanged","TetheringClientCountChanged","DiskNumber","Characteristics","IsSystemCritical","PagingCount","HibernationCount","DumpCount","BytesPerSector","Capacity","Manufacturer","Model","Revision","Location","ParentId","Socket","Slot","Bus","Adapter","Port","Lun","IoctlSupport","IdFlags","DiskId","AdapterId","RegistryId","PoolId","FirmwareSupportsUpgrade","FirmwareSlotCount","StorageIdCount","StorageIdCodeSet","StorageIdType","StorageIdAssociation","StorageIdBytes","WriteCacheType","WriteCacheEnabled","WriteCacheChangeable","WriteThroughSupported","FlushCacheSupported","IsPowerProtected","NVCacheEnabled","BytesPerLogicalSector","BytesPerPhysicalSector","BytesOffsetForSectorAlignment","IncursSeekPenalty","IsTrimSupported","IsThinProvisioned","OptimalUnmapGranularity","UnmapAlignment","NumberOfLogicalCopies","NumberOfPhysicalCopies","FaultTolerance","NumberOfColumns","InterleaveBytes","HybridSupported","HybridCacheBytes","AdapterMaximumTransferBytes","AdapterMaximumTransferPages","AdapterAlignmentMask","PortDriver","UserRemovalPolicy","PartitionStyle","PartitionCount","PartitionTableBytes","PartitionTable","MbrBytes","Mbr","Vbr0Bytes","Vbr0","Vbr1Bytes","Vbr1","Vbr2Bytes","Vbr2","Vbr3Size","Vbr3","Library","Win32Error","Sleep_Time","Wake_Time","Wake_Source","MaxRunspaces","MinRunspaces","DefaultPrinterSelectedBySpooler","OldDefaultPrinter","NewDefaultPrinter","Module","RenderJobDiag.JobId","RenderJobDiag.GdiJobSize","RenderJobDiag.ICMMethod","RenderJobDiag.Color","RenderJobDiag.XRes","RenderJobDiag.YRes","RenderJobDiag.Quality","RenderJobDiag.Copies","RenderJobDiag.TTOption","JobId","GdiJobSize","ICMMethod","Color","XRes","YRes","Quality","Copies","TTOption","PrinterName","NewConsentValue","ConsentID","AppPackageFamilyNam
e","SettingName","Migrated","Suppressed","ExitingProcessId","InitiatingProcessId","HostName","OldIndex","OldAddressFamily","NewIndex","NewAddressFamily","NewPhysicalMediumType","SocketError","UserType","Object","Endpoint","QueuedTileCloses","QueuedTileCleanups","TrackingId","MessageId","SessionErrorCode","IntValue","SecondIntValue","ConnectionName","SessionID","PromptForCredentials","PromptForCredentialsDone","GfxChannelOpened","FirstGraphicsReceived","DisplayDriverName","Interface_method_called","ReasonString","TimezoneBiasHour","TransportProtocolName","ConnType","ClientIP","ChannelName","TunnelID","InstanceID","error","MonitorNum","MonitorWidth","MonitorHeight","MonitorX","MonitorY","ServerName","MajorType","MinorType","StateTransition","PreviousState","PreviousStateName","NewStateName","Event","EventName","Disconnect_trace","DroppedLeakDiagnosisEventInfo.ProcessImageName","DroppedLeakDiagnosisEventInfo.ProcessId","DroppedLeakDiagnosisEventInfo.ProcessCreationTime","DroppedLeakDiagnosisEventInfo.DropReasonCode","EventInfo.Event","RmSessionEvent.RmSessionId","RmSessionEvent.UTCStartTime","RmApplicationEvent.RmSessionId","RmApplicationEvent.FullPath","RmApplicationEvent.DisplayName","RmApplicationEvent.AppVersion","RmApplicationEvent.AppType","RmApplicationEvent.TSSessionId","RmApplicationEvent.Status","RmApplicationEvent.Pid","RmApplicationEvent.nFiles","RmApplicationEvent.Files","RmRestartEvent.RmSessionId","RmRestartEvent.nApplications","RmRestartEvent.Applications","RmRestartEvent.RebootReasons","RmUnsupportedRestartEvent.RmSessionId","RmUnsupportedRestartEvent.Pid","RmUnsupportedRestartEvent.FullPath","RmUnsupportedRestartEvent.DisplayName","RmUnsupportedRestartEvent.AppVersion","RmUnsupportedRestartEvent.AppType","RmUnsupportedRestartEvent.TSSessionId","RmUnsupportedRestartEvent.Status","RmUnsupportedRestartEvent.Reason","AuditsDiscarded","Invalid_Use","LPC_Server_Port_Name","InvalidCallName","ServerPortName","EventId","TargetUserDomain","EventCount","Duration
","CrashOnAuditFailValue","UserClaims","DeviceClaims","Cipher_Algorithm","Integrity_Algorithm","DiffieHellman_Group","Lifetime_minutes","Quick_Mode_Limit","Main_Mode_SA_ID","MMCipherAlg","MMIntegrityAlg","DHGroup","MMLifetime","QMLimit","MMSAID","SHA_Thumbprint","Issuing_CA","Root_CA","SHA_thumbprint","LocalMMCertHash","LocalMMIssuingCA","LocalMMRootCA","RemoteMMCertHash","RemoteMMIssuingCA","RemoteMMRootCA","Network_Address_mask","Tunnel_Endpoint","Address_Mask","Private_Address","Mode","Message_ID","Quick_Mode_Filter_ID","LocalAddressMask","LocalPort","LocalTunnelEndpoint","RemoteAddressMask","RemotePort","RemoteTunnelEndpoint","RemotePrivateAddress","MessageID","QMFilterID","TunnelId","TrafficSelectorId","Local_Network_Address","Remote_Network_Address","Application_Name","Application_Instance_ID","Client_Domain","Client_Context_ID","AppInstance","ClientDomain","ClientLogonId","Scope_Names","Groups","Operation_Name","ScopeName","Client_ID","Policy_Store_URL","StoreUrl","Ordinal","CallerUserSid","CallerUserName","CallerDomainName","CallerLogonId","EfsPolicyChange","SidFilteringEnabled","Account_UPN","Mapped_Name","MappingBy","MappedName","Provided_Account_Name_unauthenticated","Peer_Name","Protocol_Sequence","Security_Error","PeerName","ProtocolSequence","SecurityError","Access_Reasons","StagingReason","CAPs_Added","CAPs_Deleted","CAPs_Modified","CAPs_AsIs","AddedCAPs","DeletedCAPs","ModifiedCAPs","AsIsCAPs","Policy_Name","TGT_Lifetime","PreAuthType","CertIssuerName","CertSerialNumber","CertThumbprint","TGTLifetime","TransitedServices","SourceSid","Target_Type","Target_Name","New_Flags","CollisionTargetType","CollisionTargetName","ForestRoot","TopLevelName","DnsName","NetbiosName","ForestRootSid","EntryType","Certificate","Node","Entry","KRA_Hashes","KRAHashes","Certificate_Hash","Valid_From","Valid_To","CertificateHash","ValidFrom","ValidTo","Old_Security_Descriptor","NewSecurityDescriptor","OldSecurityDescriptor","Old_Blocked_Ordinals","New_Blocked_Ordinals","Old
BlockedOrdinals","NewBlockedOrdinals","Old_Value","New_Value","OldIgnoreDefaultSettings","NewIgnoreDefaultSettings","OldIgnoreLocalSettings","NewIgnoreLocalSettings","DestinationDRA","SourceDRA","SourceAddr","NamingContext","Destination_Address","Start_USN","StartUSN","End_USN","EndUSN","Attribute","TypeOfChange","Replication_Event","Audit_Status_Code","Replication_Status_Code","SPI","LocalEMPrincipalName","RemoteEMPrincipalName","EMAuthMethod","EMImpersonationState","LocalEMCertHash","LocalEMIssuingCA","LocalEMRootCA","RemoteEMCertHash","RemoteEMIssuingCA","RemoteEMRootCA","ObjectPath","ObjectVirtualPath","AuthenticationSetId","AuthenticationSetName","CryptographicSetId","CryptographicSetName","IpSecSecurityAssociationId","IpSecSecurityAssociationName","Publisher","VirtualFileName","ModuleName","ContextName","InterfaceId","CAConfigurationId","NewSigningCertificateHash","BaseCRLNumber","BaseCRLThisUpdate","BaseCRLHash","DeltaCRLNumber","DeltaCRLIndicator","DeltaCRLThisUpdate","DeltaCRLHash","PacketsDiscarded","EtherType","InterfaceType","VlanTag","SpnName","ServerNames","ConfiguredNames","IpAddresses","UserUPN","TargetServer","CredType","PeerPrivateAddress","IpProtocol","KeyingModuleName","AhAuthType","EspAuthType","CipherType","LifetimeSeconds","LifetimeKilobytes","LifetimePackets","TransportFilterId","MainModeSaId","QuickModeSaId","InboundSpi","OutboundSpi","Policy","QuickModeFilter","SSID","PeerMac","LocalMac","IntfGuid","ReasonText","EAPReasonCode","EapRootCauseString","EAPErrorCode","InterfaceName","RemoteIpAddress","InterfaceUuid","OpNum","RemoteHost","MachineInventory","QuarantineState","ExtendedQuarantineState","QuarantineSessionID","QuarantineHelpURL","QuarantineSystemHealthResult","QuarantineGraceTime","HostedCacheName","Count","Categories","GUID","CallingProcessId","CallingProcessCreateTime","CallingProcessStartKey","CallingProcessSignatureLevel","CallingProcessSectionSignatureLevel","CallingProcessProtection","CallingThreadId","CallingThreadCreateTime","
ChildImagePathNameLength","ChildImagePathName","ChildCommandLineLength","ChildCommandLine","parameter","diskSizeQuotaValue","dailyUploadQuotaValue","meteredConnectionState","internetAvailabilityState","freeNetworkAvailabilityState","proxyDefined","Starting_command","CommandName","ActualStartType","ExpectedStartType","Starting_stopped_external_service_Name","exit_code","platformBitMask","forcePassiveMode","requestGuid","restartRequired","serverComponentNames","ptzMessage","message2","value","ptzMessage1","ptzMessage2","hResult","hLastError","uValue","TotalXPaths","ResultsReturned","XPath","LastError","roleId","Tracked","Rehydrated","MachineName","RefreshTriggerSource","Machines","serviceStatus","exception","serverName","protocol","userName","namespaceName","wmiClassName","methodName","errorMessage","targetServer","componentId","displayName","pageTitle","JobName","targetComputer","requestState","errorId","errorCategory","warnings","CbsPackageChangeState.PackageIdentifier","CbsPackageChangeState.IntendedPackageState","CbsPackageChangeState.IntendedPackageStateTextized","CbsPackageChangeState.ErrorCode","CbsPackageChangeState.Client","updateName","identifier","client","HostOSName","Installwasanupgrade","HostOSwasWindowsPE","HostOSmajorversion","HostOSminorversion","HostOSbuildversion","HostOSservicepackName","HostOSservicepackmajorversion","HostOSservicepackminorversion","OSName","OSEditionID","OSmajorversion","OSminorversion","OSbuildversion","OSservicepackName","OSservicepackmajorversion","OSservicepackminorversion","Info","Filename","SchemaType","Failure 
reason","Scenario","InstallState","DataVersion","HealthStateFlags","CensusFlags","SecondsSinceBoot","ImageIdentifier","TrackingInfo","collectionName","initializationReason","layoutSelectionSerializedString","layoutProviderName","tileIdentifier","TaskHResultValue","appSize","containerName","containerXPosition","containerYPosition","itemId","containerId","itemName","packageFamilyName","ServerNameLength","EventData.NameLength","EventData.Name","EventData.DomainNameLength","EventData.DomainName","EventData.TransportNameLength","EventData.TransportName","EventData.TransportFlags","EventData.NotificationType","EventData.InterfaceNameLength","EventData.InterfaceName","EventData.FailureType","EventData.InterfaceIndex","EventData.Error","EventData.DeviceNameLength","EventData.DeviceName","EventData.ExtraInformation","IsTdiEnabled","EventData.SessionGUID","EventData.ConnectionGUID","EventData.Status","EventData.TranslatedStatus","EventData.ClientAddressLength","EventData.ClientAddress","EventData.SessionId","EventData.UserNameLength","EventData.UserName","EventData.ClientNameLength","EventData.ClientName","EventData.SPN","EventData.SPNValidationPolicy","EventData.ReasonCode","Partition","MachineDisposition","PreviousMachineVersion","DeploymentDisposition","PreviousDeploymentVersion","MigratorErrors","TimeoutMSec","ElapsedTimeMSec","MachineSize_Before","MachineJournalSize_Before","DeploymentSize_Before","DeploymentJournalSize_Before","MachineSize_After","MachineJournalSize_After","DeploymentSize_After","DeploymentJournalSize_After","MaintenancePerformed","MachineDatabase_Pages","MachineDatabase_PagesCheckpointed","DeploymentDatabase_Pages","DeploymentDatabase_PagesCheckpointed","StartTime_msecs","LoadTime_msecs","ResultCount","OperationTime_msecs","ProviderDLL","MI_Result","Runtime_msecs","DriveId","DeviceNumber","DriveManufacturer","DriveModel","DriveSerial","DeviceGUID","Vendor","FirmwareVersion","DownLevelIrpStatus","SrbStatus","ScsiStatus","SenseKey","AdditionalSenseCode",
"AdditionalSenseCodeQualifier","CdbByteCount","CdbBytes","NumberOfRetriesDone","State Machine","Thread ID","State Machine Name","Event Name","Current State","New State","PortNumber","PathID","TargetID","LUN","ClassDeviceGuid","AdapterGuid","MiniportName","FirmwareRevision","BootDevice","SystemUptime_s","CriticalWarning","NvmeHealthLogLength","NvmeHealthLog","VendorSpecificLogPageCode","VendorSpecificLogPageVersion","VendorSpecificLogLength","VendorSpecificLog","MiniportEventId","MiniportEventDescription","Parameter1Name","Parameter1Value","Parameter2Name","Parameter2Value","Parameter3Name","Parameter3Value","Parameter4Name","Parameter4Value","Parameter5Name","Parameter5Value","Parameter6Name","Parameter6Value","Parameter7Name","Parameter7Value","Parameter8Name","Parameter8Value","TotalErrors","TotalReadWriteErrors","TotalImpendingDeviceFailureErrors","TotalDeviceFailureErrors","TimeoutsInMiniport","HierarchicalResetSuccessCount","LastError_RequestDuration_ms","LastError_WaitDuration_ms","LastError_Command","LastError_SrbStatus","LastError_ScsiStatus","LastError_SenseKey","LastError_AddSense","LastError_AddSenseQ","LastError_IoSize","LastError_QueueDepth","LastError_LBA","SampledErrorLogArrayLength","SampledErrorLogArray","UniqueErrorLogArrayLength","UniqueErrorLogArray","IoTimeout_s","TotalDeviceQueueIoCount","MaxDeviceQueueCount","MaxOutstandingCount","TotalDeviceQueueIoWaitDuration_100ns","MaxDeviceQueueIoWaitDuration_100ns","DeviceQueueIoWaitExceededTimeoutCount","DeviceQueueIoBusyCount","DeviceQueueIoPausedCount","DeviceQueueIoUntaggedCommandOutstandingCount","DeviceQueueIoPausedForUntaggedCount","MaxReadWriteLatency_100ns","MaxFlushLatency_100ns","MaxUnmapLatency_100ns","IoLatencyBuckets","BucketIoSuccess1","BucketIoSuccess2","BucketIoSuccess3","BucketIoSuccess4","BucketIoSuccess5","BucketIoSuccess6","BucketIoSuccess7","BucketIoSuccess8","BucketIoSuccess9","BucketIoSuccess10","BucketIoSuccess11","BucketIoSuccess12","BucketIoSuccess13","BucketIoSuccess14","Bucke
tIoFailed1","BucketIoFailed2","BucketIoFailed3","BucketIoFailed4","BucketIoFailed5","BucketIoFailed6","BucketIoFailed7","BucketIoFailed8","BucketIoFailed9","BucketIoFailed10","BucketIoFailed11","BucketIoFailed12","BucketIoFailed13","BucketIoFailed14","BucketIoLatency1_100ns","BucketIoLatency2_100ns","BucketIoLatency3_100ns","BucketIoLatency4_100ns","BucketIoLatency5_100ns","BucketIoLatency6_100ns","BucketIoLatency7_100ns","BucketIoLatency8_100ns","BucketIoLatency9_100ns","BucketIoLatency10_100ns","BucketIoLatency11_100ns","BucketIoLatency12_100ns","BucketIoLatency13_100ns","BucketIoLatency14_100ns","TotalReadBytes","TotalWriteBytes","Irp","Srb","DataLength","RequestDuration_ms","WaitDuration_ms","AddSense","AddSenseQ","QueueDepth","LBA","Removable","SurpriseRemovalOK","NewUnitCount","DeleteUnitCount","AdapterHardwareId","AdapterInterfaceType","AllowStorageD3","AcpiDsdProperty","StorageD3RegistryState","StorageD3Enable","DirectedFxEnable","FileSystem","VolumeCount","ContainsRawVolumes","Size","Epoch","DiskIndex","TotalDisks","Session","ClientInfo","SnapshotPath","TotalDirectories","TotalFiles","FilesScoped","FilesResident","FilesCachedFirstPass","FilesMissedSecondPass","LastRunDateTime","UserContext","QueuedTaskInstanceId","RunningTaskInstanceId","EventInfo.Username","EventInfo.IpAddress","EventInfo.AuthType","EventInfo.Resource","EventInfo.ConnectionProtocol","EventInfo.ErrorCode","EventXML.messageName","EventXML.Session","EventXML.Reason","EventXML.listenerName","CurrentTime(UTC)","TickCount","TimeProviders","ClockRate","AllNtpServers","ChosenReferenceNtpServer","IFTSTMP","LeapIndicator","Stratum","Precision","RootDelay","RootDispersion","ReferenceId","LastSuccessfulSyncTime","PollInterval","PhaseOffset","StateMachine","TimeSourceFlags","ServerRole","LastSyncError","TimeSinceLastGoodSync","AdjustmentPPM","NewClockRate","OldClockRate","MinReportedAdjustmentPPM","TimeSource","TimeSourceRefId","LocalStratumNumber","Enabled","LeapSecondCount","CurrentUtcOffset","Runtim
eStateAndSettingsConsistent","NewestLeapSecondsList","CurrentStratumNumber","TimeOffsetSeconds","ManualPeer","Environment","IKey","DiskSizeInBytes","DailyUploadQuotaInBytes","EventsUploaded","EventsDropped","LastEventlogWrittenTime","SuccessfulConnections","FailedConnections","LastHttpError","ProxySettingDetected","SslCertValidationFailures","LastSslCertFailure","OldInfo","NewInfo","SettingAuthority","Folder","ServerErrorMessage","TenantType","JoinType","DebugOutput","Method","Key","LocalPath","ProfileType","ProcessPid","OldSchemeGuid","NewSchemeGuid","ERR_DEVICE_ID.DeviceId","InstallDeviceID.xmlns:auto-ns2","InstallDeviceID.DriverName","InstallDeviceID.DriverVersion","InstallDeviceID.DriverProvider","InstallDeviceID.DeviceInstanceID","InstallDeviceID.SetupClass","InstallDeviceID.RebootOption","InstallDeviceID.UpgradeDevice","InstallDeviceID.IsDriverOEM","InstallDeviceID.InstallStatus","InstallDeviceID.DriverDescription","AddServiceID.ServiceName","AddServiceID.DriverFileName","AddServiceID.DeviceInstanceID","AddServiceID.PrimaryService","AddServiceID.UpdateService","AddServiceID.AddServiceStatus","VhdFileName","VhdDiskNumber","VirtualDisk","VhdFile","VmId","VhdType","WriteDepth","GetInfoOnly","ReadOnly","HandleContext","FileObject","DesiredAccess","TargetVolumeGuid","SourceFile","SourceLine","SourceTag","WCM Preferred Order List","TxnTimeInMSec","CommitTimeInMSec","WatchdogTimeoutInMSec","Scan ID","Scan Type Index","Scan Type","Scan Parameters Index","Scan Parameters","Scan Resources","Scan Time Hours","Scan Time Minutes","Scan Time Seconds","DetectionID","DetectionSourceIndex","DetectionSource","ThreatName","ThreatID","SeverityID","CategoryID","PathFound","DetectionOriginIndex","DetectionOrigin","ExecutionStatusIndex","ExecutionStatus","DetectionTypeIndex","DetectionType","SeverityName","SecurityintelligenceID","FidelityValue","FidelityLabel","ImageFileHash","TargetFileName","TargetFileHash","Platform version","Engine version","Security intelligence version","NRI 
engine version","AV security intelligence version","AS security intelligence version","NRI security intelligence version","RTP state","OA state","IOAV state","BM state","Last AV security intelligence age","Last AS security intelligence age","Last quick scan age","Last full scan age","AV security intelligence creation time","AS security intelligence creation time","Last quick scan start time","Last quick scan end time","Last quick scan source","Last full scan start time","Last full scan end time","Last full scan source","Product status","Latest engine version","Engine up-to-date","Latest platform version","Platform up-to-date","Current security intelligence Version","Previous security intelligence Version","Security intelligence Type Index","Security intelligence Type","Update Type Index","Update Type","Current Engine Version","Previous Engine Version","Update Source Index","Update Source","Update State Index","Update State","Source Path","CurrentsecurityintelligenceVersion","PrevioussecurityintelligenceVersion","UpdateSourceIndex","UpdateSource","SecurityintelligenceTypeIndex","SecurityintelligenceType","UpdateTypeIndex","UpdateType","CurrentEngineVersion","PreviousEngineVersion","UpdateStateIndex","UpdateState","SourcePath","Feature Index","Feature Name","Unused7","Unused8","Unused9","Unused10","Unused11","Unused12","Cloud protection intelligence Type Index","Cloud protection intelligence Type","Persistence Path","Cloud protection intelligence Version","Cloud protection intelligence Compilation Timestamp","Persistence Limit Type Index","Persistence Limit Type","Persistence Limit Value","Sha256","FeatureName","FeatureID","Feature ID","Failure Id","Failure Reason","Recommendation","OldProfile","NewProfile","IPVersion","PreviousAddresses","UpdatedAddresses","PolicyChange","All Proxies","All Domain Proxies","GP Configured Domain Proxies","GP Configured Local Proxies","All DA Nat64 Proxies","GP Is Authoritative","IP Range 
Definition","StartTimeOfDay","CommandLineSize","updateCount","schedinstalldate","schedinstalltime","updatelist","restarttime","Config","IsTestConfig","IsAutoEnabled","Win32Status","SubscriberName","TSId","connection","optionCode","optionName","optionValue","resourceUri","shellId","commandId","applicationID","destination","operationType","className","operationName","LSPName","Catalog","Installer","HungAppEvent.AppName","InterfaceDescription","ConnectionMode","ProfileName","BSSType","PHYType","AuthenticationAlgorithm","CipherAlgorithm","OnexEnabled","ConnectionId","NonBroadcast","CallerPackageFamilyName","OldConsentValue","IsSetByHigherAuthority","EffectiveConsentValue","TargetPackageFamilyName","number","ErrorMsg","ServerID","ServerURL","File Name","Requested Signing Level","Validated Signing Level","SHA1 Hash Size","SHA1 Hash","SHA256 Hash Size","SHA256 Hash","SHA1 Flat Hash Size","SHA1 Flat Hash","SHA256 Flat Hash Size","SHA256 Flat Hash","SI Signing Scenario","PolicyIDLength","PolicyID","OriginalFileNameLength","InternalNameLength","InternalName","FileDescriptionLength","FileDescription","PackageFamilyNameLength","SHA1HashSize","SHA1Hash","SHA256HashSize","SHA256Hash","SHA1FlatHashSize","SHA1FlatHash","SHA256FlatHashSize","SHA256FlatHash","SISigningScenario","ProtectionFlags","CallerProcessStartKey","CallerProcessID","CallerProcessCreationTime","PlainTextDataSize","Prop_UnicodeString","OperationDescription","OperationElaspedTimeInMilliSeconds","DeviceObject","netPnpEvent","switchName_Length","switchName","switchFriendlyName_Length","switchFriendlyName","delta (100 
ns)","UrlPrefix","SiteID","param12","PrintDriverSandboxJobPrintProc.JobId","PrintDriverSandboxJobPrintProc.Processor","PrintDriverSandboxJobPrintProc.Printer","PrintDriverSandboxJobPrintProc.Driver","PrintDriverSandboxJobPrintProc.IsolationMode","PrintDriverSandboxJobPrintProc.ErrorCode","Processor","Printer","Driver","IsolationMode","ExtraInfo","CatalogName","FilterHostProcessID","remove","pathToVhdFile","permitReboot","source","deleteComponents","SP","psz","SQL","LogString","EventInfo.BytesReceived","EventInfo.BytesTransfered","EventInfo.SessionDuration","SystemTimeChangeSeconds","MaxSystemTimeChangeSeconds","UnsynchronizedTimeSeconds","TimeDifferenceMilliseconds","TimeSampleSeconds","RetryMinutes","DomainPeer","DeviceIsJoined","AADPrt","NgcPolicyEnabled","NgcPostLogonProvisioningEnabled","NgcHardwarePolicyMet","UserIsRemote","LogonCertRequired","MachinePolicySource","UseCloudTrust","CloudTgt","INFO_PNP_STATE.xmlns:auto-ns2","INFO_PNP_STATE.InstallSubsystemState","INFO_PNP_STATE.CachingSubsystemState","RunningMode","ConfigurationReader","UploadDuration","PayloadSize","Stage","BytesUploaded","HttpExchangeResult","RequestStatusCode","TransportHr","Unused13","SignatureVersion","PolicyVersion","PolicyRuleId","EnforcementLevel","AuditReason","EventTimestamp","PhaseID","DescriptionSize","fAutoDetect","pwszAutoConfigUrl","pwszProxy","pwszProxyBypass","authFailureMessage","username","authenticationMechanism","spn1","spn2","data_0x8000003F.Provider","data_0x8000003F.Namespace","Data_15","Data_16","Data_17","Data_18","Data_19","Exception Details","Member 
Name","Device_HW_profile_FOUND_Instance","Instance","Device_HW_profile_ERROR_Instance","LEN","VA","MBAR","PA","STATUS","ProtectedUser","Package_Name","Protected_User","Failure_Type","dwFlags","ServerList","IsNetworkQuery","NetworkQueryIndex","IsAsyncQuery","PrintOnProcFailedEd.Param1","PrintOnProcFailedEd.Param2","PrintOnProcFailedEd.Param3","PrintOnProcFailedEd.Param4","PrintOnProcFailedEd.Param5","PrintOnProcFailedEd.Param6","PrintOnProcFailedEd.Param7","PrintOnProcFailedEd.Param8","PrintOnProcFailedEd.Param9","PrintOnProcFailedEd.Param10","PrintOnProcFailedEd.Param11","ExpirationTime","Event.EventData","data1","data2","data3","data4","data5","data6","data7","data8","data9","data10","data11","data12","data13","data14","data15","data16","data17","data18","data19","data20","data21","Data1","Data2","Data3","Error_Instrument_ProcessName","WindowTitle","MsgCaption","MsgText","CallerModuleName","BaseAddr","ImageSize","ReturnAddr","BaseAddress","ReturnAddress","binary","ERROR_Invalid_bank_number","BankNo","requested","failed","BankName","MaskSet","MaskRequested","MaskFailed","raw","mask","ActiveRaw","ActiveMask","SpbCx_DDI_EvtSpbTargetConnect_SpbController","SpbTarget","SpbController","SpbCx_DDI_EvtSpbTargetDisconnect_SpbController","SpbCx_DDI_EvtSpbControllerLock_SpbController","SpbRequest","SpbCx_DDI_EvtSpbControllerUnlock_SpbController","SpbCx_DDI_EvtSpbIoRead_SpbController","SpbCx_DDI_EvtSpbIoWrite_SpbController","SpbCx_DDI_EvtSpbIoSequence_SpbController","TransferCount","SpbCx_DDI_EvtSpbOtherInCallerContext_SpbController","FxRequest","FxTarget","SpbCx_DDI_EvtSpbOther_SpbController","InLength","OutLength","IoCtrlCode","InputLength","OutputLength","IoControlCode","Request_INFO_Addr","Idx","Cnt","SlaveAddress","Request_ERROR_Addr","Delay_us","Interrupt_ISR_Status","HwStatus","Interrupt_DPC_HWStatus","SWStatus","SwStatus","Target_ERROR_Invalid_bus_type_current","Current","Controller_ERROR_Invalid_capability_Type","Controller_INFO_Addr","Controller_ERROR_Addr","Controlle
r_initialization_failed__STATUS","AuthorityName","Elapse","Timeout","CAPEName","CAPEDesc","session","scanStatus","scanResult","appname","contentname","contentsize","originalsize","content","hash","contentFiltered","hashoriginalcontent","Severity","Detection Origin","Detection Type","Detection Source","Signature ID","Fidelity Label","Target File Name","Action Status","Security Intelligence Version","Platform Version","Network Realtime Inspection engine version","Antivirus signature version","Antispyware signature version","Network Realtime Inspection signature version","Antivirus signature age","Antispyware signature age","Antivirus signature creation time","Antispyware signature creation time","Current Signature Version","Previous Signature Version","Signature Type","New security intelligence version","Previous security intelligence version","Update Stage","Engine Type","New Engine Version","Signatures Attempted","Current Platform Version","Dynamic Signature Type","Dynamic Signature Version","Dynamic Signature Compilation Timestamp","Persistence Limit","Removal Reason","Feature","Old value","New value","Failure Type","Exception Code","Expiration Reason","Expiration 
Date","unpublished","IAppVClient","Item","Global","global","packageTotal","packageSucceeded","packageFailed","groupTotal","groupSucceeded","groupFailed","Package_if_available","User_Id_if_available","Result_code","User_Idif_available","cValue","Frame","TimeDateStamp","wzName","dwTag","dwID","dwBudgetType","Limit","dwInterval","wzData","Update","dwTimeNow","EventData","dwCodeMarker","dwModuleId","dwDatapoint","dwTick","dwValue1","dwCount","dwValue","szFunction","dwLine","dwHResult","wzMessage","szCall","szTag","wzParameter","pPointer","wzJob","wzFriendlyName","wzAddressSMTP","wzSip","wzAlias","wzUserInfoId","wzPhoneNumber","wzFlags","wzEntryID","wzMuid","wzResID","wzSigninName","wzAltEmail","dwStatus","dwAvail","szMessage","wzSPUserId","wzSPServerInfo","wzDN","wzManager","wzEntryId","wzEmailAddress","wzSignInAddress","wzHashKey","wzContactType","bSetFromDL","wzSMTPAddress","wzTitle","wzCompanyName","wzDepartment","wzOfficeLocation","wzWorkPhone","wzMobilePhone","wzHomePhone","wzDescription","wzProperty","wzOldValue","wzNewValue","wzKey","szString","pCardHwnd","pPersona","pPersonInfo","wzCardType","wzEmail","wzWPhone","wzMPhone","wzHPhone","dwRank","wzSIPAddress","wzDataType","wzDisplayName","cookie","priority","scheduler","grfTaskFlags","msecRelease","msecDeadline","grfModifyFlags","fTimerOnly","fTracking","fResuming","msecsRunIntervalAvg","msecDelay","msecsTolerableDelay","wzFirstTaskName","wzC1Source","wzC1EntryId","wzC1PersonId","wzC1StampedGalEId","wzC1Email1","wzC1Email2","wzC1Email3","wzC1DisplayName","wzC2Source","wzC2EntryId","wzC2PersonId","wzC2StampedGalEId","wzC2Email1","wzC2Email2","wzC2Email3","wzC2DisplayName","dwJobSequence","dwJobCount","dwHrResult","dwResultCount","fLastBatch","fMoreResults","wzRootSourceType","szSourceType","wzUserID","wzProviderId","wzCreationDate","grfUpdateType","wzMessageName","szMessageName","wzPersonID","wzEmail1","wzEmail2","wzEmail3","wzIM","wzLastModified","fLInked","wzGALEntryID","dwGALLinkState","wzLinkRejectHistory","wzS
MTPAddressCache","wzEntryID1","wzEntryID2","szComment","szCallingFunction","wzFeedProviderName","wzFeedHTML","wzFeedData","wzFeedPlainText","wzFeedIcon","wzTime","wzProviderXML","wzUnSanitizedHTML","wzSanitizedHTML","wzFriendInfo","wzRetrievalTime","wzCurrentTime","wzTimeInMinutesForNextSync","dwId","wzFunction","wzPrevValue","wzUniqueKey","wzLogLine","dwEntrypoint","dwGroupNameLength","dwGroupIdLength","dwGroupType","fAliasChanged","fAutoSubscribeChecked","fResult","dwErrorType","fGroupIdManuallyEdited","dwAvailbilityResult","dwDialogType","dwAddedMembersCount","dwRemovedMembersCount","dwAddedAdminsCount","dwRemovedAdminsCount","dwMemberCount","dwAdminCount","dwActionType","dwEnvironment","Password_expiration_claims_Seconds","URI","seconds","Password_expiration_fields_Status","ExpiryTime","PasswordChangeURI","Get_device_token_Resource","ClientID","value1","value2","value3","CA_cert_hash_keyID","Logon_failure_Status","Get_user_realm_failure_Status","Get_credential_keys_failure_Status","OAuth_request_retry_Correlation_ID","Retry","RetryNumber","Refresh_token_failure_Status","Cant_decrypt_OAuth_response_Error","AadCloudAPPlugin_S2U_logon_failed_Status","Onprem_tgt_error","User_Identity","Credential_Type","Endpoint_Uri","HTTP_Status","HTTP_Method","Error_Description","UserIdentity","CredentialType","EndpointUri","HTTPTransportError","HTTPStatus","NewToken","P2P_certificate_update_error_Status","CA_certificate_update_error_Status","Additional_information","location","Application_name","Application_version","Executable_path","Recommended_layer","Vista","FileID","ProgramID","ApplicationVersion","RecommendedLayer","VistaPlus","Action_Count","Missed_Action_Count","Output_file_location","ActionCount","MissedActionCount","OutputFileLocation","MethodName","CallerInfo","HostReference","AppDomain","TypeName","ListenAddress","DestinationAddress","ContractName","ExceptionToString","ExceptionTypeName","msg","key","cur","max","Pending_connections_ratio","Concurrent_calls_ratio","Con
current_sessions_ratio","Outbound_connections_per_endpoint_ratio","Concurrent_instances_ratio","itemTypeName","SocketId","Available_memory_bytes","availableMemoryBytes","SerializedException","PoolSize","Delta","IncrementBusyCount_called_Source","DecrementBusyCount_called_Source","EventSource","ListenerHashCode","SocketHashCode","ListenerId","accepted_SocketId","PoolKey","busy","ChannelHandlerId","Via","Kind","tokenType","tokenID","PackageLength","PackageBuffer","Updated_current_dependency_graph_Removal","Removal","SrcPsmKey","TargetPsmKey","CheckTerminationBeforeSwitch_Should_terminate","MaxTterminate","AUMID","Misbehaving","EvaluateAndTerminatePid_PID","Package_State","PackageState","Package_Exemption_Manager_ReferenceAdded","Added","PsmKey","RegistrationRef","PendingRef","Runaway_RPC","KernelRequest","RunawayRpc","RpcDebounce","RegisterForActivationStateChanges_Act","App","ActivationType","ApplicationType","Cookie","Couldnt_open_process","HostJobType","BM_Queued_evaluate_WorkItem","EntryPoint","WorkItemId","ActivationAction","BM_Evaluate_returned_WorkItem","BM_TaskActivated_WorkItem","BM_TaskCompleted_WorkItem","BM_TaskCanceled_WorkItem","BM_Policy_evaluate_returned_WorkItem","WallClockLimit","WallClockLimitMs","BM_TaskActivating_WorkItem","BM_TerminateHost_WorkItem","BM_ActivateDeferredWorkItem_WorkItem","BM_TaskWallClockActive_WorkItem","BM_TaskWallClockExpired_WorkItem","for_WorkItem","BM_Policy_returned_HRESULT","BM_WorkItem","BM_User_Logon_Session","BM_User_Logoff_Session","BM_Flushing_ignored_EvaluationState","EvaluationState","BM_ShellSuspendState_changed_oldState","newState","OldState","BM_DPLKeyState_changed_oldState","BM_Canceling_WorkItem","BAM_Added_Package","BAM_Removed_Package","BAM_Added_Application","BAM_Removed_Application","FAM_NotifyTaskInstanceCompleted_TaskID","p1_UInt32","p2_UInt32","FAM_NotifyTaskInstanceRunning_TaskID","FAM_UiForegroundMemory","MB_CPU","FAM_CreateAgentLaunchRequest_TaskID","Queue","p3_UInt32","FAM_CancelAgentRequest_TaskID"
,"FAM_AbortAgentRequestsInternal_hr","FAM_CompleteAgent_TaskID","FAM_PrioritizeAgentRequest_TaskID","FAM_NotifyConsumer_Notification","TaskID","hrResult","FAM_AcquireSharedResourceSet_ProductID","ConsumerPid","Pending","p1_GUID","p4_UInt32","PackageUri","PolicyReason","NewMainPackageFullName","OldMainPackageFullName","Online","ErrorCount","FailedDeploymentState","DependentPackageName","SupplierPackageName","Column","ExtendedData","UndockedDehDllParent","DehName","DehPhase","PostOsUpgrade","DehState","PlatformId","RelatedId","CompletionStatus","WorkItemType","Volume","Offset","Copy","TotalCopies","SlabSize","Title","PolicyValue","SystemEvent","EntryPointLength","TaskEntryPoint","Subsystem","Algorithm","CertGetCertificateChainStart.EventAuxInfo","CertGetCertificateChainStart.CorrelationAuxInfo","CertVerifyCertificateChainPolicy.Policy","CertVerifyCertificateChainPolicy.Certificate","CertVerifyCertificateChainPolicy.CertificateChain","CertVerifyCertificateChainPolicy.Flags","CertVerifyCertificateChainPolicy.Status","CertVerifyCertificateChainPolicy.EventAuxInfo","CertVerifyCertificateChainPolicy.CorrelationAuxInfo","CertVerifyCertificateChainPolicy.Result","CertVerifyRevocationStart.EventAuxInfo","CertVerifyRevocationStart.CorrelationAuxInfo","CertVerifyRevocation.Certificate","CertVerifyRevocation.IssuerCertificate","CertVerifyRevocation.Flags","CertVerifyRevocation.AdditionalParameters","CertVerifyRevocation.RevocationStatus","CertVerifyRevocation.CertificateRevocationList","CertVerifyRevocation.CertificateRevocationList_1","CertVerifyRevocation.EventAuxInfo","CertVerifyRevocation.CorrelationAuxInfo","CertVerifyRevocation.Result","CryptRetrieveObjectByUrlCacheStart.EventAuxInfo","CryptRetrieveObjectByUrlCacheStart.CorrelationAuxInfo","CryptRetrieveObjectByUrlCache.URL","CryptRetrieveObjectByUrlCache.Object","CryptRetrieveObjectByUrlCache.Flags","CryptRetrieveObjectByUrlCache.AuxInfo","CryptRetrieveObjectByUrlCache.CacheInfo","CryptRetrieveObjectByUrlCache.RetrievedOb
jects","CryptRetrieveObjectByUrlCache.EventAuxInfo","CryptRetrieveObjectByUrlCache.CorrelationAuxInfo","CryptRetrieveObjectByUrlCache.Result","CryptRetrieveObjectByUrlWireStart.EventAuxInfo","CryptRetrieveObjectByUrlWireStart.CorrelationAuxInfo","CryptRetrieveObjectByUrlWire.URL","CryptRetrieveObjectByUrlWire.Object","CryptRetrieveObjectByUrlWire.Timeout","CryptRetrieveObjectByUrlWire.Flags","CryptRetrieveObjectByUrlWire.AuxInfo","CryptRetrieveObjectByUrlWire.AdditionalInfo","CryptRetrieveObjectByUrlWire.EventAuxInfo","CryptRetrieveObjectByUrlWire.CorrelationAuxInfo","CryptRetrieveObjectByUrlWire.Result","CryptSignCertificate.Certificate","CryptSignCertificate.EventAuxInfo","CryptSignCertificate.CorrelationAuxInfo","WinVerifyTrustStart.EventAuxInfo","WinVerifyTrustStart.CorrelationAuxInfo","CryptCATAdminEnumCatalogFromHash.CATQueryInfo","CryptCATAdminEnumCatalogFromHash.AdditionalInfo","CryptCATAdminEnumCatalogFromHash.EventAuxInfo","CryptCATAdminEnumCatalogFromHash.CorrelationAuxInfo","CryptCATAdminEnumCatalogFromHash.Result","X509Objects.Certificate","X509Objects.Certificate_1","X509Objects.Certificate_2","X509Objects.Certificate_3","X509Objects.Certificate_4","X509Objects.EventAuxInfo","X509Objects.CorrelationAuxInfo","StoreName","LdapStore","TemplateName","CA","CACommonName","DCSpecifier","PolicyModuleDescription","CAKeyIdentifier","ErrorMessageText","AdditionalErrorMessage","WarningMessage","Opening_Machine_Store_Value","Provider","CurrentAcl","ExpectedAcl","NumberOfPolicies","Information_from","SmsRouter","AnsiStringName","HResultName","Access","ReasonForFailure","Protector_Name","Protector_Attributes","ProtectorName","ProtectorAttributes","Recipient_Type","RecipientType","KeyIdLength","KeyId","Volume_name","Files_skipped","First_skipped_file_name","FriendlyVolumeNameLength","FriendlyVolumeName","JobType","Param1","DebugInfo","Minimum_memory","Maximum_memory","Minimum_disk","Maximum_cores","JobInstanceId","VolumeGuidPath","VolumeDisplayName","MinimumMemoryMB",
"MaximumMemoryMB","MinimumDiskMB","MaximumCores","Reconciled_containers","Unreconciled_containers","Catchup_references","Catchup_containers","Reconciled_references","Crossreconciled_references","Crossreconciled_containers","Error_code","Error_message","ReconciledContainerCount","UnreconciledContainerCount","CatchUpReferences","CatchUpMergedContainerCount","ReconciledReferences","ReconciledMergedContainerCount","CrossReconciledReferences","CrossReconciledMergedContainerCount","SkippedContainerCount","NumberOfRetries","FileId","Available_memory","Available_cores","Instances","Readers_per_instance","IoThrottle","AvailableMemoryMB","AvailableCores","ReadersPerInstance","JobPriorityType","Full","Volume_free_space_MB","VolumeFreeSpaceMB","Readonly","Savings_rate_percent","Saved_space_MB","Volume_used_space_MB","Optimized_file_count","Inpolicy_file_count","Job_processed_space_MB","Job_elapsed_time_seconds","Job_throughput_MBsecond","Churn_processing_throughput_MBsecond","SavingsRate","SavedSpaceMB","VolumeUsedSpaceMB","OptimizedFileCount","InPolicyFileCount","JobProcessedSpaceMB","JobOptimizedBytesMB","JobChurnBytesMB","JobSkippedBytesMB","PriorityMode","JobElapsedTime","JobThroughput","ChurnThroughput","FinalJobStage","Freed_up_space_MB","FreedupSpaceMB","CompactedDataContainerCount","CompactedStreamContainerCount","ReclaimedFileLeakCount","Total_corruption_count","Fixable_corruption_count","TotalCorruptionCount","FixableCorruptionCount","Unoptimized_file_count","UnOptimizedFiles","ProcessedSizeMB","SkippedFiles","FailedFiles","System_memory_percent","Schedule_mode","SystemMemoryPercent","JobScheduleMode","File_ID","Available_threads","AvailableMemoryMb","AvailableThreads","Chunk_lookup_count","Inserted_chunk_count","Inserted_chunks_logical_data_MB","Inserted_chunks_physical_data_MB","Committed_stream_count","Committed_stream_entry_count","Committed_stream_logical_data_MB","Retrieved_chunks_physical_data_MB","Retrieved_stream_logical_data_MB","DataPort_time_seconds","Ingr
ess_throughput_MBsecond","Egress_throughput_MBsecond","SavedSpaceMb","VolumeUsedSpaceMb","VolumeFreeSpaceMb","ChunkLookups","InsertedChunks","InsertedChunksLogicalMb","InsertedChunksPhysicalMb","CommittedStreamMaps","CommittedStreamMapEntries","CommittedStreamBytesLogicalMb","RetrievedChunkBytesPhysicalMb","RetrievedStreamBytesLogicalMb","DataPortTime","IngressThroughput","EgressThroughput","Update_file_list_entries_Remove","Add","EntryToRemove","EntryToAdd","PolicyFilePath","UInt2","UInt3","UInt4","UInt5","UInt6","HRESULT2","Message6","UInt7","InternalCmdType","Message5","HRESULT8","HRESULT9","IsFramework","Prop_ProductId","Prop_SoftwarePfn","Missing_updates","Missing_drivers","Unpublished_drivers","Published_drivers","Analysis_errors","Prop_ProductVersion","Prop_MissingUpdates","Prop_MissingDrivers","Prop_UnpublishedDrivers","Prop_PublishedDrivers","Prop_AnalysisErrorDrivers","DfsPath","ClientIpAddress","ClientSite","Comment","TimeConsumedInMilliSeconds","unused","path","Stack_Media_Connect","TimeToWaitLeft","ConfigNameType","BoolFlag","DwordVal1","ClassIDSize","ClassID","StandardOptListSize","StandardOptList","VendorOptListSize","VendorOptList","OptDataSize","OptData","DwordVal2","NewMode","DataCollectorSetCreation.Name","DataCollectorSetCreation.UserName","DataCollectorSetEdit.Name","DataCollectorSetEdit.UserName","DataCollectorSetDeletion.Name","DataCollectorSetDeletion.UserName","DataCollectorSetStart.Name","DataCollectorSetStart.Key","DataCollectorSetStart.UserName","DataCollectorSetStop.Name","RPC_Method","Client_SID","Client_Network_Address","RPCMethod","UserAccountName","ClientSID","ClientNetworkAddress","Account_name","Account_objectClass","userAccountControl","Caller_address","Caller_SID","Accountname","AccountobjectClass","userAccountcontrol","Calleraddress","CallerSID","Interface","TotalServerCount","DynamicAddress","Total_DNS_Server_Count","SendBlob","SendBlobContext","QueryBlob","IsParallelNetworkQuery","NetworkIndex","InterfaceCount","DNSServerAddre
ss","ParentBlob","DnsServerIpAddress","ResponseStatus","AdapterSuffixName","DnsServerList","Sent UpdateServer","Ipaddress","SentUpdateServer","__binLength","QTYPE","QNAME","ScavengeServers","UMDFDriverManagerHostCreateStart.LifetimeId","UMDFDriverManagerHostCreateStart.HostGuid","UMDFDriverManagerHostCreateStart.DeviceInstanceId","HostGuid","UMDFDriverManagerHostCreateEnd.LifetimeId","UMDFDriverManagerHostCreateEnd.FinalStatus","UMDFDriverManagerHostShutdown.LifetimeId","UMDFDriverManagerHostShutdown.TerminateStatus","UMDFDriverManagerHostShutdown.ExitCode","TerminationStatus","UMDFHostStartupBegin.LifetimeId","UMDFHostStartupEnd.LifetimeId","UMDFHostStartupEnd.FinalStatus","UMDFHostAddDeviceBegin.LifetimeId","UMDFHostAddDeviceBegin.InstanceId","UMDFHostAddDeviceBegin.Level","UMDFHostAddDeviceBegin.Service","UMDFHostAddDeviceBegin.DriverClsid","Level","ClsId","UMDFHostModuleLoad.LifetimeId","UMDFHostModuleLoad.InstanceId","UMDFHostModuleLoad.ModulePath","UMDFHostModuleLoad.CompanyName","UMDFHostModuleLoad.FileDescription","UMDFHostModuleLoad.FileVersion","ModulePath","UMDFHostAddDeviceEnd.LifetimeId","UMDFHostAddDeviceEnd.InstanceId","UMDFHostAddDeviceEnd.Level","UMDFHostAddDeviceEnd.FinalStatus","UMDFHostDeviceArrivalEnd.LifetimeId","UMDFHostDeviceArrivalEnd.InstanceId","UMDFHostDeviceArrivalEnd.FinalStatus","UMDFHostShutdown.LifetimeId","Range","szTrace","ModuleNameLen","Log","Bypass_IO_Operation","Vetoing_Reason","Operation_Status","BypassIoOperation","BypassVetoingReason","OperationStatus","Begin_IFunctionDiscoveryGetInstanceCollection__Category","IncludeSubcategories","End_IFunctionDiscoveryGetInstanceCollection__Category","Begin_IFunctionDiscoveryGetInstance__FIID","FunctionInstanceID","End_IFunctionDiscoveryGetInstance__FIID","Begin_IFunctionDiscoveryCreateInstanceCollectionQuery__Category","End_IFunctionDiscoveryCreateInstanceCollectionQuery__Category","Begin_IFunctionDiscoveryCreateInstanceQuery__FIID","End_IFunctionDiscoveryCreateInstanceQuery__FIID","Begi
n_IFunctionDiscoveryAddInstance__Category","ProviderInstanceID","End_IFunctionDiscoveryAddInstance__Category","Begin_IFunctionDiscoveryRemoveInstance__Category","End_IFunctionDiscoveryRemoveInstance__Category","Begin_IFunctionInstanceCollectionQueryExecute__Category","End_IFunctionInstanceCollectionQueryExecute__Category","Begin_IFunctionInstanceCollectionQuery2Advise__Category","End_IFunctionInstanceCollectionQuery2Advise__Category","Begin_IFunctionInstanceCollectionQuery2Unadvise__Category","End_IFunctionInstanceCollectionQuery2Unadvise__Category","Begin_IFunctionInstanceCollectionQuery2Start__Category","End_IFunctionInstanceCollectionQuery2Start__Category","Begin_IFunctionInstanceCollectionQuery2Stop__Category","End_IFunctionInstanceCollectionQuery2Stop__Category","Begin_IFunctionInstanceCollectionQuery2QueryService__Category","End_IFunctionInstanceCollectionQuery2QueryService__Category","Begin_IFunctionInstanceQueryExecute__Category","End_IFunctionInstanceQueryExecute__Category","Begin_IFunctionDiscoveryProviderInitialize__Category","End_IFunctionDiscoveryProviderInitialize__Category","Begin_IFunctionDiscoveryProviderQuery__Category","End_IFunctionDiscoveryProviderQuery__Category","Begin_IFunctionDiscoveryProviderEndQuery__Category","End_IFunctionDiscoveryProviderEndQuery__Category","Begin_IFunctionDiscoveryProviderInstancePropertyStoreValidateAccess__FIID","End_IFunctionDiscoveryProviderInstancePropertyStoreValidateAccess__FIID","Begin_IFunctionDiscoveryProviderInstancePropertyStoreOpen__FIID","End_IFunctionDiscoveryProviderInstancePropertyStoreOpen__FIID","Begin_IFunctionDiscoveryProviderInstancePropertyStoreFlush__FIID","End_IFunctionDiscoveryProviderInstancePropertyStoreFlush__FIID","Begin_IFunctionDiscoveryProviderInstanceQueryService__FIID","End_IFunctionDiscoveryProviderInstanceQueryService__FIID","Begin_IFunctionDiscoveryProviderInstanceReleased__FIID","End_IFunctionDiscoveryProviderInstanceReleased__FIID","Begin_IProviderPublishingCreateInstance__Catego
ry","End_IProviderPublishingCreateInstance__Category","Begin_IProviderPublishingRemoveInstance__Category","End_IProviderPublishingRemoveInstance__Category","Begin_asyncronous_query__Category","querycookie","Asynchronous_query_complete__Category","Activity_id","SaveToCacheTimeElapsedInMilliseconds","UNC_Path","Mutual_Authentication_Enforced","Integrity_Enforced","UncPath","MutualAuthenticationEnforced","IntegrityEnforced","User_SID","Deployment_Type","DeploymentType","Subtype","GestureType","GestureSubtype","CertificateEnrollmentMethod","CertificateRequired","HasCloudTgt","TPM_Supported","Hardware_Policy","Exclude_TPM_12","TPM_Version","TPM_FIPS","TPM_Locked_Out","Satisfactory_Key_Pregeneration_Pool","Key_Storage_Provider","TpmSupport","HardwarePolicy","IsTpm12Excluded","TpmVersion","IsTpmFIPS","IsTpmLockedOut","IsKeyPregenPoolSatisfactory","KeyProvider","Software_Lockout_Counter","Authentication_Error_Status","Authentication_Error_Substatus","SoftwareLockoutCounter","AuthenticationErrorStatus","AuthenticationErrorSubStatus","UserEntered","Unused_Username","UnusedUserName","Unused_User_SID","UnusedUserSid","Stale_User_SID","CurrentlyMostRecentUserSid","StaleUserSid","Stale_Username","CurrentlyMostRecentUserName","StaleUserName","Core_initialization_failed__Details","Page_initialization_failed__Details","Page","GetHomeGroupStatus_failed__Details","GetSharingFlags_failed__Details","PopulateSharedFolderList_failed__Details","Retrieve_file_sharing_failed__Details","Retrieve_public_folder_failed__Details","Retrieve_printer_sharing_failed__Details","Retrieve_media_sharing_failed__Details","Commit_network_discovery_failed__Details","DWORD","Commit_file_sharing_failed__Details","Commit_public_folder_failed__Details","Commit_printer_sharing_failed__Details","Commit_media_sharing_failed__Details","Share_folder_failed__Details","guid","Parameter0","Parameter1","Parameter2","GnsId","GnsState","Request","Entity","RpcAccessLevel","Hotadd_information_Current_UxNumberOfProcessors","
comment","NewProcNumber","Thread_pool_extension_Pool_type","active_pools","PoolType","ActivePools","Thread_ready_Pool_type","thread_count","ThreadCount","Thread_pool_trim_Pool_type","Thread_gone_Pool_type","QUIC_Connection_QuicConnectionId","Connection","Local_IP","Remote_IP","SNI","QuicConnectionId","LocalAddressLength","RemoteAddressLength","SniLength","SniHost","ErrorLogCode","QUIC_Connection_Callback_Connection","EventParam","QUIC_Stream_QuicStreamId","Stream","QuicStreamId","QUIC_Stream_Callback_Stream","StreamType","SSL_handshake_failed_Local_IP","Thumbprint","Client_Initiated_Disconnect","Abortive_Disconnect","Connection_Status","SniHostname","ThumbprintLength","ClientDisconnect","AbortiveDisconnect","SSL_renegotiate_timed_out_Local_IP","Connection_Buffer_Full","ConnectionBufferFull","HTTP_11_Required_Verb","Fault_Code","FaultCode","QUIC_Registration_Failed_Status","VmlEventLog.VmName","VmlEventLog.VmId","VmlEventLog.VmBootSourceCount","VmlEventLog.VmBootSourceResult","VmName","BootSourceCount","BootSourceResult","VmlEventLog.VmBootSourceResult_1","VmlEventLog.VmBootSourceResult_2","VmlEventLog.VmBootSourceResult_3","SystemId","BankCount","ProcessorFeatures","XsaveFeatures","CLFlushSize","Host_processor_features_mask","Host_xsave_features_mask","Host_cache_line_flush_size","PartitionId","SchedulerType","HardwarePresent","HardwareEnabled","EnabledFeatures","InternalInfo","Problems","AdditionalInfo","Hardware_present","Hardware_enabled","Enabled_features","Internal_information","NotAffectedRdclNo","NotAffectedAtom","CacheFlushSupported","SmtEnabled","ParentHypervisorFlushes","DisabledLoadOption","CacheFlushNeeded","Max","CurrentVersion","MinVersion","MaxVersion","NotAffectedMdsNo","MdClearSupported","BufferFlushNeeded","AMD_PSP_PCI_device_discovered_Segment","bus","device","function","Segment","NDK_PnP_event_failed_PnPEvent","NetEvent","failureReason","MiniportNameLen","MsgStatus","VF_adapter_bind_failed_FailureReason","VfSerialNumber","LowestIfIndex","Snapshot
Id","TotalBytes","AverageBps","TotalBytes0","TotalBytes1","TotalBytes2","TotalBytes3","TotalBytes4","TotalBytes5","TotalBytes6","TotalBytes7","TotalBytes8","TotalBytes9","TotalBytes10","TotalBytes11","TotalBytes12","TotalBytes13","TotalBytes14","TotalBytes15","VmNicNoAvailableMac.VmName","VmNicNoAvailableMac.VmId","VmNicNoAvailableMac.NicGuid","VmNicNoAvailableMac.NicName","NicGuid","NicName","VmlEventLog.String","VmlEventLog.ErrorCodeString","VmlEventLog.Param1","VmlEventLog.Param2","ErrorCodeString","Param2","VmlEventLog.Parameter2","VmlEventLog.Parameter3","Parameter3","VmlEventLog.Parameter4","Parameter4","VmlEventLog.RepositoryName","VmlEventLog.Comments","VmlEventLog.PerformanceSummary","RepositoryName","Comments","PerformanceSummary","VmlEventLog.PathName","PathName","SwitchNameLen","SwitchName","SwitchFNameLen","SwitchFName","OwnerService","PortNameLen","PortName","PortFNameLen","PortFName","NicNameLen","NicFNameLen","NicFName","BaseCpuNumber","HashInformation","IndirectionTableSize","IndirectionTableOffset","HashSecretKeySize","HashSecretKeyOffset","FailReason","NdisOid","PtNicNameLen","PtNicName","PtNicFNameLen","PtNicFName","NicStatus","UniqueEvent","VMNameLen","VMName","VMIdLen","VMId","NicInstanceId","SharePath","ShareFlags","ShareJson","VmlEventLog.ProcessorFeatures","VmlEventLog.ProcessorXsaveFeatures","VmlEventLog.PartitionCreationFlags","VmlEventLog.NonArchitecturalCoreSharing","VmlEventLog.ProcessorCLFlushSize","VmlEventLog.ImplementedAddressBits","ProcessorXsaveFeatures","PartitionCreationFlags","NonArchitecturalCoreSharing","ProcessorCLFlushSize","ImplementedAddressBits","PhysicalAddressWidth","VmlEventLog.HResult","PreviousLine","ErrorLine","NextLine","FileConfigPath","SectionPath","DatabaseType","DatabaseAuthenticationType","DatabaseName","DatabasePath","DatabaseServerOrIP","DatabaseServerPort","DatabaseCredentialUsername","CreateNewSchema","ProvisioningMethod","GPOPrefix","LocalV6","RemoteV6","LocalV4","RemoteV4","IpAddrV4Length","IpAddrV6Leng
th","SourceIpv6Address","DestinationIPv6Address","SourceIPv4Address","DestinationIPv4Address","IPHTTPS_InterfaceName","RegistryState","CurrentState","AuthenticationMode","PrefixLength","InterfaceLuid","Prefix","RemotePrefix","RemotePrefixLength","LocalPrefix","LocalPrefixLength","Metric","TrustletIdentity","NormalProcessId","Issuer","Template","CachedCopyStatus","IdkGenerationStatus","MeasuringStatus","SealingAndCachingStatus","Measured_Boot_Measurement_Failure_Status","TPM_Measurement_Failure_Status","SMM_isolation_level_decreased_Reason","TxtStatus","PolicyLevel","checkpoint","Checkpoint","SMM_isolation_detected_Level","Crash_dump_disable_failed_NT_status","Crash_dump_load_driver_failed_NT_status","Crash_dump_reconfigured_NT_status","Dump_disabled_forcefully_ForceDumpDisabled","ForceDumpDisabled","MaxFileSize","ProviderGuid","ExtraStringLength","ExtraString","TmId","RmId","InternalCode","RM","Writing_dump_file_ended_NT_Status","HeaderBytes","PrimaryDataBytes","SecondaryDataBytes","DumpWriteDuration_ms","Sizing_Workflow_Allocation_NT","NtPrimaryDataBytes","HvPrimaryDataBytes","HvSecondaryDataBytes","SkPrimaryDataBytes","AllocateDumpBuffersDuration_ms","AllocateExtraBuffersDuration_ms","HvlPrepareLivedumpDescriptorDuration_ms","size","daddr","saddr","dport","sport","startime","endtime","seqnum","connid","mss","sackopt","tsopt","wsopt","rcvwin","rcvwinscale","sndwinscale","Driver_Name","Class_Guid","Driver_Date","Driver_Version","Driver_Provider","Driver_Section","Driver_Rank","Matching_Device_Id","Outranked_Drivers","Device_Updated","Parent_Device","DriverPackageId","Veto_type","Vetoed_By","DeviceInstanceLength","DeviceInstance","VetoNameLength","Disabled","Overridden","BugcheckCode","BugcheckParameter1","BugcheckParameter2","BugcheckParameter3","BugcheckParameter4","SleepInProgress","PowerButtonTimestamp","BootAppStatus","ConnectedStandbyInProgress","SystemSleepTransitionsToOn","CsEntryScenarioInstanceId","BugcheckInfoFromEFI","CheckpointStatus","CsEntryScenarioIns
tanceIdV2","LongPowerButtonPressDetected","LidReliability","InputSuppressionState","PowerButtonSuppressionState","LidState","WHEABootErrorCount","Firmware_S3_times_SuspendStart","SuspendEnd","SuspendStart","ProcessSequenceNumber","CreateTime","ParentProcessID","ParentProcessSequenceNumber","ProcessTokenElevationType","ProcessTokenIsElevated","ImageChecksum","SecurityMitigations","ExitTime","HandleCount","CommitCharge","CommitPeak","CPUCycleCount","ReadOperationCount","WriteOperationCount","ReadTransferKiloBytes","WriteTransferKiloBytes","HardFaultCount","ThreadID","StackBase","StackLimit","UserStackBase","UserStackLimit","StartAddr","Win32StartAddr","TebBase","SubProcessTag","CycleTime","ImageBase","ImageCheckSum","DefaultBase","OldPriority","NewPriority","Container ID","Job ID","ContainerID","JobID","Participation","MemoryIO","Memory_Hierarchy_Level","TransactionType","MemorIO","MemHierarchyLvl","Wired_Group_Policy_Name","AutoConfig_Enabled","Profile_applied","Reason_Code","PolicyType","PolicyNamePlaceholder","AutoConfigEnabled","Profileapplied","Configured_value","Minimum_value","Error_HRESULT","Line_Number","P1_HexInt32","P2_String","P3_UInt32","Error_Propagated_HRESULT","meeting_id","Prop_Dword_1","Prop_String1","Prop_String2","expected_parent","expected_parent_type","actual_parent","actual_parent_type","Prop_Dword1","Prop_Dword2","Prop_String3","Prop_Dword3","DavSyncProvider_Uploading_change_item_id","type","Prop_Id","Prop_Type","DavSyncProvider_Uploaded_change_item_id","status","Prop_Dword","P1_HResult","Mms_Mime_Invalid_phone_number","NetworkHelperHttpTransport_Callback_error_Handle","P1_UInt32","P2_UInt32","NetworkHelperHttpTransport_Request_Failure_Handle","NetworkHelperCrackUrl_Failure_HR","Http","Unknown_status","Prop_ptr","Prop_uint","Http_Total_bytes_received","P1_Int32","Total_Body_Bytes_sent","Prop_int","Http_HTTP_Error","Prop_hexint","Http_Content_Lengtgh","Receive_WNF_event_current_mode","current_value","SyncMode","Prop_Dword_2","Metadata_allocation
","Requested_tier","actual_tier","Requested_allocation_start","count","Actual_allocation_start","IsMetadata","RequestedTier","ActualTier","RequestedStartOfRange","RequestedCountOfRange","AllocatedStartOfRange","AllocatedCountOfRange","InitialState","AutopilotSync_Using_user_SID","Autopilot_Provisioning_change_Session_Id","sequence_number","MDM_Alert_sync_session_FeatureName","IsCompleted","SessionState","SyncSessionId","EnrollmentId","Uint1","Uint2","Diagnostic_extraction_failed_Error","Starting_Video","Video_Bit_Rate","Region","VideoX","VideoY","AudioChannels","VideoBitRate","AudioBitRate","SeekOffsetMs","Stopping_Bytes_Muxed","Video_Frames_Received","Video_Frames_Encoded","Audio_Bytes_Received","Audio_Frames_Encoded","TotalBytesEncoded","VideoFramesReceived","VideoFramesEncoded","AudioBytesReceived","AudioFramesEncoded","Retrieving_Max_connections_failed_MaxCon","MaxCount","param_bin1","NCA_PerfTrack_Scenario_Event_MachineId","DeploymentId","StopState","MachineIdentifier","SessionIdentifier","DeploymentIdentifier","Network_connected_device_Name","String2","Integer1","GatewayIP","GatewayMAC","KnownProxyless","KnownHotspot","KnownOppInternet","KnownProxiedOppInternet","IpAddressLength","MacAddressLength","MacAddress","HasNextHopToInternet","NextHopAddress","NextHopAddressLength","HasPreferredAddress","AddressSuffixOrigins","HasPreferredGlobalAddress","Host","Next_retry","ProbeHost","ProbePath","RetryInterval","Individual","Cummulative","NetLuidIndex","CurrentProcessorIndex","NumberOfNetBufferLists","ProcessingDurationMilliseconds","PreviousLimit","NewLimit","IndividualMeasurement","CummulativeMeasurement","Event_source","LayerCount","SourceId","SourceName","LayerInfo","Interface_Luid","_IfLuid","_ProcNum","_ListIndex","Flow_Context_Flow_Id","_FlowHandle","_RefDeref","NduUpdateProcessStatsForContainerOrVmId_succeeded_CurrentProcNumber","IfType","BytesSent","BytesRecvd","CurrentProcNumber","OuterProcessId","IfAlias","VirtualIfLuid","SourceProvider","Source_Provider","
Software_Slot","HardwareSlotReset","SoftwareSlotReset","UNC_Hardening_Configuration","Property_Name","Property_Value","UncPathLength","UncHardeningConfigurationLength","UncHardeningConfiguration","PropertyNameLength","Expected_Token","Found_Token","ExpectedToken","FoundTokenLength","FoundToken","5nProtocol","SaContextID","LocalAddr","LocalMask","RemoteMask","IPProtocol","LocalTunnelEndpt","RemoteTunnelEndpt","NlnsState","MAC","GatewayIpAddress","MacAddrLen","MacAddr","Volume_GUID","MessageLength","FailureStatus","Volume_correlation_Id","File_Reference","File_Name","File_Link_name","Parent_file_reference","Parent_file_name","FileReference","FileLinkNameLength","FileLinkName","ParentFileReference","ParentFileNameLength","ParentFileName","Failure_Status","Source_Tag","TotalCountDeleteFile","TotalCountDeleteFileLogged","ProcessNamesArray","CountDeletesInDesktopArray","CountDeletesInDocumentsArray","CountDeletesInDownloadsArray","CountDeletesInMusicArray","CountDeletesInPicturesArray","CountDeletesInVideosArray","CountDeletesInOtherArray","Time_seconds","Owner_Process","Breaking_Process","TimeoutSeconds","OwnerProcessNameLength","OwnerProcessName","BreakingProcessNameLength","BreakingProcessName","NativeNVMe","Volume_Name","MountStageSourceTag","WorkItem_queued_WorkItem","WorkItem","WorkItem_queue_failed_WorkItem","WorkItem_started_WorkItem","WorkItem_completed_WorkItem","Calling_Process_Name","Negotiated_Security_Flags","Minimum_Security_Flags","NegotiatedSecurity","RequiredSecurity","SvcHostTag","Service_Host_Tag","Nwf_Status","StatusAnnotation","Context1","WorkerRequestHandler","Context2","ActivityType","StatusActive","Activators_received_acknowledgement_Status","Notification_started_Type","ClientContext","PDC_Sequence","WaitTime","PdcSequence","Control_notification_Type","Invalid_notification_Client","Expected_sequence_number","Received_sequence_number","AssumedPdcSequence","ReceivedPdcSequence","Notification_received_Client","Control","ClientState","ClientStatus","S
endMessage","UserModeMessage","PDC_received_monitor_request_ONOFF","Console","On","PDC_SuspendResume_handler_activated","Suspend","Connected","PDC_Initialization__AoAc","AoAc","PowerEvent","Suspendresume_started_Type","IteratioType","Power_Event","Iteration","PDC_state_changed_new","old","ReferenceCount","PdcId","ClientNameLength","ScenarioNameLength","ScenarioName","Slot_number","Model_Number","NfitHandle","SlotNumber","SaveFailed","RestoreFailed","PlatformFlushFailed","ArmFailed","TechnologySpecificDetails","LostPersistence","WarningThresholdExceeded","PersistenceRestored","BelowWarningThreshold","ModuleHealth_VoltageRegulatorFailed","ModuleHealth_VddLost","ModuleHealth_VppLost","ModuleHealth_VttLost","ModuleHealth_DramNotInSelfRefresh","ModuleHealth_ControllerHardwareError","ModuleHealth_NvmControllerError","ModuleHealth_NvmLifetimeError","ModuleHealth_NotEnoughEnergyForSave","ModuleHealth_InvalidFirmwareError","ModuleHealth_ConfigDataError","ModuleHealth_NoEnergySourcePresent","ModuleHealth_EnergySourcePolicyNotSet","ModuleHealth_EnergySourceHardwareError","ModuleHealth_EnergySourceHealthAssessmentError","EncodedModuleTemperature","ErrorThreshold_NvmLifetimeError","ErrorThreshold_EnergySourceLifetimeError","ErrorThreshold_EnergySourceTemperatureError","WarningThreshold_NvmLifetimeWarning","WarningThreshold_EnergySourceLifetimeWarning","WarningThreshold_EnergySourceTemperatureWarning","NvmLifetimePercentage","UncorrectableMemoryErrorCount","CorrectableMemoryErrorAboveThresholdEventCount","LastBackup_TriggerInformation","LastBackup_SaveFailureInformation","MemoryEventCount","CAD_Notifying_Battery_Driver_____Id","MaxCurrent","ChargerId","PowerSourceId","MaxChargeCurrent","PowerSourceInformation","PowerSourceStatus","CAD_Power_Source_Update_Call_____Id","CAD_Start_Charging_IOCTL_Call____Id","CAD_Stop_Charging_IOCTL_Call_____Id","CAD_Source_Change_Notification___Id","SourceOnline","WorkflowGuid","JobData","ActivityName","ActivityGuid","Parameters","Property_name","Pr
operty_owners_type_name","Getter_script","PropertyOwnerType","GetterScript","Runspace_Id","Pipeline_Id","TargetInterface","Runspace_InstanceId","PowerShell_InstanceId","DataSize","DataType","CategoryInfoCategory","CategoryInfoReason","CategoryInfoTargetName","FullyQualifiedErrorId","Stack_Trace","ExceptionMessage","ExceptionStackTrace","ExceptionInnerException","PipelineId","StackTrace","CanRunTask_failed__Details","DocumentDeleted.Param1","DocumentDeleted.Param2","DocumentDeleted.Param3","DocumentDeleted.Param4","JobDiag.JobId","DeleteJobDiag.JobId","DeleteJobDiag.JobSize","DeleteJobDiag.DataType","DeleteJobDiag.Pages","DeleteJobDiag.PagesPerSide","DeleteJobDiag.FilesOpened","DeleteJobDiag.JobSizeHigh","JobSize","Pages","PagesPerSide","FilesOpened","JobSizeHigh","CallerAppPackageFamilyName","SetByHigherAuthority","SqliteInformational_Status","SqliteOther_Status","SqliteWarning_Status","SqliteError_Status","Destination_Port","Next_Protocol","DropReason","NumberOfPackets","SrcAddress","SrcPort","NextProtocol","MountStartTimeUtc","DevDriveState","SpaceId","StackCount","Stack","Volume_correlation_ID","Device_name","Space_ID","Elapsed_seconds","Available_clusters","Reserved_clusters","Metadata_clusters","Used_clusters","Volume_size","Bytes_per_cluster","AvailableClusters","AvailabeSpaceStr","ReservedClusters","ReservedSizeStr","MetadataTotalClusters","MetadataSizeStr","UsedClusters","UsedSizeStr","MappedClusters","MappedSpaceStr","AvailableMappedClusters","AvailableMappedSpaceStr","SlabSizeInBytes","SlabSizeStr","SlabOffsetDeltaInBytes","SlabsMapped","SlabsMappedDelta","TotalSlabsCount","MapCountSinceMount","IntervalMapCount","MapFailureCountSinceMount","IntervalMapFailureCount","MappedBytesSinceMount","MappedBytesSinceMountStr","IntervalMappedBytes","IntervalMappedBytesStr","UnmapCountSinceMount","IntervalUnmapCount","UnmapFailureCountSinceMount","IntervalUnmapFailureCount","UnmappedBytesSinceMount","UnmappedBytesSinceMountStr","IntervalUnmappedBytes","IntervalUnmapped
BytesStr","DedupEnabled","WeakReferenceEnabled","DirtyStateTrackingEnabled","Volume_Id","Max_Acceptable_IO_Latency","TierIndex","ReadWriteLatencyBucket1","ReadWriteLatencyBucket2","ReadWriteLatencyBucket3","ReadWriteLatencyBucket4","ReadWriteLatencyBucket5","ReadWriteLatencyBucket6","ReadWriteLatencyBucket7","TrimLatencyBucket1","TrimLatencyBucket2","TrimLatencyBucket3","TrimLatencyBucket4","TrimLatencyBucket5","TrimLatencyBucket6","TrimLatencyBucket7","FlushLatencyBucket1","FlushLatencyBucket2","FlushLatencyBucket3","FlushLatencyBucket4","FlushLatencyBucket5","FlushLatencyBucket6","FlushLatencyBucket7","Tier_index","Interval_duration","IO_count","Total_bytes","Avg_latency","Extents_count","HighIoLatencyCount","IntervalDurationUs","NCReadIOCount","NCReadTotalBytes","NCReadAvgLatencyNs","NCWriteIOCount","NCWriteTotalBytes","NCWriteAvgLatencyNs","FileFlushCount","FileFlushAvgLatencyNs","DirectoryFlushCount","DirectoryFlushAvgLatencyNs","VolumeFlushCount","VolumeFlushAvgLatencyNs","FileLevelTrimTotalBytes","FileLevelTrimExtentsCount","FileLevelTrimAvgLatencyNs","VolumeTrimTotalBytes","VolumeTrimExtentsCount","VolumeTrimAvgLatencyNs","IoBucketsCount","TotalBytesBucketsCount","ExtentsBucketsCount","IoCount","TotalLatencyUs","TrimExtentsCount","IoTypeIndex","Process_Id","Process_name","File_name","IO_Type","IO_Size","File_offset","Latency","IO_type","High_Latency_IOs","Avg_IOPS","HighLatencyLevelMs","HighLatencyLevelStr","TotalCount","TotalTimeNs","AverageOps","AverageLatencyLevelNs","MedianLatencyLevelNs","MedianLatencyLevelStr","MaxLatencyLevelNs","TotalExtents","ExtentsCountArrayLength","ExtentsCountArray","Event_Group_Tag","EventGroupTag","BucketLabelsLength","BucketLabels","StreamSnapshotCreateOperationCountsBucket1","StreamSnapshotCreateOperationCountsBucket2","StreamSnapshotCreateOperationCountsBucket3","StreamSnapshotCreateOperationCountsBucket4","StreamSnapshotCreateOperationCountsBucket5","StreamSnapshotCreateOperationCountsBucket6","StreamSnapshotCreateOperatio
nCountsBucket7","StreamSnapshotCreateOperationCountsBucket8","StreamSnapshotCreateOperationCountsBucket9","StreamSnapshotCreateOperationCountsBucket10","StreamSnapshotCreateOperationCountsBucket11","StreamSnapshotCreateOperationCountsBucket12","StreamSnapshotCreateOperationCountsBucket13","StreamSnapshotCreateOperationCountsBucket14","StreamSnapshotCreateOperationCountsBucket15","StreamSnapshotCreateOperationLatencyBucket1","StreamSnapshotCreateOperationLatencyBucket2","StreamSnapshotCreateOperationLatencyBucket3","StreamSnapshotCreateOperationLatencyBucket4","StreamSnapshotCreateOperationLatencyBucket5","StreamSnapshotCreateOperationLatencyBucket6","StreamSnapshotCreateOperationLatencyBucket7","StreamSnapshotCreateOperationLatencyBucket8","StreamSnapshotCreateOperationLatencyBucket9","StreamSnapshotCreateOperationLatencyBucket10","StreamSnapshotCreateOperationLatencyBucket11","StreamSnapshotCreateOperationLatencyBucket12","StreamSnapshotCreateOperationLatencyBucket13","StreamSnapshotCreateOperationLatencyBucket14","StreamSnapshotCreateOperationLatencyBucket15","StreamSnapshotListOperationCountsBucket1","StreamSnapshotListOperationCountsBucket2","StreamSnapshotListOperationCountsBucket3","StreamSnapshotListOperationCountsBucket4","StreamSnapshotListOperationCountsBucket5","StreamSnapshotListOperationCountsBucket6","StreamSnapshotListOperationCountsBucket7","StreamSnapshotListOperationCountsBucket8","StreamSnapshotListOperationCountsBucket9","StreamSnapshotListOperationCountsBucket10","StreamSnapshotListOperationCountsBucket11","StreamSnapshotListOperationCountsBucket12","StreamSnapshotListOperationCountsBucket13","StreamSnapshotListOperationCountsBucket14","StreamSnapshotListOperationCountsBucket15","StreamSnapshotListOperationLatencyBucket1","StreamSnapshotListOperationLatencyBucket2","StreamSnapshotListOperationLatencyBucket3","StreamSnapshotListOperationLatencyBucket4","StreamSnapshotListOperationLatencyBucket5","StreamSnapshotListOperationLatencyBucket6","Stream
SnapshotListOperationLatencyBucket7","StreamSnapshotListOperationLatencyBucket8","StreamSnapshotListOperationLatencyBucket9","StreamSnapshotListOperationLatencyBucket10","StreamSnapshotListOperationLatencyBucket11","StreamSnapshotListOperationLatencyBucket12","StreamSnapshotListOperationLatencyBucket13","StreamSnapshotListOperationLatencyBucket14","StreamSnapshotListOperationLatencyBucket15","StreamSnapshotRevertOperationCountsBucket1","StreamSnapshotRevertOperationCountsBucket2","StreamSnapshotRevertOperationCountsBucket3","StreamSnapshotRevertOperationCountsBucket4","StreamSnapshotRevertOperationCountsBucket5","StreamSnapshotRevertOperationCountsBucket6","StreamSnapshotRevertOperationCountsBucket7","StreamSnapshotRevertOperationCountsBucket8","StreamSnapshotRevertOperationCountsBucket9","StreamSnapshotRevertOperationCountsBucket10","StreamSnapshotRevertOperationCountsBucket11","StreamSnapshotRevertOperationCountsBucket12","StreamSnapshotRevertOperationCountsBucket13","StreamSnapshotRevertOperationCountsBucket14","StreamSnapshotRevertOperationCountsBucket15","StreamSnapshotRevertOperationLatencyBucket1","StreamSnapshotRevertOperationLatencyBucket2","StreamSnapshotRevertOperationLatencyBucket3","StreamSnapshotRevertOperationLatencyBucket4","StreamSnapshotRevertOperationLatencyBucket5","StreamSnapshotRevertOperationLatencyBucket6","StreamSnapshotRevertOperationLatencyBucket7","StreamSnapshotRevertOperationLatencyBucket8","StreamSnapshotRevertOperationLatencyBucket9","StreamSnapshotRevertOperationLatencyBucket10","StreamSnapshotRevertOperationLatencyBucket11","StreamSnapshotRevertOperationLatencyBucket12","StreamSnapshotRevertOperationLatencyBucket13","StreamSnapshotRevertOperationLatencyBucket14","StreamSnapshotRevertOperationLatencyBucket15","StreamSnapshotQueryDeltasOperationCountsBucket1","StreamSnapshotQueryDeltasOperationCountsBucket2","StreamSnapshotQueryDeltasOperationCountsBucket3","StreamSnapshotQueryDeltasOperationCountsBucket4","StreamSnapshotQueryDeltasOp
erationCountsBucket5","StreamSnapshotQueryDeltasOperationCountsBucket6","StreamSnapshotQueryDeltasOperationCountsBucket7","StreamSnapshotQueryDeltasOperationCountsBucket8","StreamSnapshotQueryDeltasOperationCountsBucket9","StreamSnapshotQueryDeltasOperationCountsBucket10","StreamSnapshotQueryDeltasOperationCountsBucket11","StreamSnapshotQueryDeltasOperationCountsBucket12","StreamSnapshotQueryDeltasOperationCountsBucket13","StreamSnapshotQueryDeltasOperationCountsBucket14","StreamSnapshotQueryDeltasOperationCountsBucket15","StreamSnapshotQueryDeltasOperationLatencyBucket1","StreamSnapshotQueryDeltasOperationLatencyBucket2","StreamSnapshotQueryDeltasOperationLatencyBucket3","StreamSnapshotQueryDeltasOperationLatencyBucket4","StreamSnapshotQueryDeltasOperationLatencyBucket5","StreamSnapshotQueryDeltasOperationLatencyBucket6","StreamSnapshotQueryDeltasOperationLatencyBucket7","StreamSnapshotQueryDeltasOperationLatencyBucket8","StreamSnapshotQueryDeltasOperationLatencyBucket9","StreamSnapshotQueryDeltasOperationLatencyBucket10","StreamSnapshotQueryDeltasOperationLatencyBucket11","StreamSnapshotQueryDeltasOperationLatencyBucket12","StreamSnapshotQueryDeltasOperationLatencyBucket13","StreamSnapshotQueryDeltasOperationLatencyBucket14","StreamSnapshotQueryDeltasOperationLatencyBucket15","StreamSnapshotSetShadowBTreeOperationCountsBucket1","StreamSnapshotSetShadowBTreeOperationCountsBucket2","StreamSnapshotSetShadowBTreeOperationCountsBucket3","StreamSnapshotSetShadowBTreeOperationCountsBucket4","StreamSnapshotSetShadowBTreeOperationCountsBucket5","StreamSnapshotSetShadowBTreeOperationCountsBucket6","StreamSnapshotSetShadowBTreeOperationCountsBucket7","StreamSnapshotSetShadowBTreeOperationCountsBucket8","StreamSnapshotSetShadowBTreeOperationCountsBucket9","StreamSnapshotSetShadowBTreeOperationCountsBucket10","StreamSnapshotSetShadowBTreeOperationCountsBucket11","StreamSnapshotSetShadowBTreeOperationCountsBucket12","StreamSnapshotSetShadowBTreeOperationCountsBucket13","StreamS
napshotSetShadowBTreeOperationCountsBucket14","StreamSnapshotSetShadowBTreeOperationCountsBucket15","StreamSnapshotSetShadowBTreeOperationLatencyBucket1","StreamSnapshotSetShadowBTreeOperationLatencyBucket2","StreamSnapshotSetShadowBTreeOperationLatencyBucket3","StreamSnapshotSetShadowBTreeOperationLatencyBucket4","StreamSnapshotSetShadowBTreeOperationLatencyBucket5","StreamSnapshotSetShadowBTreeOperationLatencyBucket6","StreamSnapshotSetShadowBTreeOperationLatencyBucket7","StreamSnapshotSetShadowBTreeOperationLatencyBucket8","StreamSnapshotSetShadowBTreeOperationLatencyBucket9","StreamSnapshotSetShadowBTreeOperationLatencyBucket10","StreamSnapshotSetShadowBTreeOperationLatencyBucket11","StreamSnapshotSetShadowBTreeOperationLatencyBucket12","StreamSnapshotSetShadowBTreeOperationLatencyBucket13","StreamSnapshotSetShadowBTreeOperationLatencyBucket14","StreamSnapshotSetShadowBTreeOperationLatencyBucket15","StreamSnapshotClearShadowBTreeOperationCountsBucket1","StreamSnapshotClearShadowBTreeOperationCountsBucket2","StreamSnapshotClearShadowBTreeOperationCountsBucket3","StreamSnapshotClearShadowBTreeOperationCountsBucket4","StreamSnapshotClearShadowBTreeOperationCountsBucket5","StreamSnapshotClearShadowBTreeOperationCountsBucket6","StreamSnapshotClearShadowBTreeOperationCountsBucket7","StreamSnapshotClearShadowBTreeOperationCountsBucket8","StreamSnapshotClearShadowBTreeOperationCountsBucket9","StreamSnapshotClearShadowBTreeOperationCountsBucket10","StreamSnapshotClearShadowBTreeOperationCountsBucket11","StreamSnapshotClearShadowBTreeOperationCountsBucket12","StreamSnapshotClearShadowBTreeOperationCountsBucket13","StreamSnapshotClearShadowBTreeOperationCountsBucket14","StreamSnapshotClearShadowBTreeOperationCountsBucket15","StreamSnapshotClearShadowBTreeOperationLatencyBucket1","StreamSnapshotClearShadowBTreeOperationLatencyBucket2","StreamSnapshotClearShadowBTreeOperationLatencyBucket3","StreamSnapshotClearShadowBTreeOperationLatencyBucket4","StreamSnapshotClearShadowBTr
eeOperationLatencyBucket5","StreamSnapshotClearShadowBTreeOperationLatencyBucket6","StreamSnapshotClearShadowBTreeOperationLatencyBucket7","StreamSnapshotClearShadowBTreeOperationLatencyBucket8","StreamSnapshotClearShadowBTreeOperationLatencyBucket9","StreamSnapshotClearShadowBTreeOperationLatencyBucket10","StreamSnapshotClearShadowBTreeOperationLatencyBucket11","StreamSnapshotClearShadowBTreeOperationLatencyBucket12","StreamSnapshotClearShadowBTreeOperationLatencyBucket13","StreamSnapshotClearShadowBTreeOperationLatencyBucket14","StreamSnapshotClearShadowBTreeOperationLatencyBucket15","Connection_name","Connection_URL","FeedURL","ErrorCodeAdditional","ms_heartbeats_sent","data_packet_last_sent","ms_heartbeat_last_sent","TimestampMs","NumHeartbeats","LastDataPacketMs","LastHeartbeatMs","NumMonitors","SubjectPointer","ObjectPointer","DataPointer","ProcNum","NetworkAddress","TypeMgrUuid","Max Calls","SDSize","SD","MaxCalls","PendingQueueSize","EndpointFlags","NicFlags","capture_time","WinRTCaptureEngine","CaptureTime","obj","statusCode","statusDescription","pending_Winsock_requests","data_available","runtimeClass","pendingOperations","winsockPendingOperations","winsockDataAvailable","contains_fatal_certificate_errors","intermediate_certificate_count","certificateThumbprint","hasFatalError","errorCount","errorList","intermediateCertificatesCount","intermediateCertificatesList","functionName","lineNumber","Current_network_cost_Internet_available","Roaming","Over_data_limit","Data_limit_MB","Used_MB","IsInternetAvailable","CostType","IsRoaming","IsOverDataLimit","DataLimitMegabytes","UsedMegabytes","Remaining_bytes","Transfer_Speed_bytessec","ETA_sec","ElapsedTimeInSeconds","TotalBytesRemaining","TransferSpeedInBytesPerSeconds","EtaInSeconds","SD_Host_Physical_Address","Events_masked","SDHostPhysicalAddress","EventMask","PoFx_Device_Handle","PState_Requested","PState_Request_Count","PoFxDeviceHandle","PStateRequested","PStateRequestCount","PState_Completed","PState_Compl
etion_Count","PStateCompleted","PStateCompletionCount","PState_Active_Percentage","PState_Active_Duration","PState_Sample_Duration","PState_Current_Frequency","PState_Requested_Frequency","PStateActivePercent","PStateActiveDuration","PStateSampleDuration","PStateCurrentFrequency","PStateRequestedFrequency","SecuritySettings","CAName","vSwitch ID","SourcevSwitchPort","DestinationvSwitchPort","vSwitchID","FatalCode","elapse","TimeSpent","SPN","ServerPort","ServerVdir","Proxy","ProxyBypass","Supported_Schemes","First_Scheme","Initialized","DomainAndUserName","ProxyEpoch","SupportedSchemes","FirstScheme","DigestCredInitialized","DigestCredDomainAndUserName","DigestCredEpoch","BasicCredInitialized","BasicCredDomainAndUserName","BasicCredEpoch","TargetDomain","DesiredFlags","CacheFlags","DomainController","Client_Time","Server_Time","Extended_Error","Client_Realm","Server_Realm","Server_Name","Error_Text","LogonSession","ClientTime","ServerTime","ExtendedError","ClientRealm","ServerRealm","FailureTime","StackHash","Binary_path","Redirection_Type","Operation_Path","Impersonating","RedirectionType","OperationPathLength","OperationPath","Module1","Module1Offset","Module2","Module2Offset","Module3","Module3Offset","Module4","Module4Offset","Module5","Module5Offset","Module6","Module6Offset","Module7","Module7Offset","Module8","Module8Offset","Module9","Module9Offset","Module10","Module10Offset","Module11","Module11Offset","Module12","Module12Offset","Module13","Module13Offset","Module14","Module14Offset","Module15","Module15Offset","Module16","Module16Offset","AccountDomain","Method_name","Method_opnum","Client_address","Client_identity","MethodOpnum","ClientAddress","ClientSid","with_provider","providerName","message1","currentRoleId","releaseType","initialPackageStateLoc","initialPackageState","packageStateLoc","packageState","packageAssembly","supportInformation","operation","operationCompleted","rebootOption","missingElements","Experience","CXID","InstanceNameLength","Por
tSelectionOrigin","ConnectionIdSize","ClientCertSha1HashSize","ClientCertSha1Hash","TreeId","SigningUsed","EncryptionUsed","RegName","RegValue","ShareNameLength","ObjectNameLength","EventData.ChangeType","EventData.NetNameLength","EventData.NetName","EventData.Flags","EventData.Capability","EventData.LinkSpeed","NetNameLength","NetName","LinkSpeed","ClientAddressLength","EventData.ConfiguredLmCompatibilityLevel","EventData.DefaultLmCompatibilityLevel","ConfiguredLmCompatibilityLevel","DefaultLmCompatibilityLevel","AttemptedPath","SrpRuleGuid","RulePath","Field","Ids","IrpStatus","TransferByteCount","NvCachePriority","PagingPriority","Threshold_ms","AddressFamily","Pid","Tcb","RexmitCount","ISN","RcvWnd","RcvWndScale","CompartmentId","Compartment","Injected","Inspect","SndNxt","TimerType","WaitTimeMilliseconds","LastInterruptTime","LastMicroseconds","CachedKQPCValues","CachedFrequencyValues","NumBytes","SeqNo","NumPkt","SndUna","SndMax","NBL","TimerValue","BytesToSend","SendAvailable","Cwnd","MaxSndWnd","OptionType","SoOptionType","BytesInSegment","BytesRemaining","Delivery","RequestFlags","IsUrgentDelivery","FullySatisfiedORDelayedPush","RcvNxt","ActivityID","SndLimBytesSnd","SndLimBytesRwin","SndLimBytesCwnd","CWnd","SRtt","LossRecoveryEpisodes","RtoEpisodes","PtoEpisodes","SeqNum","Tick","RttSample","NewSrtt","NumMessages","LocalSockAddrLength","LocalSockAddr","RemoteSockAddrLength","RemoteSockAddr","PortAcquirer","WeakReference","OriginalAcquirer","IsSack","CurrLinkSpeed","IPv4 Address","IpAddrLength","IPv6 Address","PhysicalMediumType","OldLinkSpeed","NetworkCategory","InternetConnectivityStatus","IsolationId","IPv4Address","IPv6Address","NlMtu","ForwardingTag","Nbl","IPTransportProtocol","Source IPv4 Address","Dest IPv4 Address","IPv6SourceIpAddrLength","IPv6 Source Address","IPv6DestIpAddrLength","IPv6 Dest 
Address","NblCount","DestIPv4Address","IPv6SourceAddress","IPv6DestAddress","PacketCount","SourceAddressLength","DestAddressLength","PathDirection","TemplateType","CoalescedSegCount","DupAckCount","RscTcpTimestampDelta","HeaderFlags","EcnCePresent","OldCwnd","NewCwnd","CurrentTick","IdleTick","Rto","AdapterIndex","HashInfo","MaximumProcessors","GroupNumber","GroupAffinity","ActiveAffinity","ActiveMode","IndirectionTable","SendTrackerEnabled","RcvBufSet","Indicating Processor","Target Processor","Current Tick","Next Expiration Tick","Old Scheduled Expiration","New Scheduled Expiration","Due Time","Aperiodic","IndicatingProcessor","TargetProcessor","NextExpirationTick","DueTime","Next Expiration","Current Interrupt Time","Scheduled Expiration Time","External Trigger","NextExpiration","ExternalTrigger","IP Address","DlAddrLength","DL Address","Old Neighbor State","New Neighbor State","Neighbor Event","IPAddress","DLAddress","OldNeighborState","NewNeighborState","NeighborEvent","Source IP Address","Target IP Address","SourceIPAddress","TargetIPAddress","Preferred Source IP Address","Preferred Destination IP Address","Non-Preferred Source IP Address","Non-Preferred Destination IP Address","Sort Option","Rule Type","Rule Major","Rule 
Minor","PreferredSourceIPAddress","PreferredDestinationIPAddress","NonPreferredSourceIPAddress","NonPreferredDestinationIPAddress","SortOption","RuleMajor","RuleMinor","SndWnd","BytesAcked","RttVar","RTO","PacingRate","TcpState","CongestionState","RecoveryMax","MaxRcvBuf","SRTT","SSThresh","Frto","TotalRT","MaxRT","ConstrainSourceAddress","ConstrainInterfaceIndex","ConstraintOverridden","ReturnConstrained","OutgoingInterfaceIndex","ConstrainForwardingTag","SelectedSourceAddress","HighMemoryEvent","HighNonPagedPoolEvent","LowMemoryEvent","LowNonPagedPoolEvent","TailProbeSeq","TailProbeLast","ControlsToSend","ThFlags","TlpEvent","RackEvent","RackMinRtt","RackReoWind","RackTimeSlotDeltaMin","SequenceNumber","SackIsLostSeq","IcmpType","IcmpCode","InRecovery","TimeSinceLastLossMS","CubicCwnd","AimdCwnd","K","Wmax","LastWmax","IsLimitedSlowStart","CwrMax","DestinationPrefixAddressLength","DestinationPrefix","DestinationPrefixLength","Age","ValidLifetime","PreferredLifetime","InspectHandle","InspectType","InspectAction","InspectPort","DestinationAddrLength","ConstrainSourceAddrLength","ConstraintFlags","TransportProtocol","NumEntries","Hour","Minute","Second","SegmentSize","HwDatagrams","HwSegments","SwSegments","SubMssSegments","SocketOptionLevel","SocketOptionValue","TcpRscDisabledMask","UdpUroDisabledMask","FlicCode","NtStatus","Neighbor State","LastReachableInMs","IsUnreachable","NeighborState","SackedBytes","LossDetected","DeltaTicks","Ack","SLE","SRE","NumSackBlocks","DSackCount","NewSackInfo","NewSackedBytes","AckNo","Start","End","Timestamps","EverRetransmitted","BytesInFlight","NoNewTransmitCreated","InFlightCount","OriginalListener","RedirectedListener","Succeeded","Redirected","CodePath","SockAddrLength","RedirectSockAddr","StateTransitionName","TraceMessage","ClientMode","AvcEnabled","StateName","EventXML.TargetSession","EventXML.Source","TargetSession","EventXML.ListenerName","EventXML.Class","ListenerName","Class","Time 
Zone","TimeZone","BytesUploadedSoFar","BytesAllowed","PercentageUsed","NewTier","OldTier","OldLevel","NewLevel","ServerMessage","JoinRequestType","JoinRequestTypeSymbolicName","AuthToken","ServerResponse","ActivityId","Format","AuthMethod","Turn","VhdMetaOps","TargetVhdFileName","SnapshotCount","CountDeleted","CountVisible","SnapshotGuid","Deleted","Visible","CommitTime","LargeReadCount","SmallReadCount","TableDataBytes","TotalBytesRead","RemoteRpcRequestLength","RemoteRpcRequest","RemoteRpcResponseLength","RemoteRpcResponse","ExceptionCode","CrashTimeFromStart","SuspectedDriver","MainModeLocalAddressLength","MainModeLocalAddress","MainModePeerAddressLength","MainModePeerAddress","KeyingModule","SaLuid","ICookie","RCookie","Endpoint1Ports","Endpoint2Ports","LocalTunnelEndpointV4","LocalTunnelEndpointV6","RemoteTunnelEndpointV4","RemoteTunnelEndpointV6","Phase1AuthSetId","Phase2AuthSetId","Phase2CryptoSetId","Endpoint1","Endpoint2","MMParentRuleId","IsDTM","ApplyAuthZ","BypassTunnelIfEncrypted","NoIPSecOnOutbound","SetId","SetName","CryptoSetFlags","NumSuites","SuitesBinaryLength","CryptoSuites","TimeOutMinutes","TimeOutSessions","Pfs","IPsec Phase","AuthSetFlags","AuthenticationSuites","IPsecPhase","StoreType","SAIdleTime","PresharedKeyEncoding","IPSecExempt","CrlCheck","IPSecThroughNAT","PolicyVersionSupported","BinaryVersionSupported","DisableStatefulFTP","EnableAuditMode","OpMode","DisableStealthMode","BlockAllInbound","DisableUnicastResponseToMultiCastBroadCast","LogDroppedPackets","LogSuccessfulConnections","LogIgnoredRules","DisableInboundNotifications","AllowUserPrefMergeForApps","AllowUserPrefMergeForGlobalPorts","AllowLocalPolicyMerge","AllowIPSecPolicyMerge","DefaultOutboundAction","DefaultInboundAction","RemoteAdministrationEnabled","MaxLogFileSize","LogFilePath","DisabledInterfacesSize","DisabledInterfaces","DisableStealthModeIPsecSecuredPacketExemption","GP Configured Domain Subnets","All DA Nat64 Domain 
Subnets","AllDomainProxies","GPConfiguredDomainSubnets","AllDANat64DomainSubnets","GPIsAuthoritative","DetectFlags","WPADNetworkDecision","NetworkCount","UniqueId","EtwQueueActionType","PayloadByteLength","transport","address","errorcode","errordetail","pluginName","EnterExit","SocketType","BufferCount","Buffer","BufferLength","AddressLen","AcceptEndpoint","CurrentBacklog","Option","NodeName","CancelHandle","ProviderGUID","ServiceGUID","ControlFlags","LookupHandle","RefCount","VetoAppEvent.AppName","VetoAppEvent.ResponseTime","ResponseTime","Operation_New.CorrelationId","Operation_New.GroupOperationId","Operation_New.OperationId","Operation_New.Operation","Operation_New.ClientMachine","Operation_New.ClientMachineFQDN","Operation_New.User","Operation_New.ClientProcessId","Operation_New.ClientProcessCreationTime","Operation_New.NamespaceName","Operation_New.IsLocal","CorrelationId","GroupOperationId","ClientMachine","ClientMachineFQDN","ClientProcessCreationTime","NamespaceName","IsLocal","Operation_Provider_Info_New.GroupOperationId","Operation_Provider_Info_New.Operation","Operation_Provider_Info_New.HostId","Operation_Provider_Info_New.ProviderName","Operation_Provider_Info_New.ProviderGuid","Operation_Provider_Info_New.Path","HostId","Operation_Stop_New.OperationId","Operation_Stop_New.ResultCode","Operation_Provider_Result.OperationId","Operation_Provider_Result.Operation","Operation_Provider_Result.ErrorId","Operation_Provider_Result.Message","ErrorId","Operation_Client.CorrelationId","Operation_Client.ProcessId","Operation_Client.Protocol","Operation_Client.Operation","Operation_Client.User","Operation_Client.Namespace","Operation_RepDelete.OperationID","Operation_RepDelete.Operation","OperationID","Operation_RepUpdate.OperationID","Operation_RepUpdate.Operation","Operation_RepUpdate.Flags","MethodExec.CorrelationId","MethodExec.GroupOperationId","MethodExec.OperationId","MethodExec.ClassName","MethodExec.MethodName","MethodExec.ImplementationClass","MethodExec
.ClientMachine","MethodExec.ClientMachineFQDN","MethodExec.User","MethodExec.ClientProcessId","MethodExec.ClientProcessCreationTime","MethodExec.NamespaceName","MethodExec.IsLocal","ImplementationClass","UpdateTitle","OCSPResponderURL","ThisUpdate","SPID","Version_number","Previous_SRS_name","SRS_Name","Note_contents","Previous_Group","Duration_Time","SRS_Path","SRC_Name","SRC_Path","File_Path","Session_name","Product_Name","Mounted_Product_Name","Mounted_Manufacturer","Serial_Numver","Vendor_ID","Product_ID","Class_Type","Mounted_Class_Type","SubClass_Type","Mounted_SubClass_Type","Mounted_Protocol","Device_Version","USB_Version","Version_Number","Terminal_Session_ID","RMM_ID","Previous_SRS_Name","NTSTATUS","SourceFileID","Data_20","Data_21","Data_22","Data_23","Data_24","Data_25","Data_26","Data_27","Data_28","Data_29","AdditionalFields","InitiatingProcessFileName","InitiatingProcessCommandLine","FolderPath","SHA256","FileSize","InitiatingProcessAccountName","RemoteIP","IsLocalAdmin","RemoteUrl","SHA1","MD5","InitiatingProcessFolderPath","InitiatingProcessSHA256","InitiatingProcessAccountDomain","InitiatingProcessParentFileName","RegistryKey","RegistryValueName","RegistryValueType","RegistryValueData","PreviousRegistryValueData","Program","Scan Time","Threat Resource Path","pdod","ipgd","GoodClient","PageReuse","Doc Kind","cpFirst","cpLim","itap","cp","GivenCp","ParaClient","FormatLineCaller","FormatLineCallerOldestAncestor","panic","cp (approx.)","abdk","cpLimIfAcex","pmwd","pwwd","hwnd","View Type","Pct Zoom","RM View","rcwDisp.xp","rcwDisp.yp","rcwDisp.dxp","rcwDisp.dyp","Layer Handle","Texture Handle","rcePage.xe","rcePage.ye","rcePage.dxe","rcePage.dye","tag","xsz","drk","drc.xp","drc.yp","drc.dxp","drc.dyp","First Loop Char","SqmDocId","DocumentId","ccp","Evt Mntr Name","InInsertLoop","fEnd","UpdateWwd","wm","Wwd Update Duration (msec)","Chunking Update Threshold (msec)","Wwd Update Delay (msec)","Time since last wwd update 
(msec)","fDirty","fInTable","fTxbx","fGEPresent","drselk","grfdrdo","cTxbx","drkx","DmsecInIdle","fSuccess","fCancelledByUser","Content info","extension","fIsRetryOpenViaBcs","pdodMain","Ideal Pixel Count","Bounding Box Pixel Count","ElapsedTimeMicroseconds","TagCaller","pdodSrc0","pdodSrc1","pdodBase","cpMac0","cpMac1","cpMacBase","grfdc","cmdRet","fConflict","fTwoWayMerge","Autofit0Microseconds","Autofit1Microseconds","AutofitBaseMicroseconds","pdodSrc","pdodClone","fBackground","SQMDocID","recurseCount","SaveActionId","ftyp","fSaveAs","SqmDocLocation","AuthorsCount","fMultipleAuthors","fCoAuthorable","fMergeRequired","saveDwTag","saveInitiateKind","rtcEnabledState","alwaysSaveEnabledState","BkgSaveDisallowReason","AlwaysSaveDisableReason","eid","EditToSaveTimeMicroseconds","FirstEditId","EdpiType","CurrentEditId","RtcBrkEditToSaveTimeMicroseconds","FirstRtcBrkEditId","CurrentRtcBrkEditId","IdleDelayedAutoSaveTimeMicroseconds","AutoSaveIdleToSaveTimeMicroseconds","AutoSaveIdleDurationTimeMicroseconds","AutoSaveIdleCooldownTimeMicroseconds","Pdod","FCoAuthorable","DusecFirstEditToSaveInit","DusecFirstRtcBrkEditToSaveInit","CsiErrorCode","DynamicSaveAdjustedReason","ThreadName","SuspensionID","fpInitialTimeAvailableMilliseconds","fIsDocOpen","pdodCurrent","fIsDocDirty","fIsSaveInProgress","fpTimeRemainingMilliseconds","fpElapsedTimeMilliseconds","dataLossType","ETW_TrackbackTag","device id","layer name","layer id","airspace layer handle","bootQuit 
state","Details1","Details2","fSaveDuringSuspendOrClose","cIntervals","Bucket1-Min-Msec","Bucket2-Min-Msec","Bucket3-Min-Msec","Bucket4-Min-Msec","Bucket5-Min-Msec","Bucket6-Min-Msec","Bucket7-Min-Msec","Bucket8-Min-Msec","Bucket9-Min-Msec","Bucket10-Min-Msec","Bucket1-Count","Bucket2-Count","Bucket3-Count","Bucket4-Count","Bucket5-Count","Bucket6-Count","Bucket7-Count","Bucket8-Count","Bucket9-Count","Bucket10-Count","TopUnresponsiveDuration1-Msec","TopUnresponsiveDuration2-Msec","TopUnresponsiveDuration3-Msec","TopUnresponsiveDuration4-Msec","TopUnresponsiveDuration5-Msec","fOnBackgroundThread","MillisecondsSuspended","cmvBeforeUpgrade","cmvToUpgrade","upgradeCmdStatus","ReportID","IdleCoreTime","ActiveTime","DeepSleepTime","Bucket-0-50-Count","Bucket-50-100-Count","Bucket-100-150-Count","Bucket-150-200-Count","Bucket-200-350-Count","Bucket-350-500-Count","Bucket-500-1000-Count","Bucket-1000-2000-Count","Bucket-2000-5000-Count","Bucket-5000-Max-Count","IdleTaskName","fRtcGroupIdle","IdleTimeForTask","MsgPresentCount","fn","Ext","pioldoc","Caller","fAutosaveDoc","fFnStrmWrapped","dof","dof2","currentScopeId","parentScopeId","Failed","Canceled","diReason","FtypExt","sdv","nFib","QueueStatus","fInCoherencyRetry","lserr","dk","fGoodClientDoc","wk","fWwdLayout","fWwdVBA","sqmDocID","fserr","fInterrupt","Old View Type","New View Type","pmwdOld","pwwdOld","Old Wwd View Type","pmwdNew","pwwdNew","New Wwd View Type","Wwd View Type","x Scroll","y Scroll","Canvas Width","Canvas Height","mbit","Tag","Allowed","ReasonInt","ContextTag","E1oType","E2oType","fAccessibilityRunning","wkWwd","cpStart","cpEnd","iTap","facekind","faceLeft","faceTop","faceRight","faceBottom","layerHandle","tE2oSelected","fVisible","cChildren","fHitTestChildrenOnly","fPinToScreen","fIgnoreFace","ptX","ptY","fZoomMatches","dxeScroll","dyeScroll","tapLeft","tapTop","tapRight","tapBottom","usec","iPagesTested","iFacesTested","cChildrenTree","cChildrenHitPage","Interrupt","Count of 
Intervals","Bucket-0-500-Count","Bucket-5000-10000-Count","Bucket-10000-20000-Count","Bucket-20000-50000-Count","Bucket-50000-100000-Count","Bucket-100000-300000-Count","Bucket-300000-Max-Count","E2oTotalCount","E2oChartCount","E2oSmartArtCount","E2oPictureCount","E2oGroupCount","E2oTextBoxCount","E2oOLECount","E2oOthersCount","E1oTotalCount","E1oPictureCount","E1oGroupCount","E1oTextBoxCount","E1oOthersCount","FootNotesCount","EndNotesCount","CommentsCount","EvalFunc","Rule","editorsCount","Issue","CorruptionReason","SectionsCount","E2oIvyChartCount","Current Section","HeaderFooter Type","Has PAGE Field","Has NUMPAGES Field","Has Lego","PN Start On","PN Format","dxaLeftBefore","dxaRightBefore","dyaTopBefore","dyaBottomBefore","dzaGutterBefore","dxaLeftAfter","dxaRightAfter","dyaTopAfter","dyaBottomAfter","dzaGutterAfter","dmPaperBefore","dmPaperAfter","iColumnPresetBefore","iColumnPresetAfter","FormatLineCallerStack","fStart","csiErrorCode","rtcState","MergeAllowed","NoMergeReason","reason","cSavesToMonitorForMovingAvg","MovingAvgThreshold","SaveSpike","SaveSpikeElapsedTimeThreshold","cGoodSavesToMonitor","GoodSaveTimeThreshold","fDeepSleep","TimeSinceLastInput-Msec","cMouse","cTouch","cKeyboard","cIME","cCommand","cZoom","cScroll","cDM","cPen","FailureType","cbGzipUncompressed","OpenId","nFibCurr","StreamName","StreamSizeBytes","fIsOCSB","IndexIntoFibshared","Cb","PercentOfTblStream","SaveInitiateTag","SaveInitiateKind","SaveAs","BkgndSaveLaunch","FailureRetry","HrCommitFileIO","SaveOpResult","ContinueIdleReturn","CancellationReason","crsidBase","crsid0","crsid1","fBaseOver0","fBaseOver1","itcrr","citcrr","fit","pct","wkViewKind","fNoMargPgvw","fAlwaysSaveEnabled","edpiType","fTouch","fIme","msecUserInteractionTime","fTrackChanges","pageCountBucket","fPageCountInProgress","wordCountBucket","lineCountBucket","paraCount","charCountBucket","charWsCountBucket","rsidCount","lidEditMru","szEditLids","fIsRetryOpen","OriginalEncoding","ChangedEncoding","HROptional","CodeP
age","Confidence","dusecInterval","xszName","fResume","fPause","dusecTaskInterval","fMsgPresent","dusecMsg","m_cInBatch","insloopID","docKind","stateFrom","stateTo","WM","fDefaultViewSetting","fViewStateSavingLogicUsed","pcoa","OptedIn","AutoSaveState","AutoCreateEventHandler","idReturn","AutorecoveryConfiguration","AutorecoveryInterval","fDelayUpdateWwdToEndInsert","fFallback","saveActionId","cmd","saveActionIdOrig","fSaveAsAttempted","fEmergencySave","fBsiIsFirst","pbsi","DocumentSessionId","AutoSaveActive","RtcActive","AutoSaveEnabled","RtcEnablementState","FlowEnabled","AutoSaveDisallowReason","AutoSaveBlockingReason","CsiStatusOk","UserWantsAutoSave","GroupPolicyPermitsAutoSave","UpdateFlowDisabledReason","FEnableAutosaveWin32ODSP","TAppWndProcCloseReturn","fInFreezeDryClose","fInForceEndSession","ForegroundSave","dmsecLastRenderedSinceEpoch","dmsecLastCharacterTurnAround","pdim","fEquation","fTable","selcurCpFirst","selcurCpLim","caParaCpFirst","caParaCpLim","m_cpInsert","drkx_drck","pdodDk","fMtxi","wkHwwd","dpiSys","dpiPerMonitor","fAlreadySeen","pIPersisterTrans","saveActionGuid","dwSrcTag","pDod","runTime","aggType","fCompatCheckSuccess","dypViewport","dypCard","pctRatioCardToViewport","formatDesc","fIsEjectable","fIsReadOnly","fIsEncrypted","fIsDirectory","fIsSymbolicLink","fileSaveType","picCount","tocCount","fBibliography","pageNumberFieldCount","citationCount","chartCount","ivyChartCount","bkmkRefCount","fHeader","fUserHasEdited","heading1Count","heading2Count","heading3Count","smartArtCount","heading1Length","heading2Length","heading3Length","piErrorOut","fPidim0","fPidim1","fPidimB","fPidim0A","fPidim1A","fPidimBA","did0BEns","did1BEns","didBBEns","did0AEns","did1AEns","didBAEns","did0AAgr","did1AAgr","didBAAgr","fObjIn0","fObjIn1","fObjInB","fVclok","fBAncestOf0","fBAncestOf1","dirulEval","lidKbd","lidInstall","fPrintMet","expectedJpnEraYear","actualJpnEraYear","gregorianYear","FRet","CersBefore","CersAfter","Cerdr","Cerwr","Cerfr","FSuccess","fMerg
eExecuted","fIgnore","fBeginBatchDone","fAttachKposDone","fRevertDone","fDoDestroy","usecExecTime","fEndBatchDone","fInvokeKposDone","fReplayDone","fSubDocDeleted","usecCreateTime","usecDestroyTime","usecNextSaveTime","usecMostRecentSaveEvent","m_dusecDynamicSaveCooldownInterval","usecNow","m_grfdysgLastAdjustedReason","fOcsMode","m_dusecDefaultSaveCooldownInterval","fDidSave","fDidAutosave","sqmDocId","sqmDocLocation","PersisterType","fIsMerge","GuidFileId","EditToUploadTimeMicroseconds","RtcBrkEditToUploadTimeMicroseconds","fRtcEnabled","fAutoSaveEnabled","result","fChoose0","fComparedWithBase","dmsecSinceLastScheduleLoad","fPendingLoad","IsSubscribed","iCmdDoDiffTag","ITap","TMI","fCancelDel","itc","fMarkIns","fMarkDel","parid0CpCell","parid","isGroup","ContentElement","CoauthUserAction","EditToSaveTime","scenarioType","fIsAlwaysSave","IStm","AuthorCount","pIOTransaction","iotType","iotFinalState","fMergeSucceeded","fLoad","fCoroutineLoadDone","fCoroutineSaveDone","fDelayedLoadOnCoroutine","persisterTransactionType","persisterType","strMeasurement","fDocmCoauthEnabled","coauthDisableReason","exclusiveLockReason","pcoctxt","parid0OfCpFirst","parid0OfCpLast","parid1OfCpFirst","parid1OfCpLast","pcob","fChangeIn0","fChangeIn1","fInserted0","fInserted1","fDeleted0","fDeleted1","fDeletedPara0","fDeletedPara1","dcpChange0","dcpChange1","fConflictVisible","cpFirst1","cpLim1","cpLim0ForChange0","cpLim0ForChange1","parid0ForChange0","parid0ForChange1","dcpConflict","cEntriesInResolvePane","cxchPara0","elapsedTimeMicroseconds","fChangeInLocalDoc","dcpChange","iotStatePrev","iotStateNext","fReadOnly","guidSqmDocId","cpMac","fAutoSaveOff","fUserRequestedSave","pioldocOther","iolcmd","iolcmdPrev","dwCallsite","fOnMainThread","fValidThread","hrBeginCmd","hrMisc","hrRecordEvent","iotState","fFocusLost","lcrTransitionIn","BrickTransitionType","BrickSaveResult","MainThread","NumFontsInTable","FontNameRequested","CharSetRequested","FTCResolved","FontNameResolved","CharSetResolved",
"FTCResolvedFrom","FontName","CharSet","CpMacPdod","Lid","Style","Fticm","NameFromLogfont","FaceNameLoaded","FontSize","FontNameAscii","FontNameFE","FontNameOther","FontNameBi","FontSizeAscii","FontSizeBi","CharacterCount","WordCount","EmbedLicenseType","ErrorKind","GetLastError","logId","lid","correlationId","kmcHandled","correlationIdStart","correlationIdEnd","messagePostDelayMs","fAlwaysSaveEnabledAndOn","fWetChangesInDocument","fDuringOrAfterRecentAutoSave","fInOcsMode","dmsecTypingTime","dmsecMessagePostDelay","dmsecTypedChar","dmsecAirspaceRender","DocKind","SrcDocKind","fInWPM","fChunking","fUIMCharacter","fShaping","fAcetate","fAbdkRMAtn","softKeyboardIsLocked","touchX","touchY","grippyX","grippyY","distance","newTouchX","newTouchY","CP","Double Tap","Nested Level (itap)","Max Rows","Max Columns","Valid Row","PointerId","CanDM","UITEH","Gesture","InteractionState","PointX","PointY","DeltaX","DeltaY","InputType","teh","uiteh","segid","iseg","dcpRelative","dcpSegmentStart","dcpSegmentEnd","dcpShift","m_ptct","m_sppts","m_sppts.bstrText","m_spptcc","m_spptcc.segid","m_spptcc.iseg","m_spptcc.dcpRelative","m_spptcc.dcpSegmentStart","m_spptcc.dcpSegmentEnd","m_spptcc.dcpShift","ulRelativeOffset","lShift","ulSegmentStart","ulSegmentEnd","fClearCache","bstrText","spSegment.segid","spSegment.iseg","spSegment.dcpRelative","spSegment.dcpSegmentStart","spSegment.dcpSegmentEnd","spSegment.dcpShift","m_vecsegmentSize","index","ullBmkId","cpBmkStart","cpBmkEnd","ibkf","tempUullSegmentId","ullSegmentId","timeSpent","loopIterations","context","InfoString","ErrIdOptional","InfoOptDeci","InfoOptHex","VoidPtr","InfoOptional1","InfoOptional2","InfoOptional3","InfoOptional4","ReRegisterSucceeded","NumDocs","Virtual desktop 
GUID","pidim","fMother","docParidsStateOpen","docParidsStateEnsureParids","pcaso","fIsInCsiTransactedStreamMode","fIsSaveAs","fSourceIsServer","fTargetIsServer","fListenerRegistrationFailed","fDocumentContentWasNull","persisterTypeReplaced","persisterTypeConstructed","dwTagCaller","previousSupportedLocations","newSupportedLocations","ac","fAutosaveActiveAfterFailure","csierrOnRetry","fOnFreeRunningThread","dwtag","dwtagLast","dullDirtyToolbarsMs","fToolbarsDirty","JsonData","previousDisableTempFileLocations","newDisableTempFileLocations","TrackbackTag","SamplingPolicy","DiagnosticLevel","DataCategories","AggregationMode","LogEventResultEndState","ResultType","IsExpected","DataPayloadTarget","DataClassification","sel","Old Selection Kind","Old cpFirst","Old cpLim","Old fDiscontiguous","Intended cpFirst","Intended cpLim","grfsel","New Selection Kind","New cpFirst","New cpLim","New fDiscontiguous","fInOptimizedPass","rcw.xp","rcw.yp","rcw.dxp","rcw.dyp","Old pdod","New pdod","Selection Kind","DR cpFirst","DR cpLim","Original xwLeft","Original xwRight","Original ywTop","Original ywBottom","Updated xwLeft","Updated xwRight","Updated ywTop","Updated ywBottom","Cmd Name","FCI","TCID","grfcco","grfaux","kcm","kcm2","Chained","Macro Active","Live Preview","Orig pdod","Orig Doc Kind","Orig pmwd","Orig wwd","Orig View Type","SEL pdod","SEL Doc Kind","SEL cpFirst","SEL cpLim","SEL pmwd","SEL wwd","SEL View Type","Original pdodMain","Cmd Return","Dlg Type","Dlg ID","Layout Type","Wwd","Natural stop page","x Natural stop point","m_xeDmBegin","xeMid","Viewport left","Viewport right","Corrected page","dxpInertiaStrength","Current xPos","Snap point","xScrollerContext","yScrollerContext","dxMoved","dyMoved","Current point","Left Bounds","Right Bounds","Correction point","From Keyboard","grfoff1","grfoff2","grfoff3","grfon1","grfon2","grfon3","Dirty calls before update","Updates already in progress","Dirty calls during update","Updates scheduled during update","Updates still in 
progress","idTag","depth","cursorSaverOn","fAll","UserAction","fViewportMovesRight","cPagesMoved","cPagesInViewport","Interval","Point 1","Point 2","Point 3","Point 4","Point 5","E1o info","Square Pixels of Missing Page","Square Pixels of Missing DR content","Square Pixels of Viewport","Square Pixels Scrolled","Start Time (msec)","End Time (msec)","Duration (msec)","Sliver Count (pixel height or width 1)","Total Count","Threshold time (msec)","Threshold count","Dxw Max","Dyw Max","PtlType","IsNextError","updateCnt","Sel.cpFirst","Sel.cpLim","ViewType","UsedFmt","AvailFmts","AvailFmtsCount","PasteType","SourceUrlHash","SourceLocationType","SourceApp","ContentType","responsivenessType","timeoutLength","IsDocDirty","FuncName","Dusec","fAborted","sti","stiBase","istd","istdBase","Linked","E2oId","PrevTextWrapping","NewTextWrapping","SqmDocID","izSource","instance","objectType","toggleToState","scale","zoom","windowWidth","windowHeight","secondLevel","objectFitKind","availSpaceWidth","availSpaceHeight","fSinglePage","PageTurnSuccess","apiName","ReadModeFontSizePCT","hwwd.pdod","cpok","taxc.IMac","rcwAnchor.xp","rcwAnchor.yp","rcwAnchor.dxp","rcwAnchor.dyp","fForcefullySingleThreaded","cplr","fDocsPaneUX","ItemType","tplc","iCat","nfc","iApplyTo","textPatternCount","textRangePatternCount","fUndo","cActions","fucr","fRet","CommandArgument","UndoType","fChained","fChainStart","fInLiveDrag","fSwapConsidered","fSavedByAllowSwapStyles","cUndoCmdsBlown","cRedoCmdsBlown","cCmdsUsk","fTrackChangesNewState","stateToggledByFCI","fTrackChangesOn","OpenInRM","moveDistance","moveTime","maxDistance1","maxDistanceTime1","maxDistance2","maxDistanceTime2","maxDistance3","maxDistanceTime3","maxTime1","maxTimeDistance1","maxTime2","maxTimeDistance2","maxTime3","maxTimeDistance3","dxpApp","dypApp","rclwApp","pctFontApp","dxpPageContentApp","cpReq","fFoundPiece","fBinaryPiece","fInBulletProofer","fSafeFetch","fCoauthEdit","cPaxuadSlots","cPaxuadSlotsUsed","cPaxuadSlotsUnused","dcp","RMRR","Zo
omScrollCause","flt","fcr","cTasks","cExecutedTasks","fPass","AttachmentIndex","CID","fReuse","pctFontUI","pctApp","pctUI","vcLcidEdit","vfFlavourT","lidUITemp","lidOS","lidDefault","lidPolicy","cpgUI","cpgOS","chsOS","fOsrc","autoSwitchedByFCI","LevelPrev","LevelCur","UsageCur","LimitCur","LimitPrev","UsagePrev","PartCount","ChromeOnly","PartId","SdtId","SdtContentId","UseBackgroundLoad","ReplacePart","PlainText","Reset","SDTType","IsPlainText","NumberAttachments","StreamCount","AttachmentCount","Success","ParaCP","IsReadOnly","IsHeader","HeaderXValue","HeaderYValue","OutputType","UseBackgroundLoading","Encoding","IsvpdodGlobalDot","fDefaultViewWebScaling","MsForHitTesting","CountOfWindowlessNetUI","fProtected","fEmptyIdentity","obi","ioid","dispid","Invoke","MethodPropName","RevokedSession","fThinAutoCorrectArrowType","In DM","In VM","unknownUnsupported","cssTableBackgroundImage","cssASpanPaddingBottom","cssASpanMarginBottom","cssDivASpanDimensions","cssPosition","htmlTableBackgroundImage","htmlForm","tableHeaderOrFooter","tableWiderThan61Cols","tableColspan","tableCaption","id","Dismissal Reason","cAtm","msecTimeTaken","tInterrupted","AllowAutoRM","Old Pct Zoom","tbt","leftDelta","rightDelta","topDelta","bottomDelta","widthE1o","widthE2o","heightE1o","heightE2o","rstyp","corlid","fActive","zoomScrollCorrelationId","X Distance Scrolled","Y Distance Scrolled","Direct Manipulation","Thumb Used","Preview Shown","ForceInline Reason","Total Notifications","Added Notifications","Removed Notifications","DirtyCode","Itap","HeightSpecified","Timer Duration 
(msec)","commandline","fMainExe","fSafeMode","fOleLaunchedUs","fOleAutomation","fMacroOnCmdLine","fLoadAddIns","fOnly1DDEDcl","fOpenAsNew","fReadWriteOnSave","fRestore","fNormalDotSafe","fDotEvt","fMacroSwitch","fOpenedDrp","fDocRecoveryWorkPane","fShowOutspace","fShowAllDrps","fDidCrashRecoveryLastTime","fRestoringFromRestart","fFreezeDryEnabled","cdrpGroups","cdrpResolvedWithOthers","cdrpRepaired","cdrpSavedOnCrash","cmdLineFlagsExtended","fGlobalDotMatchesDefault","fInterrupted","cFootnoteObjects","cEndnoteObjects","cTrackedChangeObjects","cCommentObjects","cRtcPresenceObjects","cCoauthLockObjects","cAtnObjects","cHsp","cE2o","SuggestionNumber","HyperlinkDestinationType","FromAnchorTag","cPartsLoaded","HostedControl","fTruncationNeeded","fCallSucceeded","addtionalSpaceNeeded","CardCount","CardId","dxaLeftOffset","dxaRightOffset","dyaTopOffset","dyaBottomOffset","PartsToRemove","CardIdToReplace","CardsToRemove","PartSdtId","PartReadOnly","LoadAborted","DraftName","ResultSize","HyperlinkProtocol","DyDip","DxDip","ScaleUI","dxdipMargin","ControlHandle","HostParentHandle","DusecConversionTime","E1oCount","icf","ifld","cpMacPdodClone","fCacheAllHspAtOnce","fInline","fPseudoInline","usecSystemUptime","usecUserCpuTime","usecSystemCpuTime","usecProcessCpuTime","usecMainThreadCpuTime","maxrss","ixrss","idrss","isrss","minflt","majflt","nswap","inblock","oublock","msgsnd","msgrcv","nsignals","nvcsw","nivcsw","fGetrusageSuccess","Count of MWDs","MWD PunkWindow","fServerObjPunkWindow","Found Doc Kind","Original Doc Kind","BookMark 
Class","dypAdjust","ypHostedTop","dypScrollable","ypScrollerOffset","dypRootHeight","hpl","idpci","fCannotDeterminePivot","fNoContextAllowable","fContextReduced","fContextReducedToShort","fContextNaturallyTooShort","fAutoOpen","fPlan","ihdt","left","top","right","bottom","fDropCap","LrgKind","docAnchorKind","cpAnchor","SpxKind","xlLeft","ylTop","xlRight","ylBottom","xlFull","ylFull","fIgnorePositionPTS","lstFlow","heightRef","heightPres","upLimAutonumberingText","upLimLineProper","upLimLine","breakEndr","fForcedBreak","fTopEnable","fBottomEnable","fBetweenTop","fBetweenBottom","fVolatile","fPicture","fHandAtn","fFirstLineCp","fSplatSub","fSfx","lbrCRJ","durReservedLeft","durRightIndentBreak","durRightIndentJustify","durHyphenationZone","lsbrj","lskj","lskal","durAutoDecimalTab","fVisiCondHyphens","fVisiParaMarks","fVisiSpaces","fVisiTabs","fVisiSplats","fVisiBreaks","fPunctStartLine","fHangingPunct","fApplyBreakingRules","fApplyOpticalAlignment","fPresSuppressWiggle","fAutonumber","fAutoDecimalTab","fUnderlineTrailSpacesRM","fSpacesInfluenceHeight","fAllowSplatLine","fForceBreakAsNext","fCheckTruncateBefore","fAllowHyphenation","fDrawInLogicalOrder","fTreatHyphenAsRegular","fWrapTrailingSpaces","fWrapAllSpaces","fForgetLastTabAlignment","fIndentChangesHyphenZone","fNoPunctAfterAutoNumber","fResolveTabsAsWord97","fIgnoreHeightOfEOL","fSpecialFirstLine","edge","brcType","dptLineWidth","dptSpace","fShadow","fFrame","fPdvv","Text","VerticalAlign","fVertical","ipgdCur","pgnNext","fLandscape","duPageES","dvPageES","fSlicedPage","ylTopMargin","ylBottomMargin","xlLeftMargin","xlRightMargin","fEmptyPage","fHasBubbles","printer","driver","fUsePrinterMetrics","xdpi","ydpi","dodKind","DRK","drdoKind","dxp","dyp","fGoodClient","yaTopMargin","dyaBottomMargin","pabd","fInsertAbdInPlcAbd","cxpInch","cypInch","cxtInch","cytInch","fticmOut","fticmBase","pctZoom","dmOrient","xpLeft","ypTop","cpMin","xl","yl","dxl","dyl","xt","yt","dxt","dyt","fHdr","dvpAscent","dvrAscent","dvpDescent"
,"dvrDescent","dvpMultiLineHeight","dvrMultiLineHeight","dvpAscentAutoNumber","dvrAscentAutoNumber","dvpDescentAutoNumber","dvrDescentAutoNumber","durContent","cpLimToContinue","cpLimToStay","dcpDepend","endres","vaAdvance","fAdvanced","fFirstLineInPara","fTabInMarginExLine","fNoCSSInlineContent","fEllipsis","fNonTextObjectPresent","fAnmPresent","EffectsFlags","kysr","wchYsr","wchYsr2","lshq","upStartLineOriginal","upStartLine","upStartMainText","upStartLineProper","upRightMargin","ppj","fCanceledByUser","fMacro","numPages","rangeType","rangeSz","jobParity","jobParitySz","numCopies","fCollate","fDuplex","sourceSz","fPrintToFile","pgsPerSheet","dmPaper","numSections","width","height","lMargin","rMargin","tMargin","bMargin","dmOrientSz","prType","szPrinterDev","grfpr","pPrintHandler","desiredPage","PTCompletion","pFastPrintTaskAppImpl","dxdipPage","dydipPage","xdipContent","ydipContent","dxdipContent","dydipContent","fPrintMarkup","fPrintBgImages","dxpPreview","dypPreview","xpPrintable","ypPrintable","dxpPrintable","dypPrintable","pPrintDocuemntPackageTarget","dxaPage","dyaPage","printRange","customRange","completion","ipgdMacNew","PrintSettingUpdated","InOutspace","fFileSize","MacPMSessionError","FTransparentFill","Eaten","corId","cBatchEdit","cvText","cvBack","cvUl","kul","fRevMarkingPdod","Cicero","IMMForced","CiceroAvailable","UIMName","cpFirstChange","cpLimChange","cpFirstUrb","cpLimUrb","cpFirstComp","cpLimComp","messagePostDelay","fSearchWord","fSearchCase","fSndsLike","fFuzzy","fMatchByte","searchStringLength","InReadmode","Next","FindEventId","CloseWithFindBarButton","CSearchResults","fResultInComment","ReplaceQueryLength","cReplaces","fFindInComments","ClientType","AuthorId","OpKind","OpResult","ParaID","ParaId","RtcOn","AnalyzeAndDoResult","AnalyzeAndDoResultString","cParasReverted","cCpTraversed","SelType","TextId","CaretPos","fSetPresence","RbodQueueSize","fReplay","fUnpause","CountRbodProccessed","pIRtcConnection","DusecEffectiveRTCSessionDuration","fPla
yUnpausedDocument","actt","dusecAliveTime","dusecDeadTime","fSpec","xchSpec","ibstshort","fBroken","fCanRtc","fAlwaysSaveActivated","HR","Automatic","OptInSource","Response","AlwaysAsk","Bssck","cpIn","cpOut","cFetch","scps","pthis","cParasDeleted","cParasDelMax","FirstReason","GrfReasons","cpFirstOld","cpLimOld","cpFirstNew","cpLimNew","DusecRTCContentHandlerDuration","fPresence","cReceived","cLost","cUnordered","cDelayedStart","fAlive","DeadReason","paraid","dusecAliveDeadTime","InitialOpResult","InitialOpKind","InitialClientType","RbodIdentifier","usecInsertTime","usecCoalesceTime","usecSerializeTime","usecBroadcastTime","dusecCreateToBroadcastTime","usecAckTime","dusecRoundtripTime","retryBucket","usecProcessAllRbodsTime","usecRorDoIfPossibleTime","dusecReceiveToPlayTime","Paused","UnderPauseEffect","FeatureGateOn","PresenceTextType","AggregationHelper","UnknownEditorTime","fNeverKnown","cParaIds","cSequence","usecInBuffer","cUnorderedResolved","drwmidss","dusecDelay","NoProofRegion","lang","fIsDifferentLangSelected","fIsNoProofChecked","fIsAutoDetectUnchecked","fIsSetDefaultPressed","fMoving","xPos","yPos","xMaxOffset","yMaxOffset","xZoom","yZoom","XszName","XszPayload","fIsMotherWwd","fInListWwd","fDifferentDoc","fUiaNodeAllowed","Devmode","DC","fError","fFaking","RetVal","fQuery","fFakePrinterNameOK","fHaveDefaultPrinterName","fEmptyPrinterName","DCIn","DCOut","fOutput","fDevmode","receivingClientVclokId","sendingClientVclokId","senderSaveActionGuid","sendingClientVclokValueMin","sendingClientVclokValueMax","uploadDuration","rtcPacketArrivalToMergeDuration","rtcPacketArrivalToDownloadStartDuration","downloadStartToEndDuration","downloadEndToMergeDuration","mergeToDisplayDuration","e2eDuration","deepSleepDuration","mergeStartToEndDuration","downloadBranchNotificationDuration","idleDuration","loadDuration","fMergedContent","rtcBrkSenderDuration","rtcBrkE2EDuration","idleDocLoadEndToMergeStartDuration","sendingClientVclokValue","savingClientVclokId","savingClien
tVclokValueMin","savingClientVclokValueMax","editToUploadTimeMicroseconds","rtcBrkEditToUploadTimeMicroseconds","saveToUploadInitTimeMicroseconds","savingClientVclokValue","saveTimeMicroseconds","rtcBrkEditToSaveTimeMicroseconds","editToSaveTimeMicroseconds","firstRtcBrkEditId","firstEditId","minOcsAutoSaveIntervalMicroseconds","idleAutoSaveDelayTimeMicroseconds","autoSaveIdleToSaveTimeMicroseconds","deepSleepDurationMicroseconds","fDocHasFormsField","grftr","grfef_low","grfef_high","grfef2_low","grfef2_high","Bounding Box","Rectangles","fNoLayoutChange","fSelectionChange","fUpdateArtvNVersion","fDirtyMtxi","tSucceeded","fDocRenamed","Reason for Conflict","fciUser","fciCoauth","User CA type","camoUser.cp","camoUser.dcpOld","camoUser.dcpNew","camoCoauth.cp","camoCoauth.dcpOld","camoCoauth.dcpNew","fRepeat","IdomoMacUsk","idomoUndoLim","idomoRedoLim","idomoFirst","cdomo","UAD.fci","fPrivateInvalRgn","Sum of Pixel Count for Rects","ppr","grfrpu","xszText","ExitType","BackgroundColor","BackgroundType","NotifyUserResult","ShowNotificationResult","dwIndex","dwType","cb","dwCValue","GateValue","secBootLengthThreshold","pctBootPercentageThreshold","AddinScenario","time","fDisplay","FIsCOMAddin","FIsGroupPolicyDisabled","SelectedAction","dwConnect","dwPolicy","areaPoints","fRTF","callType","changes","mrtTag","property","CountOfRecipients","LinkPermissionType","CountOfRecipientsOptimizedAway","featureDwTag","ProfilerModules","ProfilerSamples","objInstance","ucType","hHeap","ulInitial","ulMin","ulMax","ulAllocCount","ulExtendCount","ulTotalAlloc","owner","jobid","xferId","proxyServerList","proxyServer","urlContentLength","urlHttpVersion","urlRange","HTTPVersion","URLRange","CACertIdentifier","LDAPPath","ApartmentId64","AptId","AptKind","CallTraceId","CausalityId","TargetMethod","ProxyInterfacePointer","ProxyManagerIUnknown","IPID","OID","CallerLogicalThreadId","CallerReturnAddress","WinrtAsyncPatternMethodIndicator","FakeSync","SourceOfHRESULT","InterfacePointer","MethodAddres
s","ServerIUnknown","ServerException","UnloadDelay","Bias","StandardName","SystemDatewYear","SystemDatewMonth","SystemDatewDayOfWeek","SystemDatewDay","SystemDatewHour","SystemDatewMinute","SystemDatewSecond","SystemDatewMilliseconds","StandardBias","DaylightName","DaylightDatewYear","DaylightDatewMonth","DaylightDatewDayOfWeek","DaylightDatewDay","DaylightDatewHour","DaylightDatewMinute","DaylightDatewSecond","DaylightDatewMilliseconds","DaylightBias","TimeZoneKeyName","HexInt4","HRESULT1","Boolean6","Message8","Message9","Boolean10","Boolean11","Message12","Boolean13","ResourceID","ResourceId","MessageBody","Class_name","Resource_ID","Execution_Mode","DSC_resource_Namespace","ExecutionMode","ProviderNamespace","Method_Name","Error_Message","PhysicalAdapterIndex","DriverSegmentIndex","VprIndex","NewStartOffset","pDxgAdapter","InitChannelPublisherEnableFailure.ErrorCode","InitChannelPublisherEnableFailure.ChannelPath","InitChannelPublisherEnableFailure.PublisherGuid","ChannelPath","EventString","EndpointId","NetworkId","HTTP_error_response_sent_Url","Cache_Send","Request_Queue","TID","Image_Name","Working_SetBytes","Send_Status","Thread_Count","Reason_Phrase","Error_Cause","Verbosity","CacheSend","RequestQueue","ImageFileName","WorkingSetSize","SendStatus","ReasonPhrase","ErrorCause","VmlDebugTrace.TraceData","VmlDebugTrace.VmName","VmlDebugTrace.VmId","VmlDebugTrace.StackFrameCount","VmlDebugTrace.StackFrame","VmlDebugTrace.ModuleCount","VmlDebugTrace.Module","TraceData","StackFrameCount","StackFrame","ModuleCount","AllowMacSpoofing","EnableDhcpGuard","EnableRouterGuard","MonitorMode","MonitorSession","AllowIeeePriorityTag","VirtualSubnetId","AllowTeaming","StormLimit","DynamicIPAddressLimit","EnableFixSpeed10G","Applicability","LocalAddrLen","RemoteAddrLen","RemoteAddr","ApplicationPool","IsatapRouter","IssuingKDC","UnsealingCachedCopyStatus","KeyGenerationAndSaveStatus","SealingStatus","TpmPcrMask","ProtectorAssistedUnsealStatus","ProtectorAssistedResealStatus","
ProtectorSealUpdateStatus","TpmCounterOpStatus","TpmCounterCreateStatus","BackupSealedBlobUsed","PrimaryBlobUnsealStatus","BackupBlobUnsealStatus","Pca2023ProtectorUnsealStatus","BackupBlobValidityCheckStatus","BackupBlobStillValid","Pca2023ProtectorValidityCheckStatus","Pca2023ProtectorStillValid","PrimaryBlobResealStatus","BackupBlobResealStatus","Pca2023ProtectorResealStatus","Pca2023ProtectorCleanupPostUpgradeStatus","NeedToRollLkey","CreationStateVerified","V2ProtectorsUsed","LegacyUefiVarQueryStatus","LegacyUefiVarCleanupStatus","VbsRollbackDataProtectionEnabled","VbsRollbackDataProtectionOptedIn","VbsRollbackDataProtectionTpmCounterStatus","FirstWriteToDisk","WritePkgToUefi","LatchedProtectorUsed","LatchTheUnlatched","UnsupportedRollback","UpgradedVbsPolicyExists","TpmCounterIncrementStatus","ActivePolicyVersion","LatchedPolicyVersion","UnlatchedPolicyVersion","LatchedPrimaryBlobResealStatusV2","LatchedBackupBlobResealStatusV2","LatchedPca2023ProtectorResealStatusV2","LatchedPca2023ProtectorCleanupPostUpgradeStatusV2","UnlatchedPrimaryBlobResealStatusV2","UnlatchedBackupBlobResealStatusV2","UnlatchedPca2023ProtectorResealStatusV2","UnlatchedPca2023ProtectorCleanupPostUpgradeStatusV2","SrkSymKeyPolicy_value","TPM_symmetric_key_capability","AES_bits_used","SrkAsymKeyPolicy_value","TPM_asymmetric_key_capability","Rsa_bits_used","TpmSrkProvisioningTime","TpmSrkPolicyReadStatus","TpmSrkSymKeyPolicyValue","TpmSrkSymKeyCapability","TpmSrkAesBitsUsed","TpmSrkAsymKeyPolicyValue","TpmSrkAsymKeyCapability","TpmSrkRsaBitsUsed","IsFasrCertPresent","ValidateFasrCertSignatureStatus","BootmgrAuthorityEventCount","VerifiedMicrosoftAuthority","ValidateFasrPcrValuesStatus","PcrMismatchIndex","FasrCertSize","FasrCertWithoutSignature","FasrSignatureSize","FasrSignature","FileKey","IssuingThreadId","CreateOptions","CreateAttributes","ShareAccess","ByteOffset","IOSize","IOFlags","ExtraFlags","ExtraInformation","InfoClass","FileIndex","LoadPercent","GsivCount","MaskCount","GroupCoun
t","Mask","Gsiv","NewTarget","OldTarget","Vector","ServiceRoutine","IsrLoad","DpcLoad","ProcIndex","DeviceInterrupts","OldWorkOnBehalfThreadID","NewWorkOnBehalfThreadID","BaseObject","KeyObject","BaseName","RelativeName","CapturedDataSize","CapturedData","ValueName","PreviousDataType","PreviousDataSize","PreviousDataCapturedSize","PreviousData","HiveFilePath","HiveMountPoint","FlushFlags","WritesIssued","BytesWritten","KtmTriggerSvcStartGuid","Operating_System_Protected_Version","NtfsAllocateAttribute_MaxAlloc_for_Mfts_AttrList_IC","p_Scb","p_StaringVcn","I64x_ClusterCount","I64x_Flags","NtfsAddAllocation_IC","p_FileObject","Purge_failed_Scb","NtfsCreateNonresidentWithValue_Create_Mfts_NonResident_Attribute_List_IC","pValueLength","MakeRoomForAttribute_Moving_Mfts_attribute_IC","MoveAttributeToOwnRecord_Moving_Mfts_BITMAP_IC","p_SizeNeeded","x_TypeCode","x_RecLen","x_Form","x_Instance","NtfsConsolidateAllFileRecords_Invalid_Vcb_Thread","NtfsConsolidateAllFileRecords_Volume_is_locked_Thread","p_Vcb","p_VolumeName","S_VolumeLabel","S_Volume_Id","NtfsAllocateClustersPriv_IC","p_Mcb","S_DelayedAllocation","3I64xScbState","p__Lsn","I64x_new","3I64xAddrTotalAllocated","pAddrTotalAllocated","p_ScbState","Entering_Scb","p_ExtentsDescriptorIndex","Exiting_ExtentsDescriptorIndex","Dsm_TotalNumberOfRanges","d_NumberOfRangesReturned","Updating_ExtentsDescriptor_Index_and_StartOffset_from_Locals_ExtentsDescriptorIndex","Return_IrpContext","Raising_STATUSSUCCESS_from_NtfsCommonCleanup","NtfsCommonCreate_Volume_is_locked_Thread","S_Vcb_State","NtfsCommonVolumeOpen_Invalid_create_disposition_for_volume_open_Thread","NtfsCommonVolumeOpen_Volume_is_locked_or_we_have_performed_a_dismount_Thread","NtfsCommonVolumeOpen_Thread","d_BiasedCleanupCount","NtfsCommonVolumeOpen_Volume_is_locked_or_we_have_performed_a_dismountThread","NtfsCommonVolumeOpen_Conlicting_file_objects_Thread","d_VcbCloseCount","d_VcbSystemFileCloseCount","NtfsHandlePagingFile_Paging_file_already_open_paging_files_can
_only_be_opened_once_Thread","S_Fcb","NtfsHandlePagingFile_Cannot_open_system_file_as_paging_file_Thread","NtfsHandlePagingFile_Persisted_paging_file_already_exists_Thread","NtfsOpenFcbById_Invalid_system_file_access_Thread","NtfsOpenExistingPrefixFcb_Can_not_directly_open_txf_directory_Thread","NtfsOpenExistingPrefixFcb_Invalid_system_file_access_Thread","NtfsOpenFile_Unsafe_to_acquire_parent_directory_after_acquiring_a_txfsystem_file_Thread","NtfsOpenFile_Invalid_system_file_access_Thread","NtfsOpenFile_Deny_open_when_txf_rm_is_active_Thread","NtfsCreateNewFile_Deny_creation_in_system_directory_except_root_Thread","S_Parent_Fcb_Fcb","NtfsCreateNewFile_Unable_to_create_Ea_for_the_file_Thread","NtfsCreateNewFile_Unable_to_create_in_the_txf_directory_Thread","NtfsOpenSubdirectory_Denying_access_to_Txf_file_when_the_RM_is_active_Thread","NtfsOpenAttributeInExistingFile_Denying_access_due_to_caller_being_Ea_blind_Thread","NtfsOpenAttributeInExistingFile_Fail_to_find_INDEXROOT_attribute_Thread","NtfsOpenAttributeInExistingFile_Denying_access_for_volume_root_directory_Thread","NtfsCreateNewFile_Not_allowed_to_create_streams_on_system_files_Thread","NtfsOverwriteAttr_Cannot_overwrite_hidden_or_system_attribute_for_a_nonpaging_file_Thread","NtfsOverwriteAttr_Denying_access_due_to_user_being_Ea_blind_Thread","p_FileRef","NtfsOverwriteAttr_Deny_access_due_to_encryption_happening_on_the_stream_Thread","NtfsCheckValidAttributeAccess_Supersede_or_overwrite_is_not_allowed_on_this_type_of_named_attribute_Thread","NtfsCheckValidAttributeAccess_Only_read_attributes_access_is_supported_on_this_attribute_Thread","NtfsCheckValidAttributeAccess_Deny_access_for_protected_system_attributes_Thread","p_AttributeTypeCode","NtfsOpenAttributeCheck_File_already_has_user_writable_references_Thread","NtfsOpenAttributeCheck_Deny_access_for_online_encryption_backup_data_stream_Thread","NtfsOpenAttributeCheck_File_was_granted_write_access_but_has_image_section_Thread","NtfsOpenAttribute_Denying_wri
te_access_on_disallowed_writes_Thread","p_Disallow_write_count","NtfsOpenAttribute_File_already_has_user_writable_references_Thread","NtfsOpenAttribute_Open_for_exclusive_read_access_is_not_allowed_Thread","NtfsCheckExistingFile_Desired_access_conflicts_with_readonly_state_Thread","NtfsOpenExistingEncryptedStream_No_encryption_driver_found_Thread","NtfsOpenExistingEncryptedStream_Opening_for_readwrite_access_not_allowed_on_compressed_file_Thread","NtfsEncryptionCreateCallback_Encrytion_engine_fail_to_encrypt_all_streams_for_file_with_open_handle_Thread","NtfsFindStartingNode_Opening_not_allowed_for_txf_name_when_RM_is_active_Thread","p_Fcb","NtfsCheckShareAccess_IoCheckLinkShareAccess_failed_with_sharing_violation_Thread","d_LinkShareAccessDeleters","d_LinkShareAccessSharedDelete","d_ShareAccessReaders","d_ShareAccessWriters","d_ShareAccessDeleters","d_ShareAccessSharedRead","d_ShareAccessSharedWrite","d_ShareAccessSharedDelete","S_Link_Name","d_LinkShareAccessOpenCount","NtfsReCheckShareAccess_Does_not_meet_allow_open_requirement_Thread","d_Readers","d_Writers","d_Deleters","d_SharedRead","d_Lcb_Deleters","NtfsCommonDeviceControl_IOCTLDISKCOPYDATA_is_not_allowed_on_unlocked_volume_Thread","NtfsVolumeDasdIo_Data_section_blocking_flush_Thread","S_Flush_status","Writing_to_Bitmap_Vcb","NTFS_Posting_hotfix_on_file_object","NTFS_____Freeing_Bad_Vcn","NTFS_____Retiring_Bad_Lcn","NtfsDefragFileInternal_Defrag_is_denied_Thread","NtfsDefragFile_Defrag_is_denied_without_manage_volume_access_Thread","NtfsEncryptDecryptOnline_Defrag_is_denied_Thread","NtfsCommonQueryInformation_File_information_query_not_allowed_as_file_was_opened_by_ID_without_traversal_privilege_Thread","NtfsQueryCaseSensitiveInfo_Case_sensitive_info_query_not_allowed_without_read_attributes_access_Thread","NtfsQueryNameInfo_Name_info_query_not_allowed_as_file_was_opened_without_traverse_privilege_Thread","NtfsQueryLinksInfo_Link_info_query_not_allowed_as_file_was_opened_without_traverse_privilege_Thread","N
tfsSetCaseSensitiveInfo_Cannot_mark_root_directory_of_a_volume_casesensitive_Thread","NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_system_file_Thread","NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_with_open_handles_Thread","p_Link_name","S_TxfNumWriters_count","NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_opened_by_ID_Thread","NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_with_open_handles_via_either_part_of_the_longshort_pair_Thread","S_Link_cleanup_count","d_SplitPrimaryLcb","p_Split_link_name","S_Split_link_cleanup_count","NtfsSetRenameInfo_Can_not_rename_a_file_marked_for_deletion_Thread","p_link_name","NtfsSetRenameInfo_Can_not_rename_a_txf_directory_Thread","NtfsSetRenameInfo_Can_not_rename_into_a_system_directory_Thread","NtfsSetRenameInfo_Can_not_rename_a_file_that_is_part_of_a_TxF_transaction_Thread","NtfsSetRenameInfo_The_file_should_not_have_inmemory_directory_descendents_Thread","NtfsSetRenameInfo_Child_Scb_mismatch_Thread","NtfsSetLinkInfo_Set_link_info_is_not_allowed_on_txf_directory_Thread","NtfsSetLinkInfo_Set_link_info_is_not_allowed_on_a_file_in_a_TxF_transaction_Thread","S_TxfVisibleLinks","NtfsSetLinkInfo_Set_link_info_failed_due_to_caller_not_having_FILEWRITEATTRIBUTES_access_Thread","S_SeAccessCheck_status","NtfsSetLinkInfo_Creating_a_link_in_system_directory_is_not_allowed_Thread","NtfsSetLinkInfo_Creating_a_link_in_txf_is_not_allowed_if_the_RM_is_running_Thread","S_Target_RM_state","NtfsSetShortNameInfo_Can_not_set_a_short_name_on_a_deleted_file_Thread","p_Link_Name","NtfsSetShortNameInfo_Can_not_set_a_short_name_on_a_file_under_the_TxF_directory_Thread","S_Parent_FileRef","NtfsCheckScbForLinkRemoval_Existing_handles_are_not_allowed_if_Txf_transaction_is_doing_the_rename_Thread","NtfsCheckScbForLinkRemoval_Not_all_open_handles_for_the_stream_are_byid_opens_Thread","d_Stream_cleanup_count","NtfsStreamRename_Deny_access_due_to_encryption_happening_
on_source_stream_Thread","NtfsProcessTreeForRename_Deny_access_due_to_number_of_batch_oplocks_has_grown_Thread","d_current_batch_oplock_count","NtfsFlushVolumeFlushSingleFcb_Thread","p_LocalFlags","NtfsFlushVolume_Thread","NtfsFlushVolume_setting_SCBPERSISTVOLUMEDISMOUNTED_on_BitmapScb_Scb","NtfsFlushVolume_setting_SCBPERSISTVOLUMEDISMOUNTED_on_MftScb_Scb","NtfsLockVolumeInternal_Cannot_lock_the_volume_Thread","d_ExplicitLock","d_Volume_CleanupCount","d_Handle_count","NtfsLockVolumeInternal_Volume_is_already_lockedThread","NtfsLockVolumeInternal_Failed_to_flush_system_files_on_the_volume_Thread","S_Flush_Status","NtfsLockVolumeInternal_Failed_to_flush_system_files_on_the_volumeThread","NtfsLockVolumeInternal_Outstanding_user_files_open_after_flush_and_retry_Thread","S_Volume_close_count","d_System_file_close_count","d_User_handle_count","NtfsLockVolume_Cannot_lock_volume_due_to_caller_does_not_have_manage_volume_privilege_Thread","NtfsLockVolume_Cannot_lock_volume_due_to_active_secondary_RMs_on_the_volume_Thread","S_Active_RM_count","d_Default_RM_Active","NtfsUnlockVolume_Cannot_unlock_volume_due_to_caller_does_not_have_manage_volume_privilege_Thread","NtfsDismountVolume_IC","p_Label","S_DeviceName","NtfsDismountVolume_Cannot_dismount_volume_due_to_systempagefiles_being_open_for_write_access_Thread","NtfsDismountVolume_Cannot_dismount_volume_due_to_volume_being_locked_Thread","d_CloseCount","d_SystemFileCloseCount","NtfsMarkVolumeDirty_Cannot_mark_volume_dirty_due_to_caller_not_having_manage_volume_privilege_Thread","NtfsGetVolumeBitmap_Cannot_get_volume_bitmap_due_to_caller_not_having_manage_volume_privilege_Thread","NtfsGetBootAreaInfo_Cannot_get_boot_area_info_due_to_caller_not_having_manage_volume_privilege_Thread","NtfsGetRetrievalPointers_Cannot_get_retrieval_pointers_due_to_caller_not_having_manage_volume_privilege_Thread","NtfsGetRetrievalPointerBase_Cannot_get_revrieval_pointer_base_info_due_to_caller_not_having_manage_volume_privilege_Thread","NtfsGetRetri
evalPointerBase_Cannot_get_revrieval_pointer_base_info_due_to_caller_not_having_manage_volume_privilege_or_this_is_not_a_volume_open_Thread","NtfsCreateUsnJournal_Cannot_create_Usn_journal_due_to_caller_not_having_manage_volume_privilege_Thread","NtfsUsnTrackModifiedRanges_Cannot_enable_range_tracking_due_to_caller_not_having_manage_volume_privilege_Thread","NtfsEnumerateUsnData_Cannot_enumerate_Usn_data_due_to_caller_not_having_manage_volume_privilege_Thread","NtfsFindFilesOwnedBySid_Caller_not_having_manage_volume_privilege_backup_access_or_can_bypass_traverse_checks_Thread","NtfsFindFilesOwnedBySid_Caller_not_having_manage_volume_privilege_or_backup_access_and_is_not_admin_Thread","d_Context_owner_ID","NtfsSetSparse_Caller_does_not_have_appropriate_write_access_to_the_stream_Thread","NtfsSetSparse_Cannot_desparse_encrypted_file_without_write_data_access_Thread","NtfsZeroRange_User_mode_caller_not_allowed_Thread","NtfsReadRawEncrypted_Caller_does_not_have_backup_access_or_read_data_access_Thread","NtfsWriteRawEncrypted_Caller_does_not_have_write_data_access_or_restore_access_Thread","NtfsWriteRawEncrypted_Caller_not_having_manage_volume_privilege_Thread","NtfsLookupStreamFromCluster_Caller_not_having_manage_volume_privilege_Thread","NtfsChangeVolumeSize_Caller_not_having_manage_volume_privilege_Thread","NtfsMarkHandle_Caller_does_not_have_a_valid_volume_handle_or_manage_volume_access_or_is_not_kernel_model_caller_Thread","NtfsMarkHandle_Caller_not_having_manage_volume_privilege_Thread","NtfsMarkHandle_Cannot_deny_defrag_Thread","NtfsMarkHandle_Cannot_deny_Frs_consolidation_Thread","NtfsMarkHandle_Cannot_filter_metadata_Thread","NtfsMarkHandle_Mark_handle_is_not_allowed_on_system_files_Thread","NtfsMarkHandle_File_already_has_user_writable_references_Thread","NtfsMarkHandle_File_was_granted_write_access_previously_but_no_oplocks_were_broken_Thread","S_Writers","NtfsPrefetchFile_Caller_not_having_manage_volume_privilege_Thread","p_TypeOfOpen","d_Vcb","NtfsSetZeroOnD
eallocate_Only_allowed_on_regular_user_files_opened_for_write_Thread","S_TypeOfOpen","d_WriteAccess","d_Fcb","NtfsSetShortNameBehavior_Caller_not_having_manage_volume_privilege_Thread","NtfsQueryPagefileEncryption_Caller_not_having_manage_volume_privilege_Thread","NtfsResetVolsnapBehaviorForVolume_Volsnap_hints_are_disabled_by_registry_Thread","S_NtfsData_Flags","NtfsResetVolsnapBehaviorForVolume_Caller_not_having_manage_volume_privilege_Thread","NtfsCorruptionHandling_Caller_not_having_manage_volume_privilege_Thread","NtfsGlobalCorruptionHandling_Caller_does_not_have_manage_volume_privilege_Thread","NtfsScrubData_Caller_not_having_manage_volume_privilege_Thread","Scrub_not_supported_for_Txf_file_Scb","p_TxfScb","Scb","p_ScrubInternal_OperationStatus","S_Repaired","I64x_Failed","I64x_FileOffset","I64x_Length","I64x_ParityExtentCount","p_ScrubInternal_Status","p_Scrub_starting_vcn_is_beyond_VDL_FileOffset","I64x_SectorAlignedVdl","Scrub_found_problems_Scb","I64x_Status","S_BytesFailed","I64x_BytesRepaired","I64x_NewParityExtents","FSCTLREPAIRCOPIES_not_supported_for_Txf_file_Scb","NtfsQueryCachedRuns_Caller_not_having_manage_volume_privilege_Thread","NtfsQueryStorageClasses_Caller_not_having_manage_volume_privilege_Thread","NtfsQueryRegionInfo_Caller_not_having_manage_volume_privilege_Thread","NtfsUnloadFile_Caller_not_having_manage_volume_privilege_Thread","NtfsCheckForSection_File_already_has_image_section_Thread","NtfsShuffleFile_User_mode_caller_is_not_allowed_Thread","S_Irp_RequestorMode","NtfsShuffleFile_Denying_access_due_to_volume_is_locked_Thread","I64x_Ccb_FullFileName","NtfsShuffleFile_Defrag_is_denied_Thread","NtfsShuffleFile_Denying_access_due_to_conflicting_with_readonly_state_Thread","NtfsRearrangeFile_User_mode_caller_is_not_allowed_Thread","NtfsRearrangeFile_Denying_access_due_to_volume_is_locked_Thread","NtfsRearrangeFile_Defrag_is_denied_Thread","NtfsSparseOverAllocate_Caller_does_not_have_appropriate_write_access_Thread","S_FileRef","I64x_FullFile
Name","S_Ccb_access_flags","NtfsInitiateFileMetadataOptimization_Only_allowed_on_regular_user_filesdirectories_opened_for_write_Thread","I64x_Scb_AttributeTypeCode","x_FcbState2","x_Ccb_FullFileName","S_Ccb_Access_flags","x_Ccb_Flags2","NtfsQueryFileMetadataOptimization_Only_allowed_on_regular_user_filesdirectories_opened_for_read_Thread","NtfsCleanVolumeMetadata_Caller_not_having_manage_volume_privilege_Thread","NtfsEncryptionKeyCtl_Caller_does_not_have_SETCBPRIVILEGE_Thread","NtfsFindPrefixHashEntry_Hash_table","p_ParentScb","NtfsFindPrefixHashEntry_Lcb","NtfsInsertHashEntry_Hash_table","p_HashValue","d_Lcb","NtfsRemoveHashEntry_Hash_table","NtfsAddToMatchingDeallocatedClusters_ExtentsWithoutDanglingMdl__failed","NtfsAddToMatchingDeallocatedClusters_ExtentsWithDanglingMdl__failed","Valid_NTFS_boot_sector_Vcb","p_BootSector","Not_an_NTFS_boot_sector_Vcb","p_CheckNumber","NtfsMountVolume_Vcb","p_IC","NtfsMountVolume_IC","Mounting_DAX_partition_Vcb","DAX_volume_mounted_without_DAX_support_because_storage_is_not_DAX_capable_Vcb","User_Data","Exception_Details","ExceptionDetails","TrustedDomainName","TrustedDomainId","LegacyRPCMethodName","Start_Time","End_Time","Renew_Until","Luid","ClientPrincipalName","ServicePrincipalName","TicketFlags","EndTime","RenewUntil","TargetRealm","Targetname","KDCRealm","TriggerSubType","TriggerData","LowQuality","RequestSize","CropLookupSize","VARTYPEFrom","VARTYPETo","FMTID","LoopCount","QueueItemCount","ExecutableName","pszSource","pszDest","SourceType","DestinationType","FileOp","TOID","PathToIcon","IconOffset","PIDL_out","HWND","IBindCtx","cbEaten","dwAttributes","Depth","Children","TrayCode","uID","hwndTaskBand","pTBGroup","pszExePath","tbgType","x","y","hwndItem","pszGroup","nVisibleRow","nRequiredRow","nTotalWidth","nTotalFixedWidth","iGroupStart","iItemStart","iGroupEnd","iItemEnd","MonitorID","Left","Top","Right","Bottom","uPicturePosition","pszFilePath","SecurityStatus","PrincipalNameLength","PrincipalName","UserNameLength","En
cyptionUsed","CompressionUsed","MinRto","EnableCwndRestart","InitialCwnd","CongestionAlgorithm","MaxDataRetransmissions","DelayedAckTicks","DelayedAckFrequency","Rack","TailLossProbe","TcpIpChecksumNetBufferListInfo","TcpLargeSendNetBufferListInfo","Ieee8021QNetBufferListInfo","NetBufferListHashValue","NetBufferListHashInfo","VirtualSubnetInfo","TcpRecvSegCoalesceInfo","NrtNameResolutionInfo","DataBytesOut","DataBytesIn","DataSegmentsOut","DataSegmentsIn","SegmentsOut","SegmentsIn","NonRecovDa","NonRecovDaEpisodes","DupAcksIn","BytesRetrans","Timeouts","SpuriousRtoDetections","FastRetran","MaxSsthresh","MaxSsCwnd","MaxCaCwnd","SndLimTransRwin","SndLimTimeRwin","SndLimTransCwnd","SndLimTimeCwnd","SndLimTransSnd","SndLimTimeRSnd","SndLimBytesRSnd","ConnectionTimeMs","TimestampsEnabled","RttUs","MinRttUs","MaxRttUs","SynRetrans","SsThresh","RcvBuf","IsolalationId","SwRscUroApplicable","SwRscEnabled","SwUroEnabled","LastFrequencyErrorPPM","AvgFrequencyErrorPPM","AvgFreqDurationMins","LastDailyDriftSeconds","AvgDailyDriftSeconds","ApiNumber","ClientSessionId","fRequestPending","fConnectionClosed","AppPoolID","Minutes","ListenerAdapterProtocol","SecondMessage","callersAppCommandLine","callerFunctionName","threadWaitAndLockHoldTimeMs","fwLockHoldTimeMs","AddressName","ErrorMesage","OriginalHRESULT","NewHRESULT","NameSpace","NameSpaceGuid","TimeOutInSec","AsyncWithCallback","AsyncWithOverlapped","automationId","handle","isHardware","isShared","featureLevel","adapterLuidLowPart","adapterLuidHighPart","command","hresult","animationClass","animation","storyboardHandle","triggerProperty","triggerValue","eventType","customEvent","looping","animationProperty","instant","implied","inherited","animationTick","animationSeconds","started","finished","layerHostCount","layerCount","textureCount","finalValue","deleted","frameId","frameTimestamp","totalTime","channelTime","animationUpdateTime","layoutTime","repairDamageTime","storyboardsScheduled","storyboardScheduleTime","updateTime","d
rawingTime","compositorBatches","canvasesPresented","totalCompNodeCount","dirtyCompNodeCount","canvasesPainted","pixelsPainted","paintTime","pixelsPresented","pixelsScrolled","presentTime","hardwareMode","sharedDevice","enabled","batched","channelCommandId","start","batchId","FramesPerSecond","PresentsPerSecond","method","numBytesUpdated","textureHandle","droppedForLowResourceMode","deviceLostNotificationPending","isFrontEndDevice","ControlCount","level","category","XamlDrawableSurface","XamlDrawResult","XamlVirtualSurface","X","Y","Width","Height","IsDrawOutstanding","ObjectHandle","CommandListComposite","XamlVirtualizedSurface","Handle","RectX","RectY","RectWidth","RectHeight","Fidelity","ID2D1RenderTarget","OutstandingDraw","IVirtualSurfaceImageSourceNative","NumberOfRects","ISurfaceImageSourceNativeWithD2D","ID2D1DeviceContext","IDXGISurface","OffsetX","OffsetY","PrefetchScope","NumberOfRootEvents","OldWidth","OldHeight","NewWidth","NewHeight","DpiX","DpiY","CommandList","ID2D1CommandList","NumberTrimmed","CanvasOffsetX","CanvasOffsetY","AdjustedOffsetX","AdjustedOffsetY","Zoom","NumberOfCommandLists","IVirtualSurfaceImageSource","CommandListRasterizerSource","VSISTiler","ISurfaceImageSource","XamlMultithreadNativeSurfaceUI","TextureType","MaxTextureDimension","NullRenderTargetReason","VirtualOffsetX","VirtualOffsetY","ZoomFactor","CanvasWidth","CanvasHeight","VirtualCanvasWidth","VirtualCanvasHeight","ViewportWidth","ViewportHeight","IsRTL","VirtualZoomedX","VirtualZoomedY","RealUnzoomedX","RealUnzoomedY","VirtualZoomedX_Rtl","VirtualZoomedY_Rtl","RealUnzoomedX_Rtl","RealUnzoomedY_Rtl","currentZoom","IsIntermediate","InkInputMode","PenStroke","PresentCount","SyncQPCTime","Directionality","Tag1","QpcTime","DeltaTime","Bitmap","Thread","Resize","TAG","xDpi","yDpi","newDpi","xPoint","yPoint","HitLayerHandle","xLayer","yLayer","XamlNativeSurface","ReadyToPresent","PointCount","Tag2","PresentSyncRefreshCountDelta","LastPresentSyncRefreshCountDelta","NewPointCount","
RefreshCount","PresentRefreshCount","SyncRefreshCount","TotalPointCount","GetLastPresentCount","ForceToPresent","XamlMultithreadDrawableSurfaceOffThread","XamlMultithreadNativeSurface","InBatch","EndDrawDirect2dResult","XamlMultithreadNativeSurfaceOffThread","IDXGIDevice","XamlMultithreadDrawableSurface","IXamlMultithreadDrawableSurfaceUser","ID2D1Bitmap1","offsetX","offsetY","SetDeviceCount","IncludeInverseTransform","Drawable","DeviceMismatch","UpdateInstanceStopTime","pointerId","UpdateInstanceCalcTime","horizontal","vertical","UpdateInstanceStartTime","CommandListRasterizeWork","CommandListRasterizer","AreAnimationsDisabled","TileId","tileId","RasterizeOnUI","XamlMultithreadVirtualSurfaceUI","IXamlDrawableSurface","Opaque","XamlSurface","VirtualTexture","VirtualTextureEvents","OfficeDeviceLost","LayerWidth","LayerHeight","SlopAmount","SlopUsedX","SlopUsedY","IsHighDPI","MaxLimit","MemoryUsage","IsInLowResourceMode","PendingScrollTo","PendingZoomTo","PendingSetCanvasSize","IsFIrstScroll","ResetPendingScrollTo","OffSetY","ResetPendingZoomTo","Layer","ParentAnchor","ViewportOffsetRealX","ViewportOffsetRealY","OldVirtualOffsetX","OldVirtualOffsetY","NewVirtualOffsetX","NewVirtualOffsetY","OldCanvasSizeVirtualX","OldCanvasSizeVirtualY","NewCanvasSizeVirtualX","NewCanvasSizeVirtualY","OldPlatformViewportOffsetX","OldPlatformViewportOffsetY","NewPlatformViewportOffsetX","NewPlatformViewportOffsetY","AdjustRightEdge","finalZoom","IsAnimated","VirtualPerimeterChanged","TileRectX","TileRectY","TileRectWidth","TileRectHeight","IsRecyclingTile","VirtualOffsetNextX","VirtualOffsetNextY","ZoomFactorNext","VirtualOffsetFinalX","VirtualOffsetFinalY","ZoomFactorFinal","HiddenTileCount","ViewportX","ViewportY","IsMoving","OldNumberOfVsisTilesX","OldNumberOfVsisTilesY","NewNumberOfVsisTilesX","NewNumberOfVsisTilesY","virtualPerimeterX","virtualPerimeterY","virtualPerimeterWidth","virtualPerimeterHeight","CalculatedvirtualPerimeterX","CalculatedvirtualPerimeterY","Calculatedvirtual
PerimeterWidth","CalculatedvirtualPerimeterHeight","parentVirtualOffsetX","parentVirtualOffsetY","VirtualizedRectX","VirtualizedRectY","VirtualizedRectWidth","VirtualizedRectHeight","LayerBoundingBoxX","LayerBoundingBoxY","LayerBoundingBoxWidth","LayerBoundingBoxHeight","LayerOffsetFromViewportX","LayerOffsetFromViewportY","PointTestX","PointTestY","HitTestOptions","ViewportOffsetX","ViewportOffsetY","HeaderType","ParentScrollingLayer","SearchForHitTestData","InputSourceType","ScrollingLayerCanvas","IsFirstScroll","ScrollToX","ScrollToY","ScrollToAnimate","ZoomAnimate","DeviceMode","ShareDevice","Scene","ReacquireDevice","DirectXDeviceResources","Direct2dDeviceResources","DeviceLossType","LockDevice","CanvasSizeWidth","CanvasSizeHeight","VirtualPerimeterX","VirtualPerimeterY","VirtualPerimeterWidth","VirtualPerimeterHeight","MaxViewportDestinationX","MaxViewportDestinationY","nextZoom","LastSteadyZoom","IntermediateCount","IsScroll","IsZoom","AllAppsBlocked","BlockedDeviceId","BlockedDriverVersion","CrashHistory","SecsBetweenCrashes","UpdatedDriverVersion","newValue","animationInstanceId","animationEvent","animationInstanceHandle","airSpaceLayerHandle","classCookie","animationClassId","contextVariableId","contextableValue","AppCrashingInHw","SafeMode","TerminalServer","Registry","AdminPolicy","AnimationDisabled","EaseOfAccess","WARP","OldZoomFactor","NewZoomFactor","oldVirtualPerimeterX","oldVirtualPerimeterY","oldVirtualPerimeterWidth","oldVirtualPerimeterHeight","newVirtualPerimeterX","newVirtualPerimeterY","newVirtualPerimeterWidth","newVirtualPerimeterHeight","IsPendingScroll","LayerTileManager","LCLVT","LayerTexture","LTM","LayerHandle","TextureHandle","ContentZoom","HighDpiScaleFactor","BoundsLeft","BoundsTop","BoundsWidth","BoundsHeight","PrefetchDistanceX","PrefetchDistanceY","Surface","Playback","OldStretchMode","NewStretchMode","IsArc","ScrollingIndicatorMode","LayerVirtualTexture","StretchMode","WindowCompositor","WindowCompositionGraphicsDevice","DxgiDev
ice","Compositor","IgnoreAlpha","IsCommandListBacked","GraphicsDevice","isMouseWheelSupportEnabled","BorderPosition","isHorizontal","Distance","isZoom","zoomFactor","WinCompEnabled","isXChainingSupportEnabled","isYChainingSupportEnabled","IsViewportMoving","IsClientScroll","MinPositionX","MinPositionY","MaxPositionX","MaxPositionY","MinMaxOrder","hasAnimation","animating","animationTracker","duration","IsActivating","ZoomCenterPointX","ZoomCenterPointY","canvasSizeX","canvasSizeY","SurfaceWidth","SurfaceHeight","UpdateWidth","UpdateHeight","hasCalledBeginDraw","IsDrawing","BatchDesc","V1Name","V1Val","V2Name","V2Val","V3Name","V3Val","V4Name","V4Val","V5Name","V5Val","V6Name","V6Val","V7Name","V7Val","IncomingVirtualTextureAction","AbnormalState","PointerID","VirtualTextureHandle","VTOActionEnum","TileTop","TileLeft","TileBottom","TileRight","StandbyTileBucket","VisualCaptureWaitTimeMS","CommandId","BlockingCommandExecutionTimeMS","NumVisualCapturesExecuted","LastVisualCaptureWaitTimeMS","CumulativeVisualCapturesWaitMS","SceneHandle","BatchId","wzProduct","wzCategory","wzTag","dwInstanceId","lpScenarioName","bWasSuccessful","bWasErrorCodeSet","FilesCreated","NumberOfFileReads","NumberOfFileWrites","TotalBytesWritten","NumberOfSetEndOfFiles","NumberOfSeeks","NumberOfLocks","NumberOfUnlocks","Requests","ElapsedMilliseconds","BytesReceived","BytesUsedDelta","BytesUsedAtComplete","ResourceScopePtr","FileUsagePtr","ScopePtr","NetworkUsagePtr","ChildScopePtr","ParentScopePtr","TypeOfData","StartCounter","StopCounter","ElapsedCounters","Frequency","CurrentResourcePrt","MemoryUsagePtr","CallerProcessImageName","BinaryData","PreviousFileName","OSPlatform","OSVersion","OSBuild","OSArchitecture","AadDeviceId","IsAzureADJoined","AccountSid","LocalIP","NetworkAdapterType","NetworkAdapterStatus","IPAddresses","ConfigurationId","ConfigurationCategory","IsCompliant","IsApplicable","SoftwareVendor","SoftwareName","SoftwareVersion","CveId","VulnerabilitySeverityLevel","MissingCAPDNs"
,"ReasonFlags","SlowStartThreshold","WindowMax","WindowLastMax","IsServer","CidLength","Cid","IsLocallyInitiated","Ulong1","Ulong2","WString1","AnsiString2","AnsiString1","stringValue1","WString2","Additional_error_data","RecipeID","Enterprise_STS_OAuth_Info_response","Request_status","Protected_key_error","Error_description","DetachedSignatureFilePathLength","DetachedSignatureFilePath","OriginalFilename","FileVersionLength","IsApproved","CLSID","PolicyGuid","columnNumber","attributeName","attributeValue","elementName","disallowedFileExtensions","1","2","RequirementType","ManagedInstallerEnabled","PassesManagedInstaller","SmartlockerEnabled","PassesSmartlocker","DefenderTrust","AuditEnabled","FromMode","ToMode","DasContext","RelationName","BndStatus","PartnerServer","state","startTimeOfState","MACAddress","DenyFilter","HWType","IP_ScopeName","ModifiedDuration","OriginalDuration","OptionName","IP_Name","ModifiedSupportType","OriginalSupportType","NAP_ProfileName","NAP_ModifiedProfileName","NAP_OriginalProfileName","IP_MulticastScopeName","IP_SuperScopeName","ReservationName","ExclusionRange","PhysicalAddress","PurgeInterval","OptionValue","Integer2","RelationshipName","Server1Name","Server2Name","ScopeAddress","AccessType","Hostname","ResultHR","RootCause","RootCauseGUID","RepairOption","RepairGUID","SecondsRequired","SIDTypeRequired","HelperClassName","InterfaceDesc","InterfaceGUID","Channel","BackupPath","ExtensionId","DISPID","ArgErr","SecurityProblem","WizardID","Extended String","ExtendedString","ApplicationID","NotificationID","Language1","Language2","Prop_UInt32","string","Win32 
Error","NumResourcesAvailable","NumResourcesDownloaded","NumResourcesNotDownloaded","ControlPcImageNameLength","ControlPcImageName","RspContentsImageNameLength","RspContentsImageName","StrictMode","UserCetAppcompatOptions","NonenforcementReason","ControlPcAddress","ControlPcOffset","ControlPcCetCompat","RspContentsAddress","RspContentsOffset","RspContentsCetCompat","TargetIpImageNameLength","TargetIpImageName","ContinueType","MappedImageNameLength","MappedImageName","ImageCetShadowStacksReady","ImageEHContinuationTablePresent","NonEhcontMode","Subcode","ModuleFullPath","ModuleBase","ModuleAddress","MemAddress","MemModuleFullPath","MemModuleBase","APIName","ProcessStartTime","HookedAPI","CalledAddress","TargetAddress","StackAddress","FrameAddress","ReturnAddressModuleFullPath","parameter1","parameter2","errorType","description","module","quotaValue","quotaValueUnit","percentageValue","ExceptionType","ExceptionErrorCode","TraceSessionName","ProviderId","SasUri","CompressionLevel","Update_phase","new_platform_version","phase","newVersion","failure_message","Boolean1","onboardingBlobHash","isDefaultOnboardingBlob","onboardingState","isDefaultOnboardingState","offboardingBlobHash","isDefaultOffboardingBlob","previousSampleCollectionValue","IsDefault","newSampleSharing","previousLatencyMode","newLatencyMode","isServiceRunningAlready","previousOnboardingBlobHash","newOnboardingBlobHash","isServiceRunning","previousOffboardingBlobHash","newOffboardingBlobHash","requestedValue","minimumAllowedValue","maximumAllowedValue","registryValue","conversionSucceeded","previousCriticalityValue","newCriticalityValue","previousIdMethodValue","newIdMethodValue","ScanID","ScanTypeIndex","ScanType","ScanParametersIndex","ScanParameters","StatusDescription","CleaningActionIndex","CleaningAction","SourceID","DetectionUser","OriginID","OriginName","ExecutionID","ExecutionName","TypeID","PreExecutionStatus","ActionID","PostCleanStatus","AdditionalActionsID","AdditionalActionsString","Remediati
onUser","Threatresourcepath","SecurityintelligenceAttemptedIndex","SecurityintelligenceAttempted","Loadingsecurityintelligenceversion","Loadingengineversion","NewPlatformVersion","CloudprotectionintelligenceTypeIndex","CloudprotectionintelligenceType","PersistencePath","CloudprotectionintelligenceVersion","CloudprotectionintelligenceCompilationTimestamp","PersistenceLimitTypeIndex","PersistenceLimitType","PersistenceLimitValue","RemovalReasonIndex","RemovalReasonValue","FailureTypeIndex","HitCount","Threshold","Crashed","ConsumerType","PossibleCause","source_filename","source_line","filtering_type","line_number","ReasonBuffer","SourceRequestFor","RecyclerID","ElapsedTime","PolicyElapsedTime","PercentageTime","Mclt","Percentage","AutoSwitchoverInterval","StandbyServer","PktContents","OldPageId","NewPageId","DiskCount","ItemPos","ItemState","ItemContent","IsOpenXPSDoc","IsOMInput","Enum","flags","AnimationID","StoryboardID","x0","y0","x1","y1","hwndCloned","hwndAfter","clockId","timespan","StoryboardId","TargetId","VisualHandle","EffectGroupHandle","Transform3DGroupHandle","TranslateTransform3DHandle","ScaleTransform3DHandle","RotateTransform3DHandle","AnimationHandle","ResourceHandle","PropertyID","DPI","LogicalOriginX","LogicalOriginY","PhysicalOriginX","PhysicalOriginY","CreationMethod","UseDelayStoryboard","AbandonCrossfade","FoundValidTarget","IsResize","Hwnd","Platform_Directed","Consumed","PartitionFriendlyName","PartitionName","LowAddress","HighAddress","SkipBytes","CacheType","NodeIndex","MemoryPartition","PartitionGuid","ModuleDll","ProcessorArchitecture","ContainerIdentifier","DeviceIdentifier","EnumeratorName","CapabilityFlags","DeviceLocation","NumProperties","AlreadyExists","notification","WDFDEVICE","MajorFunction","MinorFunction","NumberOfChildren","QueueTag","Provider_Type","Container_Name","Machine_Keyset","MachineKeyset","AppContainer","NetStatusCode","rule","claims","appliesTo","target","actAs","obo","policyType","policyData","checkAccessResult","p
olicySelector","originalEvent","originalDataIndex","originalDataPageIndex","originalData","AddonName","vdir","trace","Data4","Data5","Data6","Data7","Data8","Data9","Data10","Data11","Data12","Data13","FxDevice","IOAddr","IOLen","BankId","PinCount","ConnectMode","PullConfig","DisconnectMode","ReadIoPins_BankID","PinValues","BankID","WriteIoPins_BankID","SetValue","ClearValue","VAddr","PAddr","pRequest","pDevice","pTarget","IOCTL","Target I2C Address","MMIO","TargetI2CAddress","Status ","Stat","TxDmaEnabler","RxDmaEnabler","WDFDevice","MonitorState","IdleTimeout","NumMdls","DMA Status","DMAStatus","ERROR","GpioCx_DDI","PinNo","PinOwnership","PinMode","PrepareController_INTERRUPT_VEC","MBAR_current","MBAR_expected","INT_current","INT_expected","IntMode","IntPolartity","PullMode","PinIoMode","PinState","PinIoModeCurrent","PinIoModeRequested","PrepareHardware_INTERRUPT_VEC","MBAR_count","INT_count","SpbCx_DDI","AddressMode","ClkFreq","HwMask","Expected","TotalInformation","WdfPowerState","Logoff_Time","Call_Type","LogoffTime","CallType","Exception","Secret","TargetVersion","TrustName","Trust","ErrorCodeHex","AutoEnabled","CredGuardRunning","IsPasswordValid","GroupPolicyStatus","MachinePasswordSource","MachinePasswordValidity","MachineCertificatePresent","OldScripts","NewScripts","Logfile","ParentName","Dependency","processName","fileName","volumePath","sourceFile","sourceLine","stackBackTrace","EngineId","ScanSource","ResourceCount","FirstResourceType","FirstResourcePath","ThreadTime","StartQPC","VPath","ErrorHigh","ErrorLow","StringParam","StringParam1","StringParam2","PackageGroup","ConnectionGroup","GroupVersion","GroupId","LastFolder","ReqFolder","ScriptScope","tGuid","tString","DOM_Error","line","column","offset","Sid","ErrorWarning","SubsystemName","Hresult","VirtualEnvironmentId","VirtualEnvironmentVersion","Item1","Item2","published","Group_GUID","Group_Version_GUID","Package_GUID","Guid1","Guid2","Guid3","input","Server_ID","Interval_Unit","Flag1","Flag2","Flag
","Return_code","astring","uint64","unint64","uint642","packageId","versionId","percentageComplete","uint32","str","ClientEvent","str1","guid1","guid2","pid","ustring","stage","interval","HR2","SessionCount","opId","PFM_if_available","Edition","PKey","Associate_Id","VariableName","SystemTime","Msg","Pass","FragmentEventId","ByteLength","Callout","FilterWeight","MessageFrame","FlowHandle","DiscardModule","DiscardReason","DiscardFilterID","DatapathFeatures","Desc","ByteCount","ErrStr","PerfCountersLength","PerfCounters","Major","Minor","Patch","Build","Registration","ExecProfile","Worker","IdealProcessor","IsActive","Arg","QueueDelay","Listener","Binding","AddrLength","Addr","AlpnLength","Alpn","IsRemoteShutdown","IsQuicStatus","BytesInFlightMax","CongestionWindow","ConnectionFlowControl","IdealBytes","PostedBytes","SmoothedRtt","DelayMs","ProbeCount","LocalAddrLength","RemoteAddrLength","CongestionCount","PersistentCongestionCount","SendTotalBytes","RecvTotalBytes","Cc","StreamFlowControl","StreamSendWindow","SendTotalPackets","SendSuspectedLostPackets","SendSpuriousLostPackets","RecvTotalPackets","RecvReorderedPackets","RecvDroppedPackets","RecvDuplicatePackets","RecvDecryptionFailures","VnlLength","Vnl","Delay","BbrState","RecoveryState","EstMinRtt","EstBw","IsAppLimited","IsCapable","EncryptLevel","EcnEctCounter","EcnCeCounter","NumPacketsSentWithEct","EctCeDeltaSum","IsEcn","EcnCongestionCount","HyStartState","Count2","OneWayDelay","IsLocalOwned","BufLength","BufCount","UdpBinding","TotalSize","TcpFlags","ID2","P1String","P2Ulong","P2ErrorCode","P1Length","P2UnicodeBuffer","P3ProcessId","Start time","End 
time","Starttime","Endtime","intValue1","Int2","repositoryPath","settingsFilePathToAdd","syncID","fileIdentifier","packagePath","serverRoot","recipeIDToSync","SyncID","package","actualSize","maxSize","stringValue2","Int","String3","Settings_location_template_ID","Settings_package_Version","UIntValue1","UIntValue2","intValue","File_IO_exception_occurred","Registry_IO_exception_occurred","hresultValue","http","SQMAPI_error_code","AadCloudAPPlugin_Realm_discovery_response","AadCloudAPPlugin_GetToken_Correlation_ID","AadCloudAPPlugin_GetKeys_Correlation_ID","AadCloudAPPlugin_MEX_request_status","NGC_UserID_Key","Credential_type","AadCloudAPPlugin_RefreshToken_Correlation_ID","Validation_needed","AadCloudAPPlugin_DeviceP2PCertificateUpdate_Correlation_ID","AadCloudAPPlugin_GetCertificateFromCred_Correlation_ID","AadCloudAPPlugin_RenewCertificate_Correlation_ID","Generic_Call_Packate_call_type","NoOfTargets","AadCloudAPPlugin_LookupSIDFromIdentity_Identity","AadCloudAPPlugin_LookupIdentityFromSID_SID","AadCloudAPPlugin_Resource_infomation","RBAC_Status","Response_content_type","AD_TGT","Cloud_TGT","Credbuffer_correlation_ID","ClientId","KeyTestResult","ClaimsCount","TenantId","RegistryLocation","Http_request_status","OAuth_response_error","Key_error","WSTrust_response_error","NGC_nonce_response_error","Cloud_tgt_error","Binding_key_tag_check_failed","PairwiseID","RollReason","HardwareType","HardwareSubtype","NumaNode","AcceleratorCountOnThisNode","QueueFile","configurationSection","assemblyPath","accountPartnerUri","Param3","Param4","Param5","DetailCode","SessId","AppXPackage","UserDomain","UserAccount","NumberOfPackages","QStatus","str_Sku","ApplicationBinaryPath","HResultErrorCode","WebInstance","DeferralCount","MainWebInstanceInitializeTime","AppSuspendHandlerInvoked","AppSuspendHandlerCompleted","WebPlatformSuspendDownloadPending","WebPlatformSuspendDownloadCount","WebPlatformSuspendDownloadWaitStart","WebPlatformCleanupPending","WebPlatformCleanupStart","CurrentSuspe
ndingTimeout","NewSuspendingTimeout","PublisherNameBuffer","CallingFunctionNameLength","CallingFunctionName","FunctionCallNameLength","FunctionCallName","Fix_information","FixID","ExePath","FixName","ClientStartTime","ProductCode","PackageCode","MsiPath","Scenario_ID","User_action","User_action_ID","Compatibility_layer","UserActionID","CompatibilityLayer","Scenarios_code","Deprecated_Components","Compatibility_layers_recommended","DialogGuid","ChainId","ButtonId","QuestionId","QuestionText","QuestionKind","QuestionValue","FollowupValue","FixNameLength","FixType","ExtraDataSize","ExtraData","Detector_shim_WIN32EXCEPTION","Chain","ChainID","Result_ID","ResultID","Compatibility_status","CompatStatus","DebugString","qwData","cchIdAnalyzedIncludingNull","cchProgramIdIncludingNull","IdTypeAnalyzed","NumFilesAnalyzed","NumFilesFailed","RunTime","IdAnalyzed","ProgramId","RecordNumber","EventTime","ActivityDefinitionId","Annotations","ActivityInstanceId","ActivityTypeName","Variables","WorkflowDefinitionIdentity","Handled","ThrottleName","ServiceTypeName","InstanceKey","Values","ParentScope","ClosedCount","Pending_messages_per_channel_ratio","WebSocketId","websocketId","TrackingProfile","limit","via","AppDomainFriendlyName","VirtualPath","RelativeAddress","NormalizedAddress","IncomingAddress","AspNetRoutePrefix","ServiceHostFactoryType","BookmarkScope","Security_session_ratio","expr","activityName","MaxNum","uri","FaultString","LocalId","Distributed","BufferId","sharedMemoryName","pipeName","remoteAddress","byteCount","closeStatus","clientWebSocketFactoryType","Pending_session_queue_ratio","curr","End_SQL_command_execution","Starting_SQL_command_execution","Command_failed","discoveryMessageName","messageId","discoveryOperationName","messageType","relatesTo","endpointAddress","listenUri","synchronizationContextType","SurrogateType","DCType","issuerName","Activity","appdomainName","CacheLookupCounter","CacheHitCounter","CacheInsertCounter","CacheUpdateCounter","DBType","AppNam
eCount","VendorNameCount","VendorName","SummaryCount","ParentProcessLength","ParentProcess","AppLockerReason","Bucket","NtfsFileIdSize","NtfsFileId","OriginDataPresent","SubSessionId","Generation","SmartScreen","RevocationID","CurrentProcessLength","CurrentProcess","UninstallStringLength","UninstallString","CmdlineLength","Cmdline","MatchFound","ExecutionDecision","AuditInfoLength","AuditInfo","ExecutionOptionFlags","FileSha256Hash","DefenderScanResultDetails","DefenderClientStatusCode","DefenderCloudHTTPCode","DefenderEngineReportGUID","DefenderFlags","DefenderCalled","DefenderCallAttempted","DefenderCloudCallRequested","DefenderMadeCloudCall","ExternalAuthorizationFlags","ValueCount","AuditValueCount","AuditValue","AppPsmKey","HwndPointer","Bool","PackageLevel","Bool1","Bool2","PlmFlags","SuspendExemptionReason","TimeOut","Trigger","LogErrorCode","TerminationErrorCode","plmKnowsPackage","PidCount","StateSource","SwapState","MemorySize","AppCount","ApplicationCouunt","OldPsmKey","Score","PackageCount","Notify","Echange","TerminateAction","SuspendTrigger","ResumeReason","PreserverProcessRequest","TaskCompletionCategory","fActivate","NetworkAudio_entries","IsNetworkReferenced","NetworkAudioEntriesCount","NetworkingReferenced","NewRelativeExpirationTimer","ElapsedMs","CpuRunning","CpuReady","IoNormal","WindowChange","DeferredVisibility","Aumid","EnableDebugMode_failed","DisableDebugMode_failed","ChangeApplicationBiState_failed","ChangePackageBiState_failed","Template_PsmkeyCount","Registered","CallbackId","CallBackId","ResourceSetId","PolicyCLSID","SqmId","PluginClsid","Old_AccessState","New_AccessState","Returned_AccessState","Requested_AccessKind","Returned","p1_UInt64","p2_String","p3_String","p3_Boolean","p1_String","ActivationId","ActState","p2_UInt64","p4_String","p5_UInt64","p6_UInt32","p1_AppLayer","p4_Boolean","p5_UInt32","p5_Boolean","p2_Boolean","p5_String","p4_activationType","TaskId_2","pResSet","p2_AppLayer","p1_Boolean","p2_GUID","p0","p1","p2","Usercon
text","p3_UInt64","p4_UInt64","p3","WnfStateName","InActiveCall","HasRTCTask","OnHold","TaskCompletionApplied","InForeground","skuId","productId","taskInstanceId","taskType","reasonForStateChange","peak","RudeTerminate","CancelationReason","Prop_Bool","Prop_Description_UnicodeString","Prop_Data_UInt32","Prop_ExtendedEventType","Prop_EventType","Prop_ObjectType","Prop_ReadStatusType","Prop_Data1_UInt32","Prop_Data2_UInt32","Prop_Data3_UInt32","Prop_Description_UnicodeString1","Prop_Description_UnicodeString2","FailedBinary","HeaderAddr","Section","Subkey","CleanupContainerErrorCode","MakeTemporaryErrorCode","PackageRelativeApplicationId","AppContainerName","FolderString","PackageString","PackageFamily","OperationError","RepairTriggerError","Error_while_deleting_file","Error_while_deleting_directory","InformationalString","userSid","numImported","numFailed","TaskType","IsAuditMode","NumPackages","PackageInfo","ReferencesLeaked","ShutdownDelayMsec","OpposingOperation","TaskCanceled","RecoveryType","OutdatedPackages","UpToDatePackages","mainParam","deploymentOperation","deploymentOptions","callerProcess","callstack","UupProductId","TotalSizeInMB","PackageSizeInMB","DataSizeInMB","ProductID","UpdateAttentionRequiredReason","WaitChainInfo","WerSubmitErrorCode","PackageList","OriginalPackageFullName","allowListRule","regExErrorCode","regExErrorDescription","FirewallErrorCode","ScmManagerErrorCode","BfeServiceOpenErrorCode","FirewallServiceOpenErrorCode","BfeServiceCurrentState","BfeServiceExitCode","BfeServiceSpecificExitCode","FirewallServiceCurrentState","FirewallServiceExitCode","FirewallServiceSpecificExitCode","BiStateTransition","SignatureOrigin","CheckResult","ResourceName","ApplicabilityState","IncomingPackageName","OutgoingPackageName","UpstreamDependentPackageFullName","UpstreamDependentPackageKey","InvokeAction","IsImpersonating","BinaryCount","CapabilityCount","PackageFolder","PackageFolderOld","PreAllocatePackage_Start","PreAllocatePackage_End","CurrentPackage
FullName","TargetPackageFullName","CurrentFilePath","TargetFilePath","CurrentFileSize","TargetFileSize","ListType","ExtensionsExecutionOrder","ExtensionsCategoryNames","1RunAsSystem","RunAsSystem","ManifestPath","PackageArchitecture","MachineArchitecture","ReferenceString","PriPaths","PackageMonikerOld","PackageMonikerNew","AppDataErrorOperation","PackageTableRowKey","VolumeID","MediaID","Writesize","Filesize","SessionKey","StreamingDataSourcePrefetchCanceled","ColumnNumber","waitResult","RequestCount","ResiliencyCurrentState","BiApplicationStateTransition","PackageKey","ServerSideEnsurePackageFamilyIsRegistered_result","targetPackageFullNameForRepair","currentPackageFullName","currentStepIndex","numTotalSteps","DeploymentPath","FileSystemType","Argument","DestinationPath","DestinationMediaID","SourceMediaID","XapState","TileStore","MissingPackageFamily","CurrentlyInstalledPackages","PackagesToBeInstalled","BundlePackageFullName","MainOrOptionalPackageFullName1","MainOrOptionalPackageFullName2","CallerPackageFullName","with_error","PackageFullNames","RegistrySubKeyName","Creating_registry_key","ValueValue","OriginalUser","PackageMoniker3","OrphanedAppDataVolume","MitigatedAppDataVolume","PackageFullname","ExitingPackageFullname","MutablePackageDirectory","incomingPackageFullName","processIncomingPackage","outgoingPackageFullName","outgoingPackageIsSystemRegistered","ErrorContext","ErrorContext1","ErrorContext2","ReturnVal","ApplicationCount","ActivatableClassIdentifier","ContractID","AttributeName","Content","ErrorCodeDescription","UniqueKey","PackageIndex","PropertyId","ApplicationIndex","ProcessingPackageFullName","ProcessIndex","ProcessCount","UserSID","DeviceCapabilityName","FunctionType","DeviceCapabilityHandlerCLSID","MissingParameter","VetoReason","ElementName","Element","ServiceStatus","ModifiedFile","VolumeKey","VolumeMediaID","CurrentOperation","MofFile","PhaseError","ObjectNum","FirstLine","LastLine","HostingModel","AppExtensionName","PackageExtensionName
","IISModuleName","ForMove","PreDowngradeVersion","PostDowngradeVersion","errorString","HostRuntimePackageFullName","UInt32Value","PackageSID","Capabilities","OtherPackageName","DuplicateChannelName","DependencyProviderGuid","DllName","DllPath","StringAddEntryEvent","ExceptionWhatString","DehAction","EntryName","SerializedEntry","StepCounter","IncomingPackage","OutgoingPackage","ItemCounter","ItemName","xmlNamespace","logo","field","fullValue","fieldValue","fieldName","duplicateLineNumber","duplicateColumnNumber","attributeName1","attributeName2","expectedValue","actualValue","packageName","fileId","extensionCategoryName","targetDeviceFamily","mainPackageName","mainPackagePublisher","ignoredElement","xpathToRequiredChildElement","attributeLength","buildVersion","secondAttributeName","zipMode","hashMethod","totalSize","contentType","compressionOption","readerOptions","requestCount","capabilitySid","PDU","TotalEncodedLength","EncodedLength","Encoded","Custom","ErrorCodeExpanded","AboveLockAppAUMID","CustomMessage","RequestAction","Relation","SCSIAddressSize","DeviceType","DMAtoPIO","StepDownInDMAModes","DeviceAddress","RequestSequence","QueueTime","MasterIRP","ActiveRequestCount","IRBFunction","DeviceCommand","IRBStatus","ATAStatus","RequestDuration (in 100ns)","OriginalIrp","RequestDurationin100ns","BusNumber","TransferModeChangeType","LengthOfTransfer (in 
bytes)","LengthOfTransferinbytes","CurrentRetryCount","PowerStateContext","dwServiceType","dwCurrentState","dwControlsAccepted","dwWin32ExitCode","dwServiceSpecificExitCode","dwCheckPoint","dwWaitHint","dwRestartCount","szInputEndpointName","szOutputEndpointName","pCMonitor","DevicePosition","QPCPosition","pCAudioFormatConvert","ConverstionType","pCCrossProcessClientInputEndpoint","pCCrossProcessClientOutputEndpoint","WriteBytePos","ReadBytePos","BytesToWrite","WriteOffset","ReadOffset","EndOfDataOffset","pCCrossProcessServerInputEndpoint","BytesAvailable","pCCrossProcessServerOutputEndpoint","DroppedBytes","pOwner","NextStreamingPacketToComplete","MaxPacketCount","IoctlTimeHNS","pCAudioBasePin","pLockedDataPointer","bLockedEqualsUnrolled","LockedDataPointer","GlitchStreamPosition","GlitchDuration","pCAudioCapturePinRealtimeStreaming","WritePosition","PlayPosition","StreamPosition","StreamPosMinusReadPos","ReadPosMinusStreamPos","pCAudioRenderPinRealtimeStreaming","TotalPosition","WritePosMinusTotalPos","pCAudioCapturePinStandardStreaming","ValidPositionEnd","ValidPositionStart","StreamPosMinusValidPosEnd","ValidPosStartMinusStreamPos","FrameCount","pCAudioRenderPinStandardStreaming","AvailableFrames","APOCLSID","AudioSignalProcessingMode","InitializeForDiscoveryOnly","object pointer","objectpointer","flow","role","object","ioControlCode","CrossProcessInstance","ReadIndex","WriteIndexIndex","FramesInPacket","QPC","DurationToProcess","DeviceEventType","DeviceEventTypeName","szSubsystemName","dwSubsystemFailureCode","dwAudioDgTerminationCode","dwAudioDgStartupFailureCode","dwAudioSrvStreamFlags","ConsoleLocked","ChangeInLockStatus","SessionDisplayOn","ChangeInSessionDisplayStatus","AudioStandbyPolicy","dwGlitchCount","hnsTimeWindow","PumpInstance","TaskGroup","SoftDeadlineHns","HardDeadlineHns","success","Hns","Endpoint 
Id","Raw","MatchFormat","ConnectorType","SampleIndex","OrigProcessingStart","NewProcessingStart","StartCorrection","TimeDelta","SampleDelta","DevicePeriod","ActualDevicePeriod","WindowWidth_ms","uEventMask","WakeCategory","WakeValue","WorkDuration","MaxWorkDuration","CurrentPadding","TaskGroupID","threadID","RTMode","ProAudio","PumpQueueID","PumpTaskID","APOQueueID","APOTaskID","QueueID","SoundLevel","Suspended","bIsSuspended","bExclusiveModeStream","bOffloadStream","App_Id","Audio_Stream_Category","CVEID","AdditionalDetails","appName","httpStatusCode","xmlBlob","Error_reason","Source_text","Error_offset","errorReason","sourceText","errorOffset","BackupTime","FailedVolumeNames","BackupTarget","BackupFailureLogPath","ComponentName","LogicalPath","WriterId","BackupTargetList","RestoreTargetNameList","RestoreTime","HandleInstallErrorCode","UnknownRequestCode","ResourceDll","SnapinId","ProviderNameId","ProviderIconId","BackupTemplateID","SystemStateBackup","TargetDeviceName","DetailedHRESULT","BackupState","NumOfVolumes","VolumesInfo","SourceSnapStartTime","SourceSnapEndTime","PrepareBackupStartTime","PrepareBackupEndTime","BackupWriteStartTime","BackupWriteEndTime","TargetSnapStartTime","TargetSnapEndTime","DVDFormatStartTime","DVDFormatEndTime","MediaVerifyStartTime","MediaVerifyEndTime","BackupPreviousState","ComponentStatus","ComponentInfo","SSBEnumerateStartTime","SSBEnumerateEndTime","SSBVhdCreationStartTime","SSBVhdCreationEndTime","SSBBackupStartTime","SSBBackupEndTime","BMR","VssFullBackup","UserInputBMR","UserInputSSB","BackupSuccessLogPath","EnumerateBackupStartTime","EnumerateBackupEndTime","PruneBackupStartTime","PruneBackupEndTime","BackupFlags","ComponentInfoSummary","TemplateId","VolumeNames","VolumeGUID","VolumeFriendlyName","VhdDeleteReason","VhdPath","VolumeAccessPath","TemplateGuid","ScheduleTimesList","BackupSetId","BackupSetTime","RestoreEventId","RestoreState","BackupTargetFriendlyName","PrepareRestoreTime","WriteRestoreTime","FileRestoreTargetPat
h","NumOfFiles","FilesInfo","FileSuccessLogPath","FileFailureLogPath","MountVhdTime","PreparePassTime","WriteFilesTime","BackupLocation","TotalDataTransferred","VolumeToMount","NeedNetworkShare","TimeTakenToMount","RecoveryFromSSB","BackupTargetPath","AppRestoreAlternateTargetPath","NumOfComponents","AppsInfo","AlternateLocationRecovery","RecreatePath","BackupSetID","RestoreType","AlternateRestoreTarget","SysvolRestoreType","NumOfWriters","WritersInfo","NoOfFilesProcessed","NoOfFilesFailed","NoOfBytesProcessed","TotalNumOfBytes","EnumerateStartTime","EnumerateEndTime","RestoreStartTime","RestoreEndTime","DeleteStartTime","DeleteEndTime","RestoreSuccessLogPath","RestoreFailureLogPath","RestoreCLIOutputLogPath","TargetAccessPath","AlternateRecoveryPath","StatusInfo","MachineAuthenticationMethod","RemoteMachineAccount","UserAuthenticationMethod","RemoteUserAcount","RemoteIPAddress","LocalIPAddress","TechnologyProviderKey","IPsecTrafficMode","BytesTransferredInbound","BytesTransferredOutbound","BytesTransferredTotal","CloseTime","ConnectionUsedId","RejectDetail","ControlCode","requiresTPM","isVBSCapable","hasNonVBSWindowsHello","hasVBSWindowsHello","requiresVBSRunning","requiresVBSEncryptionKeys","requiresEnablement","managedByPolicy","hasNonVBSBiometricEnrollments","hasVBSBiometricEnrollments","hasESSFaceSensor","hasESSFprSensor","requiresIsolatedProcess","hasBlockedNonESSFpr","hasBlockedNonESSCamera","isDeviceEssSourceDefault","CountTpmBindings","TpmBindingsTotalSizeTpmDatumsOnly","TpmBindingsTotalSizeIncludingDigestDatums","CensusData","PCRBitmap","PCRBitmapSource","PCRValuesSize","PCRValues","FilteredLog","TpmSrkAesStrengthInBits","ExcludedPcrsBitmap","PcrProfile","ProtectorGUID","BackendName","Pcr","ProtectorType","ExpectedKeyLength","ActualKeyLength","Unlock_time","UnlockTime","Reseal_time","ResealTime","Localized_Error_Message","JsonErrorCode","LocalizedJsonError","FilteredTcgLogSize","FilteredTcgLog","Suspend_time","TraceId","TraceGUID","Request_Id","Response_Ti
me","Error_Subcode","JsonRequestId","JsonTime","JsonSubCode","JsonMessage","Protector_Type","ProtectorGUIDs","Mount","ReqID","HTTP_Status_Code","RetryRequest","DidSetRetryHint","RetryHintSeconds","HttpStatusCode","RetryHint","SignatureDBType","IdentityGUID","PostBootLockEventPCRBitmap","BinaryDataSize","volume","ReqId","HSTI_provider_count","HSTI_data_version","Expected_HSTI_data_version","HSTIImplID","BoolData","SecFeatureIndex","ProviderErrorMsg","Errorcode","Certificate_thumbprint","BootApplication","BCDSetting","MessageCode","MessageText","Warning_Code","Warning_Text","Shrinkable","Candidate_Volume_Name","ContainsWinRE","VolumeSize","VolumeFreeSpace","VolumeMaxShrinkSize","VolumeFlags","DriveLetter","PartitionNumber","RawCommandLine","ShowUsage","DisplayDriveInfo","TargetDriveLetter","TargetAction","NewSystemDriveLetter","ShrinkSize","QuietMode","AutoRestart","Shrink_Size","NewDriveLetter","Unallocated_extent_offset","New_partition_size","ExtentOffset","NewPartitionSize","Volume_Path","WinREVolumeName","WritePhase","OptionalGUID","Protector_ID","Metadata_check_worker_started_Volume","Metadata_check_worker_completed_Volume","HardwareID","StateOffset","StateSize","ContextFlags","BindingGUID","BindingCreationScenario","DateTimeOfSeal","DateTimeOfMismatch","PcrBitmap","TcgLogIsValidStatus","BindingDatumIsValidStatus","MismatchedPcrInfoFlags","MismatchedPcr","ExpectedHashAlgorithm","ExpectedHashAlgorithmSize","ObservedHashAlgorithm","ObservedHashAlgorithmSize","ExpectedEventsCount","ObservedEventsCount","MismatchedEvent","ExpectedEventType","ObservedEventType","ExpectedDigest","ObservedDigest","ExpectedEventLabel","ObservedEventLabel","SealedPcrValuesSize","SealedPcrValues","DateTime","IsSecureBootOn","TcgLogHashAlgorithm","TcgLogHashAlgorithmSize","AllFinalPcrValuesPcrBitmap","CountPcrsInAllFinalPcrValuesPcrBitmap","AllPcrDatasPcrBitmap","CountPcrsInAllPcrDatasPcrBitmap","FinalPcrValuesSize","FinalPcrValues","SealedPcrDigestsDatumsSize","SealedPcrDigestsDatums","fqd
n","authenticated","online","addressCount","addressLength","sourceAddress","packet","searchId","timestamp","requestId","SearchId","rangecount","addresses","FileCount","jobTransferPolicy","globalTransferPolicy","nlmCost","usage","cap","isThrottled","isOvercap","clientAddress","responseXml","ranges","profileType","currSlotStartTime","currSlotBandwidthLimit","nextSlotStartTime","nextSlotBandwidthLimit","BlockReasonErrorCode","JobGuid","peerCacheEnabled","peerClientEnabled","peerServerEnabled","maxPeers","maxClients","maxContentAge","maxCacheSize","minCacheDiskSize","cacheDenyUrls","denyUrlCount","denyUrls","Job","Pgm","PeerProtocolFlags","DayCount","FileList","RetryWaitTime","string2","string3","urlgroup","urlsuffix","suffix","filepath","sddl","DeviceID","ExpectedLengthMin","ExpectedLengthMax","ActualLength","ServiceHandle","MissingDescriptor","PolicyPath","PolicyState","RadioName","BtAddr","Accepted","ServiceGuid","Psm","bthAddr","requiredKeySize","actualKeySize","SubKey","UInt32","UInt64","BinaryLength","CacheSize","cbContentId","ContentId","cbSegmentId","SegmentId","BlockId","PeerAddress","MessageType","HostedCacheAddress","MinutesOfQuarantine","Remote_client_address","FromAddress","HostedCacheLocation","Sub_code","SubCode","CachePath","ConfiguredSize","ActualSize","ServerDNSName","SiteName","Current_Uploads","Maximum_Simultaneous_Uploads","HCClientAddress","CurrentUploads","MaxUploads","ListenPort","Registrar","CompletedDataDownloads","SuccessfulDataDownloads","MaxObservedSimultaneousDownloads","AverageDownloadByteRate","CompletedDataUploads","SuccessfulDataUploads","MaxObservedSimultaneousUploads","AverageServingLatency","MaxObservedServingLatency","CurrentAverageInboundRequestFrequency","MaxObservedAverageInboundRequestFrequency","AverageDiscoveryTime","AttemptedNetworkDiscoveries","AttemptedV1NetworkDiscoveries","AttemptedV2NetworkDiscoveries","SuccessfulNetworkDiscoveries","SuccessfulV1NetworkDiscoveries","SuccessfulV2NetworkDiscoveries","SuppressedDiscoveries"
,"PreDiscoveries","CurrentAverageInboundDiscoveryFrequency","MaxObservedAverageInboundDiscoveryFrequency","TotalBytesServed","TotalBytesRetrieved","ContentIdSize","StringContentId","SegmentIdSize","SegmentOffsetInContent","DataOffsetInSegment","ContentOffset","SegmentOffset","BlockSize","ClientIPv4Address","ClientIPv6Address","RangeRequest","RangeCount","FirstRangeOffset","FirstRangeLenght","PeerDistMinContentInformationVersion","PeerDistMaxContentInformationVersion","PCCRTPProtocolVersion","HTTPProtocolMajorVersion","HTTPProtocolMinorVersion","HTTPStatusCode","OriginalContentLength","EncodedContentLength","ContentHandle","CloseHandleCount","OpenHandleCount","MinHashVersion","MaxHashVersion","ServiceActiveTimeInSeconds","SMBBranchCacheBytesRequested","SMBBranchCacheBytesReceived","SMBBranchCacheBytesPublished","SMBBranchCacheBytesRequestedFromServer","SMBBranchCacheHashesRequested","SMBBranchCacheHashesReceived","SMBBranchCacheHashBytesReceived","PrefetchOperationsQueued","PrefetchBytesReadFromCache","PrefetchBytesReadFromServer","ApplicationBytesReadFromCache","ApplicationBytesReadFromServer","ApplicationBytesReadFromServerNotCached","UserContextId","PsmActivationType","CriticalActivation","TriggerEventId","TriggerEventType","BrokerId","TaskExecuted","CpuThrottleCount","NetThrottleCount","ConditionType","ConditionValue","ConditionDesiredValue","BufferingReason","DeletionReason","StateFlags","ActiveTaskCount","LockScreen","ActiveTasks","Num_HCI_Packets","SentStatus","Connection_Handle","Packet_Boundary_Flag","Broadcast_Flag","Buffer_Length","PDU_Length","Channel_ID","Code","Identifier","Signal_Length","Data_Length","RadioState","CompleteStatus","SystemPowerState","DevicePowerState","SCID","DCID","InfoType","LE_Flink","LE_Blink","BthportFlags","BtStatus","BTHPORT_CONTEXT_SIZE","BTHPORT_RESERVED_FIELD_SIZE","Reserved","BtAddress","RSSI","MaxPowerLevel","CurrentPowerLevel","StringLength","DeviceInterfaceString","NumAddresses","BtAddresses","PSM","IndicationFlags","Indi
cationCallbackContext","ReferenceObject","ServerHandle","ChannelHandle","Psm_Valid","ChannelFlags","ConfigOut_Flags","ConfigOut_Mtu_Min","ConfigOut_Mtu_Preferred","ConfigOut_Mtu_Max","ConfigOut_FlushTO_Min","ConfigOut_FlushTO_Preferred","ConfigOut_FlushTO_Max","ConfigOut_Flow_Flags","ConfigOut_Flow_ServiceType","ConfigOut_Flow_TokenRate","ConfigOut_Flow_TokenBucketSize","ConfigOut_Flow_PeakBandwidth","ConfigOut_Flow_Latency","ConfigOut_Flow_DelayVariation","ConfigOut_LinkTO","ConfigOut_NumExtraOptions","ConfigOut_ExtraOptions_Open_Channel","ConfigOut_ServiceType","ConfigOut_Latency","ConfigOut_ModeConfig_Valid","ConfigOut_ModeConfig_Flags","ConfigOut_MC_RAF_Mode","ConfigOut_MC_RAF_TxWindowSize","ConfigOut_MC_RAF_MaxTransmit","ConfigOut_MC_RAF_RetransmissionTO","ConfigOut_MC_RAF_MonitorTO","ConfigOut_MC_RAF_MaxPDUSize","ConfigOut_Fcs_Valid","ConfigOut_Fcs","ConfigOut_ExtendedFlowSpec_Valid","ConfigOut_EFS_Identifier","ConfigOut_EFS_ServiceType","ConfigOut_EFS_MaxSDUSize","ConfigOut_EFS_SDUInterArrivalTime","ConfigOut_EFS_AccessLatency","ConfigOut_EFS_FlushTimeout","ConfigOut_ExtendedWindowSize_Valid","ConfigOut_ExtendedWindowSize","ConfigIn_Flags","ConfigIn_Mtu_Min","ConfigIn_Mtu_Preferred","ConfigIn_Mtu_Max","ConfigIn_FlushTO_Min","ConfigIn_FlushTO_Max","CallbackFlags","CallbackContext","IncomingQueueDepth","NewChannelFlags","FailedChannelFlags","TransferFlags","BufferStartSize","BufferStart","BufferEndSize","BufferEnd","RemainingBufferSize","Property_Type","Property_Size","PingRequestLength","PingRequestData","PingResponseLength","PingResponseData","AclMode","Sniff_Max_Interval","Sniff_Min_Interval","Sniff_Attempt","Sniff_Timeout","Beacon_Max_Interval","Beacon_Min_Interval","Hold_Mode_Max_Interval","Hold_Mode_Min_Interval","PacketType","Child_Activity_ID","Related_Activity_ID","FixedChannel","IndicationCallback","FixedChannelServerHandle","DataTransferFlags","DataStartSize","DataStart","DataEndSize","DataEnd","fid_BTHUSB_HC","fid_BTHUSB_HC_SELECTIVE_SUSPEND","fid_B
THUSB_HC_Pdo_Name","BIP_Type","BIP_Length","Eventnumber","EventNumber","3","4","5","6","7","8","9","10","ObjId","Request_thumbprint","RequestThumbprint","Failure","HashAlgorithm","PublicKeyAlgorithm","HashLookupAlgorithm","PublicKeyLookupAlgorithm","SignatureAlgorithm","SignatureAlgorithmPreferred","Pkcs7Signature","AlternateSignatureAlgorithm","NullSignature","Policy_Id","Credential","AuthType","NewCertificate","OldCertificate","TpmError","KspName","CertificateThumbprint","HourNumber","Templates","TemplateList","Container","ExceptionAddress","ExitModuleDescription","NumberOfAttempts","InformationMessage","DN","NumberOfValidKRACerts","RequiredNumberOfValidKRACerts","KRACertIndex","KRACertSubjectName","DefaultProviderName","ExceptionLocation","ExceptionFlags","ExtensionOid","DSErrorMessage","ProvType","CertificateTemplateName","RequiredSignatureCount","AccepedSignatureCount","EnrolleeName","RequestAttributeName","TemplateNames","OldDSHostName","NewDSHostName","MissingIssuancePolicyOIDsInSigningCertificate","RequesterName","NumOfCriteria","bClient","ChainIndex","lElementIndex","Calculated","UPN","EncodingType","EncodedCertLength","EncodedCert","DrivePath","PluginCount","PlugInInitialized","InitTime","PlugIn","InstantiationTime","PluginInstantiationTime","Autorun","IsPluginSelected","IsPluginVisible","InitializationSucceed","InitializationTime","PluginInitializationTime","SpaceUsed","ScanAborted","ScanTime","PluginScanTime","IsUserAdmin","TotalScanSize","PluginScanned","ScanSucceeded","ScanFailed","SizeZeroPlugin","DiskPriority","ClaimedDeleteBytes","ActualDeleteBytes","FreeBytesBefore","FreeBytesAfter","StorageReserveBefore","StorageReserveAfter","IsPurgeAborted","TotalPluginsPurged","TotalPluginsQualified","TotalPurgeSucceed","TotalPurgeFailed","AfterPurgeGetSpaceFailed","TotalSizesZeroPlugins","TotalSelectedPlugins","TotalSkippedPlugins","PluginPurgeTime","TotalPurgeTime","PluginUsedSpaceAfter","PluginUsedSpaceBefore","ReserveAreaBefore","ReserveAreaAfter","HRPurge"
,"HRSpaceUsed","PurgeTime","activityId","cv","HandlerIndex","HandlerId","Variant","ManifestId","ItemId","ContentUri","SyncRootRelativePath","LoadedVersion","SavedVersion","CloudStorePolicyOption","HandlerType","currentThemePath","contrastThemePath","baseContrastThemeName","customThemeName","ContrastThemeLocalPath","isAutoTimeZoneEnabled","timezone","Red","Green","Blue","ProfileId","basePersonalizationThemeName","PlaceholderCount","OriginContext","AppIdOrProducCode","RemoveKind","Heuristic","ReplacedByTileId","accountName","safeCustomerID","propertyName","propertyValue","AppColorMode","SystemColorMode","enableTransperency","colorPrevalnce","accentColorMode","dwmColorPrevalence","StoreResult","AppraiserResult","CalendarType","automaticOnSchedule","automaticOnSunset","manualScheduleBlueLightReductionOnHours","manualScheduleBlueLightReductionOffHours","targetColorTemperature","sunsetHours","sunriseHours","previewColorTemperatureChanges","darkMode","isSupported","CurrentSoundSchemeFile","DefaultSoundSchemeFile","singleClickOverride","singleClickPenWorkspaceVerb","doubleClickOverride","doubleClickPenWorkspaceVerb","longPressOverride","longPressPenWorkspaceVerb","penWorkspaceAppLaunchOnPenDetachEnabled","penEnablePenButtonOverride","singleClickCustomAppPath","doubleClickCustomAppPath","longPressCustomAppPath","singleClickCustomAppID","doubleClickCustomAppID","longPressCustomAppID","OneDrivefolder","Shuffle","TimeInMillSec","LogMessage","RegKeyPath","SettingDataValue","AppIDs","themeType","SchemaProvider","ProviderCount","QualifiedTypeName","SchemaSize","ForceLastWriterWins","OriginalVersion","OriginalTombstoned","OriginalData","TheirsVersion","TheirsTombstoned","TheirsSize","TheirsData","YoursVersion","YoursTombstoned","YoursSize","YoursData","ResolvedVersion","ResolvedTombstoned","ResolvedSize","ResolvedData","ActivitiesCount","RestoreProfileId","DeviceDisplayName","LastSource","LastTarget","Forced","RestorePartitionId","BackupPartitionId","FieldId","BondDataType","Base64
String","TranslatedErrorCode","IsProfileUpdate","ProfileCollection","ProfileInstance","SchemaCollection","UpdateID","ClientKey","LastAccessTime","ExistingGuid","NewGuid","InstallPath","UpdatePath","timeoutValue","runIdentifier","clusterName","stackTrace","clusterNodeName","nodeCount","HVCI Audit Failures","HVCIAuditFailures","EKUsSize","EKUs","KnownRoot","DenyingPolicyNameLength","DenyingPolicyName","DenyingPolicySecureSettingIDLength","DenyingPolicySecureSettingID","DenyingPolicyID","DenyingPolicyHashSize","DenyingPolicyHash","OverridingPolicyNameLength","OverridingPolicyName","OverridingPolicySecureSettingIDLength","OverridingPolicySecureSettingID","OverridingPolicyID","OverridingPolicyHashSize","OverridingPolicyHash","DefenderStatusCode","DefenderCatDbFailureStage","DefenderCatDbFailure","DefenderTrustExpiryTime","CachedDefenderTrust","CachedDefenderTrustExpiryTime","DefenderShellExecutedStatusCode","DefenderShellExecutedClientStatusCode","DefenderShellExecutedCloudHTTPCode","DefenderShellExecutedEngineReportGUID","IsUnfriendlyFile","DefenderShellExecutedCalled","DefenderShellExecutedMadeCloudCall","EADefenderTrustCached","TTLValid","DefenderDisabled","EnablementSwitchType","PreviousEnablementState","DefenderThreatNameLength","DefenderThreatName","DefenderShellExecutedThreatNameLength","DefenderShellExecutedThreatName","CatalogNameLength","CatalogNameBuffer","CachedFlags","CacheSource","CachedPolicy","StateData","HTTPHeaderValue","InternetStatus","HTTPHeaderName","HTTPheaderValue","ImpressionId","ParserObjectId","ParserSubElementId","QueryTerm","QueryLength","Headers","AsyncError","QueryBlocked","ShowSettings","RefId","First","Third","evtErrorId","evtHiveNameLength","evtHiveName","evtStatus","evtAdditionalInfo","Value_blocked","evtKeyPathLength","evtKeyPath","evtValueNameLength","evtValueName","Value_set","ResumeCapable","ReasonCodes","Minimum","Maximum","IoSpaceEnabled","PhysicalMemorySizeInBytes","DumpFileSizeInBytes","CreateDumpFileDurationInMs","LargeDumpThre
sholdGB","User_Storage_Area","Last_error","MasterKeyDisposition","Credential_Key_Identifier","User_Sid","DecryptCredID","DecryptCredKey","fLegacy","fWeakCrypt","dwFallbackLastError","dwEncryptLastError","dwRestoreLastError","dwLastError","Provider_type","UserStorageArea","New_file_name","UserStoragePath","Desired_Access","Share_Mode","Creation_Disposition","ShareMode","CreationDisposition","SecurityInformation","Security_Info","ModificationType","Key_File_Name","ServerThreadId","StatusString","FailuresCount","FailuresCountGlobal","SuccessCountGlobal","SignaledFailure","SignaledSuccess","LsaIsoLaunchAttempted","TotalAttemptedRestarts","TotalSuccessfulRestarts","CanBeEnabled","SourceNumber","BytesProvided","EntropyEstimate","nData","Counter","ResultStatus","TimeTaken","PoolReseedCount","ReseedType","PrngAddress","UserMode","BytesProduced","NetFn","CommandID","PacketSize","PacketData","port","authentication","usessl","skipcacheck","skipcncheck","skiprevocationcheck","timeoutsec","UInt32Param","ifAlias","ifName","NdisPort","ConfigurationLength","RemoteMacAddress","RemoteChassisIdType","RemoteChassisIdLength","RemoteChassisId","RemotePortIdType","RemotePortIdLength","RemotePortId","RemoteTtl","TcsUsed","MaxTcs","TsaAssignmentTableLength","TsaAssignmentTable","PfcEnable","dwError","nInt","strString","strString1","strString2","nInt1","nInt2","bFailureReason","szServerName","szSettingName","bTriggerSource","dwNumFilesUploaded","szHttpObjectNames","szFullpath","cbFileSize","cbRead","szHttpObjectName","cchHeader","cchBody","szHeaders","dwHttpStatusCode","guidSessionId","dwPayloadSize","DiskGuid","PortPoolId","PortDiskId","DirectoryCount","DataCount","FsctlCount","BytesRepaired","BytesFailed","BytesSkippedDueToNoAllocation","BytesSkippedDueToInvalidRun","BytesSkippedDueToIntegrityStream","BytesSkippedDueToRegionBeingClean","BytesSkippedDueToLockConflict","BytesSkippedDueToNoScrubDataFlag","BytesSkippedDueToNoScrubNonIntegrityStreamFlag","DataBytesScrubbed","MetadataBytesProces
sed","DataBytesProcessed","TotalMetadataBytesInUse","TotalDataBytesInUse","TotalTimeTaken","PercentComplete","InternalFileReference","ExtentCount","ExtentSize","DiskOffset","MaxThreadCount","wYear","wMonth","wDayOfWeek","wDay","wHour","wMinute","wSecond","wMilliseconds","TimeZoneKey","File_count","Data_Deduplication_warning","System_memory_percentage","Minimum_required_memory","UnoptimizedBytes","MftCacheSizeMB","GrovelerLogBufferMB","DirectoryTableMB","DirectoryNamesMB","IndexMinEntries","IndexMaxEntries","IndexMinRequiredMB","IndexMaxRequiredMB","PipelineMinMB","PipelineMaxMB","ChunkStoreBatchBufferMemoryMB","ChunkStoreContainerListMB","CorruptionTableMemoryMB","HotspotRequiredMB","Skip_Reason","SkipReason","TotalRanges","SkippedRanges","AbortedRanges","CommittedRanges","RangeOffset","RangeLength","MaxSize","CurrentSize","RemainingRanges","MaximumSizeMB","AllocationSizeMB","IndexMinRequiredMb","IndexMaxRequiredMb","PipelineMinMb","PipelineMaxMb","ChunkStoreBatchBufferMemoryMb","ChunkStoreContainerListMb","CorruptionTableMemoryMb","HotspotRequiredMb","Memory_percentage_required","ReconciliationMemoryPercentage","ParentDirectoryId","ParentDirectoryPath","ErorrCount","Fixed","FileLocator","RecordLocator","CorruptionType","ChunkStoreType","HasRedundantCopy","StartingChunkId","StartIndex","FirstRequestChunkId","NextRequest","RootPathLength","RootPath","Synchronous","Block","BufferType","BufferOffset","OutputCapacity","UnderlyingFileObject","CacheFileSize","CacheFileObject","Bcb","ReadLength","PagingIo","TlCache","RequestStartOffset","RequestEndOffset","CurrentOffset","AdjFinalOffset","FirstChunkByteOffset","ChunkRequestsEndOffset","StreamMapEntryCount","BytesCopied","StreamContext","DetectedCorruptionCount","FixedCorruptionCount","CorruptedUserFileCount","FixedUserFileCount","ReadOnlyMode","FixableUserFileCount","TotalChunkStoreCorruptedItemCount","DataChunkStoreCorruptedItemCount","DataChunkStoreCorruptedContainerCount","DataChunkStoreFixedItemCount","StreamMapChunkSt
oreCorruptedItemCount","StreamMapChunkStoreCorruptedContainerCount","StreamMapChunkStoreFixedItemCount","HotspotChunkStoreCorruptedItemCount","HotspotChunkStoreCorruptedContainerCount","HotspotChunkStoreFixedItemCount","CorruptedReparsePointCount","RecallBitmapCorruptedItemCount","RecallBitmapFixedItemCount","TotalCorruptedItemCount","DataChunkStoreFixableItemCount","StreamMapChunkStoreFixableItemCount","HotspotChunkStoreFixableItemCount","TargetFileId","InvalidFileName","ContainerOffset","Entries","VersionChecksum","UpdateSequenceNumber","ValidDataLength","ChunkCount","NextLocalId","LastAppendTime","BackupRedirectionTableOffset","LastReconciliationLocalId","Checksum","IsBatched","IsCorrupted","Header","ChunkId","LogNumber","FileExtension","DeleteLogOffset","BitLength","MergeLogOffset","SizeBackedByChunkStore","StreamMapInfoSize","StreamMapInfo","ReparsePointSet","BeyondFinalZero","BatchChunkCount","BatchDataSize","FileCopyLevel","TotalEntryCount","policyName","policyValue","ClientPort","VariableWindow","SessionGUID","ClientMAC","ClientDeviceID","ClientArch","MachineOU","InputMetadata","OutputMetadata","ResponseType","Metadata","ObjectID","ObjectMetadata","RequestMetadata","MatchResult","ParentID","ClientHardwareAddress","ClientPrestaged","ClientVersion","WinPEVersion","UnattendMode","ImageGroup","FullUserName","MulticastNamespace","ContenProvider","MulticastType","DriverPackageName","NumDriverPackages","ImageLanguage","ImageArch","SourceFileName","SourceFileSize","SourceDiskSize","DestinationDiskPath","DestinationDiskSize","AepId","ClientProcessName","ClientPid","IsPersisted","IsManagingDevnodes","IsPerUser","PerUserSid","IsPartOfSet","AssociationError","ProtocolError","tid","timeout","AbortingProtocolProvider","InternalError","AumId","packageSid","capabilityName","TokenID","Token","TenantID","TBS256Count","TBS384Count","TBS512Count","HashAlgo","TbsHashLen","TbsHash","SiPolicy","Reboot","FileTime1","FileTime2","PFX_Certificate_Install_Status","PFX_Certificate_Insta
ll_Failed_Result","HexInt7","HexInt5","Preview_Builds","ProviderIndex","TotalProviders","UInt8","UInt9","UInt10","UInt11","Message7","HexInt6","HRESULT5","ClientFileName","InterfacePath","aepId","TriggerID","HardwareId","TaskProcessID","Prop_FeatureId","Prop_FeatureEnablement","Prop_IdleWait","Prop_AppUpdatesEnablement","Prop_WindowsUpdatesEnablement","Prop_ServerSelection","Prop_TaskEnablement","Prop_DriverRecoveryRequest","Prop_MetadataPackageId","Prop_StageTimeMilliSeconds","HTTPCode","Prop_IsLegacySigCheckForFile1","Prop_FileName1","Prop_IsLegacySigCheckForFile2","Prop_FileName2","Prop_SoftwareName","Prop_InstallTime","Prop_HiHighPartNew","Prop_LoHighPartNew","Prop_HiLowPartNew","Prop_LoLowPartNew","Prop_HiHighPartOld","Prop_LoHighPartOld","Prop_HiLowPartOld","Prop_LoLowPartOld","Prop_CommandLine","Prop_SoftwareLinks","Prop_InstallType","Prop_CoreServiceState","Prop_JobId","Prop_JobType","Prop_JobStatus","Prop_NotificationHandler","Prop_ServiceInfoNamespace","Prop_CultureCode","Prop_SessionId","Prop_UpdateId","Prop_FlightId","Prop_NumFiles","Prop_RequestSize","Prop_SetId","Prop_SuccessfulUpdates","Prop_TotalUpdates","Prop_ElapsedMilliseconds","Prop_DeviceInstancePath","Prop_DriverPackageId","Prop_ProblemCode","Prop_InstallError","Prop_Version1","Prop_Version2","EnumerationTime","CountOfItems","RootShare","FtDfsName","DfsNamespace","SyncFromPDC","SyncType","DfsReparsepoint","DomainControllerName","LdapError","DfsFolderMetadataRegistryPath","RequestBuffer","RequestBufferLength","ResponseLength","TimeConsumedToResolveInMilliSeconds","PreferredMaxLength","ServerIpAddress","ServerSite","DfsPathLength","TargetCount","DfsTarget","NewDfsPath","ADSite","InputBuffer","InputBufferLength","OutputBuffer","OutputBufferLength","ResponseBuffer","ResponseBufferLength","dc","share","DFSRoot","SMBShare","oldPath","newPath","childDirectory","parentDirectory","directory","DFSLinkDN","NetworkHintString","NetworkHint","DhcpRenewState","InitRebootState","Address3","Address4","Registeri
ng_AdapterName","Deregistering_AdapterName","Dword","Str1","Str2","Str3","Str4","ProcID","UniqueID","EventPath","OptListSize","OptList","IsVendor","HRString","FQDNName","ErrorType","Errorvalue","UpdatedVal","OriginalVal","ProcessingOrder","Dword1","Dword2","RefreshTime","SearchOnline","SearchType","LeftValue","EvalValue","RightValue","Operator","ExecuteAs","WidgetID","WidgetAction","Widget","Collector","ProxyType","CommandParam","CallbackReason","MachineNameSize","FunctionIndex","RequestCode","CounterSetNameLength","CounterSetName","ProviderDll","FirstArgument","CounterName","DataCollecotrSet","CabName","RootCauseID","RootCauseName","RootCauseDescription","ResolutionID","RootCauseId","QueryRemoteServer","IndexPath","RequestBody","HttpError","ItemsAdded","UILanguage","ResponseCode","EventDescription","EventVerbosity","NumberOfAttributes","HelperClassAttributes","StandbyTsVersion","StandbyAppCount","StandbyServicesCount","StandbyDevicesCount","StandbyStartTime","StandbyEndTime","StandbySuspendTotal","StandbySuspendTotalChange","StandbySuspendQueryApps","StandbySuspendQueryAppsChange","StandbySuspendQueryServices","StandbySuspendQueryServicesChange","StandbySuspendApps","StandbySuspendAppsChange","StandbySuspendServices","StandbySuspendServicesChange","StandbySuspendShowUI","StandbySuspendShowUIChange","StandbySuspendSuperfetchPageIn","StandbySuspendSuperfetchPageInChange","StandbySuspendWinlogon","StandbySuspendWinlogonChange","StandbySuspendLockPageableSections","StandbySuspendLockPageableSectionsChange","StandbySuspendPreSleepCallbacks","StandbySuspendPreSleepCallbacksChange","StandbySuspendSwapInWorkerThreads","StandbySuspendSwapInWorkerThreadsChange","StandbySuspendQueryDevices","StandbySuspendQueryDevicesChange","StandbySuspendFlushVolumes","StandbySuspendFlushVolumesChange","StandbySuspendSuspendDevices","StandbySuspendSuspendDevicesChange","StandbySuspendHibernateWrite","StandbySuspendHibernateWriteChange","ResumeStartTime","ResumeEndTime","StandbyResumeTotal",
"StandbyResumeTotalChange","StandbyResumeHibernateRead","StandbyResumeHibernateReadChange","StandbyResumeS3BiosInitTime","StandbyResumeS3BiosInitTimeChange","StandbyResumeResumeDevices","StandbyResumeResumeDevicesChange","StandbyRootCauseDegradationGradual","StandbyRootCauseImprovementGradual","StandbyRootCauseDegradationStep","StandbyRootCauseImprovementStep","StandbyIsDegradation","StandbyIsTroubleshooterLaunched","StandbyIsRootCauseIdentified","DeviceFriendlyNameLength","DeviceFriendlyName","DeviceTotalTime","DeviceDegradationTime","ShellScenarioStartTime","ShellScenarioEndTime","ShellSubScenario","ShellScenarioDuration","ShellRootCauseBits","ShellAnalysisResult","ShellDegradationType","ShellTsVersion","ShellMachineUpTimeHours","ShellMachineSleepPattern","BlockedTime","PercentTime","WorkingSetSizeKb","PeakWorkingSetSizeKb","PercentMemory","DisplayDeviceFriendlyNameLength","DisplayDeviceFriendlyName","MemoryBandwidth","Diagnosis","pID3D11Resource","pIDXGISurface","pID3D11Device","Dimension","Usage","MipLevels","ArraySize","SampleCount","SampleQuality","BindFlags","CPUAccessFlags","MiscFlags","StructureByteStride","hKMResource","hUMResource","UMResourceMiscFlags","Resources","pIDXGISurfaces","hNewKMResources","CurrentMemoryUsage","MemoryBudget","LogStatus","WinError","DirectoryPath","SecurityPackage","AccountDistinguishedName","SystemAssignedAccountName","AccountSID","AccountRID","RemainingRids","OID Object DN","Group DN","Group GUID","Group SID","OIDObjectDN","GroupDN","GroupGUID","GroupSID","DroppedClaims","Error code:","RegistrySDString","MalformedSDString","DefaultSDString","Network_address","Throttle window:","Suppressed Message Count:","Throttlewindow","SuppressedMessageCount","Currently_configured_MinimumPasswordLength_value","Account_DN","Account_SID","KeyHash","AccountDN","Number of RPC methods:","Throttle 
Window:","NumberofRPCmethods","ThrottleWindow","Retained_account_name","Deleted_account_names","AccountRidHex","AccountRid","SavedAccountName","DeletedAccountNames","Service_startup_error_status","StatusHex","DiagnosticInfo","SDDL_Value","Computer_Account","Computer_Account_Owner","ComputerAccountSID","ComputerAccountOwnerSID","Client_Account","ClientUserAccountSID","pinOutput","pinOutputName","pinInput","pinInputName","subtype","filter","filterName","eventCode","failingFilter","failingFilterName","tStart","pin","pinName","PreferredCount","DontUseCount","clsid","FourCC","dllName","hrString","ReadCacheEnabled","ReadRetentionPriority","WriteRetentionPriority","PrefetchScalar","DisablePrefetchTransferLength","MaximumBlocks","RequestDuration","LengthOfTransfer","RedLuts","GreenLuts","BlueLuts","OldRedGain","NewRedGain","OldGreenGain","NewGreenGain","OldBlueGain","NewBlueGain","ProvidedIid","RequestedIid","HandlerClsid","DnsSuffix","AdSuffix","DnsAddressLength","DnsAddress","DnsSecValidationRequired","DnsQueryOverIPSec","DnsEncryption","DirectAccessServerList","ProxyName","ResponseQuestion","GenericServerList","IdnConfig","NameQuery","SystemCallDisable","ExtensionPointDisable","DynamicCode","ControlFlowGuard","BinarySignature","FontDisable","ImageFlow","ChildProcess","EnforcementKey","Warning","WarningCode","NextState","Updated_Context","Update_Reason","UpdateReasonCode","ReferenceContext","Interface_Guid","ActualServer","OriginalServer","Interception_Dll","ErrorBits","serviceName","ClientSubnetRecord","virtualizationId","TCP","InterfaceIP","RD","XID","AA","AD","DNSSEC","RCODE","StaleRecordsPresent","QXID","RecursionScope","CacheScope","Secure","ForwardInterfaceIP","RRTYPE","QueryGUID","CacheNodeName","ChannelInfo","EdnsInfo","WithWithout","Forwarders","KeyProtocol","Base64Data","CryptoAlgorithm","KeyTag","DigestType","Digest","ListenAddresses","MasterServer","SubTreeAging","SeizedOrTransfered","WithNewKeys","KeyOrZone","KskOrZsk","ActiveKey","StandbyKey","NextKey","Chil
dZone","NameServer","ClientSubnetList","Criteria","Condition","ZoneName","Scopes","OldPropertyValues","NewPropertyValues","ScopeWeight","ScopeWeightNew","ScopeWeightOld","NewScope","OldScope","RRLExceptionlist","OldFriendlyName","NewFriendlyName","GenerationSize0","TotalPromotedSize0","GenerationSize1","TotalPromotedSize1","GenerationSize2","TotalPromotedSize2","GenerationSize3","TotalPromotedSize3","FinalizationPromotedSize","FinalizationPromotedCount","PinnedObjectCount","SinkBlockCount","GCHandleCount","ClrInstanceID","MethodIdentifier","ModuleID","MethodStartAddress","MethodSize","MethodToken","MethodFlags","HandleID","ObjectSize","MethodNameSpace","Methodname","MethodSig","AppDomainID","WorkerThreadCount","RetiredWorkerThreads","param13","ObjectCountForTypeSample","TotalSizeForTypeSample","RangeStart","RangeUsedLength","RangeReservedLength","IOThreadCount","RetiredIOThreads","ClrThreadID","CpuUtilization","ActiveWorkerThreadCount","RetiredWorkerThreadCount","Throughput","AverageThroughput","NewWorkerThreadCount","ThreadWave","ThroughputWave","ThroughputErrorEstimate","AverageThroughputErrorEstimate","ThroughputRatio","NewControlSetting","NewThreadWaveMagnitude","Reserved1","Reserved2","Allocated","Survived","ProcessSurvived","ManagedThreadID","ManagedThreadIndex","OSThreadID","StubMethodID","StubFlags","ManagedInteropMethodToken","ManagedInteropMethodNamespace","ManagedInteropMethodName","ManagedInteropMethodSignature","NativeMethodSignature","StubMethodSignature","StubMethodILCode","ContentionFlags","MethodID","MethodNamespace","MethodSignature","ReJITID","MethodILSize","AssemblyID","ModuleFlags","ModuleILPath","ModuleNativePath","ManagedPdbSignature","ManagedPdbAge","ManagedPdbBuildPath","NativePdbSignature","NativePdbAge","NativePdbBuildPath","BindingID","AssemblyFlags","FullyQualifiedAssemblyName","AppDomainFlags","AppDomainName","AppDomainIndex","RangeBegin","RangeSize","RangeType","VerificationFlags","MethodBeingCompiledNamespace","MethodBeingCompiledName
","MethodBeingCompiledNameSignature","InlinerNamespace","InlinerName","InlinerNameSignature","InlineeNamespace","InlineeName","InlineeNameSignature","FailAlways","Sku","BclMajorVersion","BclMinorVersion","BclBuildNumber","BclQfeNumber","VMMajorVersion","VMMinorVersion","VMBuildNumber","VMQfeNumber","StartupFlags","StartupMode","ComObjectGuid","RuntimeDllPath","CallerNamespace","CallerName","CallerNameSignature","CalleeNamespace","CalleeName","CalleeNameSignature","TailPrefix","TailCallType","MethodExtent","CountOfMapEntries","ILOffsets","NativeOffsets","BytesAllocated","BytesFreed","FreeListAllocated","FreeListRejected","EndOfSegAllocated","CondemnedAllocated","PinnedAllocated","PinnedAllocatedAdvance","RunningFreeListEfficiency","CondemnReasons0","CondemnReasons1","CompactMechanisms","ExpandMechanisms","HeapIndex","ExtraGen0Commit","FinalYoungestDesired","NumHeaps","CondemnedGeneration","Gen0ReductionCount","GlobalMechanisms","PauseMode","MemoryPressure","GCName","EntryEIP","DetectedBy","ActiveOperation","Queueing","HwAccessTargetType","HwAccessTargetSize","HwAccessBufferCount","InterruptMessageNumber","FrameworkVersion","FxVersion","Upgrade","UnstartedService","AvgServiceLockAcquisitionTimeInLastLogPeriodInMicroSeconds","AvgServiceLockAcquisitionTimeInMicroSeconds","TotalAcquisitionCount","FailedAcquisitionCount","ParamNumber","ParamText","ParamErrorCode","ParamErrorMessage","ConsistencyTimerValue","RefreshTimerValue","flag","ReportingTimerValue","resourceName","assemblyName","loadExceptionMessage","typeName","exceptionMessage","errorno","logName","signatureStatus","storeInfo","currentMachinSignatureVerificationPolicy","zipFileName","moduleName","assignedConfigName","StreamID","IsRunning","rtTimestamp","rtNow","rtAhead","SyncPoint","TimeDisc","HaveRun","UsedGetTime","SetTimeToNow","CellTimeDisc","rtTime0","rtNow_Time0","VOBU Len","VOBULen","Max 
Latency","MaxLatency","HandleMask","WakeIndex","IOIndex","ExtraEventInfo","VTSN","CSSEnabled","DiskRegionMask","DecoderRegionMask","SystemRegionMask","attempted","new","FileSizeInBlocks","FileOffsetHint","IgnoreKeyFailures","Sector","Func","In","Out","actualLen","secondarywindowpointer","representationType","CWindowData","hwndDestination","pwd","pSnapshot","VirtualFunctionIndex","bSecure","pDeviceObject","BucketingString","bGPUpv","SessionType","GraphicsVendorId","AdapterHandle","ComponentIndex","ControlGuid","ComponentType","ComponentTypeId","NumberOfIdleStates","CurrentFState","CurrentLatencyTolerance","FState","NominalPower","TransitionLatency","ResidencyRequirement","Residency","NumberOfPStates","CurrentPState","PState","OperatingFrequency","EProcess","Heap","EndAddress","HeapType","CreationState","pVaAllocator","hProcessId","SupportRuntimePowerManagement","ntStatus","NumberOfComponents","NodeOrdinal","MaxFrequency","MaxFrequencyOC","Voltage","VoltageMax","VoltageMaxOC","MaxTransitionLatency","MethodString","Key Name","TypeId","VendorType","Skipping","NAK","Accept","Packet ID","Packet Length","PacketID","PacketLength","PacketId","Connection Name","Session ID","Function Name","PerfId","Registry Key","RegKeyValue","Reason_code","Eap_Method_Friendly_Name","Root_Cause_String","Repair_String","EAPMethodFriendlyName","EAPErrorRootCause","EAPErrorRepair","debugString","int1","uint1","uint2","CAThumbprint","Method Name","Error 
Cause","IdType","WebSite","SourceEnterpriseId","SourceAppName","DestinationEnterpriseId","DestinationAppName","DataInfo","DestinationName","PreviousEnterpriseId","FileNumber","Param","CertValidated","cbHash","pbHash","DisplayInformation","dwCapabilities","bIsCurrentKey","eKeyType","Actual","AttackId","Param6","Param7","Param8","Param9","Param10","Param11","Param12","num2","num1","str2","ThreatId","Verdict","DeviceState","DevicePdoCaps","SiloCmd","TcgCmd","ErrorParam1","ErrorParam2","ErrorParam3","ErrorParam4","Win32Err","Expected_Size","Actual_Size","ExpectedSize","CmdStatus","SiloCommand","SiloStatus","TCGInvokingID","TCGMethodID","KeyProtectionMechanism","MaxBandCount","BandMetadataSize","BandID","Authorize","TemplateDetails","CADetails","OIDs","CAConfig","Hours","Collisions","PolicyFieldName","iFile","ibOffset","cbData","tidAlloc","fHeapA","fWrite","EngineFileType","EngineFileId","cusecEnqueueLatency","Iorp","Iors","Ioru","Iorf","grbitQos","cmsecTimeInQueue","cDispatchPass","cIorunCombined","cusecDequeueLatency","fMultiIor","Iort","ParentObjectClass","cbTransfer","qosHighestFirst","cmsecIOElapsed","dtickQueueDelay","fmfFile","dwEngineObjid","qosIOComplete","dwTraceFlags","ifmp","pgno","LatchFlags","objid","PageFlags","dbtimeDirtied","itagMicFree","cbFree","tick","DirtyLevel","fCurrentVersion","errBF","bfef","pctPriority","bflf","bflt","bfrtf","LgposModify","ClientComponent","ClientAction","ClientActionContext","GuidActivityId","SessionNumber","TransactionNumber","TransactionLevel","pgnoFDP","pgnoFirst","cpg","objidFDP","tce","pgnoAlloc","pgnoFree","lgenData","ibLogData","cbLogData","posttTimerHandle","pfnTask","pvTaskGroupContext","pvRuntimeContext","dtickMinDelay","dtickSlopDelay","cRuns","ptm","pfnCompletion","dwCompletionKey1","dwCompletionKey2","gle","dwThreadContext","pgptm","pvParam","pTaskInfo","qwMarkerID","szAnnotation","pfnStart","dwParam","cbfCacheAddressableInitial","cbfCacheSizeInitial","cbfCacheAddressableFinal","cbfCacheSizeFinal","cbfCacheSizeLimi
tInitial","cbfCacheSizeLimitFinal","iRun","cbfVisited","cbfCacheSize","cbfCacheTarget","cbfCacheSizeStartShrink","dtickShrinkDuration","cbfAvail","cbfAvailPoolLow","cbfAvailPoolHigh","cbfFlushPending","cbfFlushPendingSlow","cbfFlushPendingHung","cbfOutOfMemory","cbfPermanentErrs","eStopReason","errRun","opApi","err","csecCorrelatedTouch","csecTimeout","csecUncertainty","dblHashLoadFactor","dblHashUniformity","dblSpeedSizeTradeoff","dwUserId","bOperationId","bOperationType","bClientType","bFlags","dwCorrelationId","iorp","iors","iort","ioru","iorf","usecsWait","bftcmr","bUserPriorityTag","fOpFlags","Disk","wszFileName","iofr","cioreqFileFlushing","usFfb","dwDisk","hFile","fFlags","bfdfNew","lgposModify","tsidr","dwImageVerMajor","dwImageVerMinor","dwImageBuildMajor","dwImageBuildMinor","wszDisplayName","iInstance","perfstatusEvent","wszInstanceName","dbid","wszDatabaseName","dwDiskNumber","wszDiskPathId","szDiskModel","szDiskFirmwareRev","szDiskSerialNumber","dwEngineFileType","qwEngineFileId","fmf","wszAbsPath","filetype","ulMagic","ulChecksum","cbPageSize","ulDbFlags","psignDb","posdci","posswcp","posdspd","wszFilename","szClientComponent","szClientAction","szClientActionContext","guidActivityId","dwEngineFileId","grbitPurgeFlags","fcbpfr","dtickSpikeLength","p_osf","cioDiskEnqueued","cDispatchAttempts","usPosted","dwDiskId","fFromCompletion","ipass","cioProcessed","usRuntime","cDisksProcessed","qos","iIoreq","usCompletionDelay","cbMemory","cmsecReferenceIntervalMax","cbDirty","iofile","cbPageFree","cLines","bSeekPenalty","TableClass","OrigSize","XpressSize","Xpress9Size","usecXpressTime","usecXpress9Time","ShannonEntropy","ChiSquared","OSDescription","SubscriptionId","ChannelType","EventMetaDataCount","PercentFull","ConfigProperty","FailedLogFilePath","NewLogFilePath","ActualMaxInterval","DiskPmDisabledMaxInterval","DiskPmEnabledFlag","DiskPmEnabledMaxInterval","TimestampForced","DiskPmPolicy","BiasValid","StartBias","SubscriptionManagerAddress","PolicyDescription
","Notification","LogTime","Alias","BinaryParameterLength","ShareScopeName","ClusterName","ChkdskLogFile","ResourceGroup","ResTypeDll","MaintenanceTime","ApplicationErrorCode","FromNode","ToNode","FailureString","ClusterIdentity","ObjectGuid","OriginalName","NetBiosName","ServiceSID","DNSZone","DNSServers","ContextRequirement","ConnectionInfo","NetworkProperty","SnapShotID","FunctionalLevel","UpgradeLevel","SpotfixLogFile","FromState","ToState","BlockingResources","FromStateValue","ToStateValue","TimeInLastState","BlockingPriority","PreviousNodeName","DestinationNodeName","MoveReason","ResourceControlCode","LocalEndpoint","RemoteEndpoint","RemoteNodeNames","TimeElapsedSeconds","PreviousGroup","PreviousGroupOwnerNode","NewGroup","NewGroupOwnerNode","QuarantineType","QuarantineExpiryTime","GroupList","OrganizationalUnit","ReasonMessage","FromNodeName","ToNodeName","ProtectorId","TimeInMilliseconds","OperationTimes","TotalTimeInMilliseconds","VolumesExpected","VolumesFound","TimeSinceFailure","Period","DiskDeviceNumber","DiskDeviceGuid","RootName","RenamedDirectoryName","FolderName","CacheSizeInMb","VolumeState","OriginatingNode","SMBInstanceName","SnapshotSet","ResiliencyName","TimeoutInSeconds","MessageDescription","MessageAction","CurrentOwner","NewOwner","ObjectId","HandleType","RpcError","ClusterError","VolumeNumber","MappedPath","TargetPath","IoId","IrpMajorFunction","FileContext","IrpMinorFunction","ShadowFileObject","PathId","PathType","DownPathId","Membership","RegistrationKey","ClusterId","NodeId","MembershipMask","CurrentClusterId","CurrentInstanceId","CurrentSequenceNumber","CurrentMembershipMask","CacheStorePartitionId","ReservePercentage","UnusedSize","CacheStoreDeviceGuid","CacheStoreDeviceId","AddedMissingPages","BindingGuid","HddDeviceGuid","AttributesMask","IOOffset","IOLength","MismatchOffset","MismatchLength","Informational","ExistingIOOffset","ExistingIOLength","IoContext","Protected","DriveRevision","Data1Length","TargetNodeName","TargetNode","Sur
prise","RemovalReason","RemovalStatus","TimeInMinutes","ErrorSummary","ManagerName","StorePath","InstanceSetupFlags","FsType","DeviceCharacteristicsFlag","Ptr","CallBackStatus","StreamHandleContext","CsvFileId","IgnoreCurrentConditions","FailImmediately","Exclusive","OplockCode","OplockFlags","FileIdHi","Information","VetoFromAltitudeIntegral","VetoFromAltitudeDecimal","RelativeFileObject","SharedAccess","AttributeFlags","Ccb","BytesPerCluster","BytesPerFileRecordSegment","CreateDisposition","CreateFlags","DownLevelStatus","OplockLevel","FullPathLength","FullPath","IsEventCompletion","CountersName","VolumeTargetPath","FsTargetPath","EnableCOW","EnableDirectIo","ForceWriteThrough","TargetNodeId","DcmSequenceId","LastUptime","CurrentDowntime","TimeSinceLastStateTransition","Lifetime","TimeSinceStateTransitionStart","InvalidationReason","FromDirectIo","IrpContext","IrpFlags","IrpContextFlags","IrpSlFlags","IrpContextFlagsUpper","RedirectionReason","ReportCsvFs","VpbFlags","TunnelOperationCode","TunnelActivityId","BookmarkLength","Bookmark","MaxLookAsideDepth","CpuCount","TruncateSize","HasEvent","Fcb","StreamId","FragmentOffset","FragmentLength","Sequence","Resultset","RelativePath","AssociationClass","Static","ParametersNames","Cmdlet","Invocation","LocalAddressIPLength","RemoteAddressIPLength","DeviceContext","MajorFunctionCode","CurProcessId","ReportType","LiveDumpPolicy","ThresholdTime","CurrentTime","TimeDeltaRemaining","RegPath","AdapterContext","NBLContext","NLBCount","Layer2Address","InterfaceStatus","DriverContext","ExpectedCount","ActualCount","MonitorContext","MinTicks","MaxTicks","Tickrate","CurrentCPU","TargetCPU","gap","StartTicks","EndTicks","TickDelta","OldTunnelAddressIPLength","OldTunnelAddress","NewTunnelAddressIPLength","NewTunnelAddress","RouteBlocked","SpecialHBEnabled","MissedHBCount","NextHeader","DestinationAddressIPLength","SourceAddressIPLength","EndpointAddressIPLength","EndpointAddress","WatchdogSource","EndpointContext","IpDadState","Proce
ssImageNameLength","SourceIPLength","DestinationIPLength","SourceIP","DestinationIP","ContextRouteCount","DelayTicks","TickRate","ScheduledTimeMilliseconds","MinimumToleranceTicks","MaximumToleranceTicks","CurrentTickCount","DiskManufacturer","DiskProductId","DiskSerial","EnclosureSlotNumber","EnclosureManufacturer","EnclosureProductId","EnclosureSerial","EnclosureGuid","CacheMode","NewCacheMode","NewMetadataReserveBytes","NewCacheBehaviorFlags","OldCacheMode","OldMetadataReserveBytes","OldCacheBehaviorFlags","DiskSedState","RecentError1TimeStamp","RecentError1FailedStage","RecentError1ErrorCode","RecentError2TimeStamp","RecentError2FailedStage","RecentError2ErrorCode","RecentError3TimeStamp","RecentError3FailedStage","RecentError3ErrorCode","RecentError4TimeStamp","RecentError4FailedStage","RecentError4ErrorCode","ProvisioningErrorsCount","ProvisioningErrors","CacheMetadataReserveBytes","FthEnabledPID","FthEnabledProcessName","FthEnabledProcessStartup","Value_Name","Value_Type","RegKeyName","ValueType","Feature_id","FeatureId","FeatureState","ProtectedUpToTime","HighLevelHr","LowLevelHr","ConfigFilePath","Hr","Prop_HRESULT","Prop_Message","Backtrace","LogPath","fIsINTEnv","fShowPrompt","Integer","HresultValue","UnicodeString","RequestedState","Boolean","OverridePropertyName","GlobalError","GlobalSyncState","This","CurrentError","CurrentSyncStatus","objectId","ShadowCopyId","FileServerName","MinClientVersion","MaxClientVersion","MinServerVersion","MaxServerVersion","File_system_GUID","File_system_driver","FsGuid","FsDriverNameLength","FsDriverName","GpAllowStatus","GpAllowListLength","GpAllowList","SystemAllowStatus","SystemAllowListLength","SystemAllowList","VolumeAllowStatus","VolumeAllowListLength","VolumeAllowList","AllowAvFilter","AvPolicyIsFromGp","A10_stackSize","A11_oldStackSize","A11_newStackSize","A12_IrpCtrl","A11_newCNode","A10_OpType","A11_irpCtrl","A11_IrpCtrl","A10_irpCtrl","A11_th","A13_i","A10_status","A11_CompNode","A10_DeviceObject","A10__localHea
d","A10_fileList","A10_newFileList","A10_FileList","A10_DriverObject","A10_i","A10_Irp","A10_Context","A10_regWatchContext","A10_ctxFlags","A10_Buffer","A12_Length","A10_MdlChain","A10_irp","A10__replyWaiter","A10_currentWaiter","A10_Queue","A10_currentLink","A10_FileNameInformation","A10_streamList","A10_newStreamList","A10_StreamList","A10_FltObject","A12_reason","A10_deviceObject","A11_FileObject","A12_Volume","A13_IrpMajor","FUNC","A10_IrpCtrlCompletionStackLength","A10_newCNodeIrpCtrl","A12_newCNodeDataSnapshotMajorFunction","A10_IrpCtrl","A11_CHARnewCNodeDataSnapshotMajorFunction","A12_CHARnewCNodeDataSnapshotMinorFunction","A12_FrameReserveIrpCtrlsStaticOwningThreadOpType","A12_FrameReserveIrpCtrlsEntriesiCount","A11_IrpCtrlDataThread","A10_FsControlDeviceObject","A11_NULL","A12_ControlDeviceName","A13_GET_DEVICE_TYPE_NAMEFsControlDeviceObjectDeviceType","A10_NewDeviceObject","A12__cdoDevExtControlDeviceName","A13_GET_DEVICE_TYPE_NAMENewDeviceObjectDeviceType","A11_volume","A12__volumeDeviceName","A14_DeviceObjectToAttachTo","A13_GET_DEVICE_TYPE_NAMEDeviceObjectDeviceType","A14_NotifyFlags","A15_devExtHeaderAttachedToDeviceObject","A10__VolumeDeviceName","A10_origBufferPtr","A11_origMdlAddressPtrorigMdlAddressPtrNULL","A12_newBufferPtr","A13_newMdlAddressPtrnewMdlAddressPtrNULL","A10_eventIrpPtr","A11_eventMajorFunction","A12_IrpCtrlInitiatingInstance","A13_eventFileObject","A14_eventFsContext","A15_status","A10_KeGetCurrentThread","A11_irpCtrlFileObject","A12_volume","A13_CHARirpMajorId","A14_FltGetIrpNameirpMajorId","A10_irpMajorId","A12_callbackNode","A13_FlagOnirpCtrlFlagsIRPCTRFL_SYNCHRONIZESYNCNotSYNC","A10_TrackingCtrlPointerToFree","A10_CompNodeIrpCtrl","A12_CHARCompNodeDataSnapshotMajorFunction","A10_CHARirpCtrlDataIopbMajorFunction","A11_CHARirpCtrlDataIopbMinorFunction","A12_FltGetIrpNameirpCtrlDataIopbMajorFunction","A13_irpCtrl","A10_CHARlocalIrpCtrlDataIopbMajorFunction","A11_CHARlocalIrpCtrlDataIopbMinorFunction","A12_FltGetIrpNamelocalIrpCtrlD
ataIopbMajorFunction","A13_localCompNodeIrpCtrl","A10_completionNodeIrpCtrl","A11_completionNode","A12_CHARcompletionNodeDataSnapshotMajorFunction","A10_ExceptionPointerExceptionRecordExceptionCode","A11_ExceptionPointerContextRecord","A12_ExceptionPointerExceptionRecord","A13_ExceptionPointerExceptionRecordExceptionAddress","A11_fileListFlags","A12_fileListUseCount","A11_newFileListFlags","A12_newFileListUseCount","A11_FileListFlags","A12_FileListUseCount","A10_FltGlobalsNumProcessors","A10_KeQueryMaximumProcessorCountExALL_PROCESSOR_GROUPS","A10_FltGlobalsCacheLineSize","A11_FltGlobalsCacheLineSize","A10_FsActiveActivatingfilesystemDeactivatingfilesystem","A11_FsControlDeviceObject","A12_NULL","A13__controlDeviceNameCtrlName","A14_GET_DEVICE_TYPE_NAMEFsControlDeviceObjectDeviceType","A10_FltGetIrpNameirpSpMajorFunction","A11_irpSpMajorFunction","A10_irpSpFileObject","A11__irpSpFileObjectFileName","A10_IrpCtrlIrp","A11_IrpCtrlDataIopbMajorFunction","A10_irpSpMajorFunction","A11_fileObject","A12_iccVolume","A13_fileObjectFileName","A10_fileObject","A11__fileObjectFileName","A11_IrpCtrlFileObject","A13_IrpCtrlDataIoStatusStatus","A10_newDeviceObject","A13_status","A14_FltpGetFsDeviceObjectAfterMountdiskDeviceObject","A15_FsControlDeviceObject","A11__devExtControlDeviceName","A12__devExtControlDeviceName","A13_IrpIoStatusStatus","A11_regWatchContextNotificationStatus","A11__tempString","A10_frameFrameID","A11__frameAltitudeIntervalLow","A12__frameAltitudeIntervalHigh","A11_FltGlobalsManualAttachDelayCounter","A12_FltGlobalsManualDeviceAttachLimit","A10_TopFrameFrameID","A11__TopFrameAltitudeIntervalLow","A12__TopFrameAltitudeIntervalHigh","A13__TopFrameAltitudeIntervalLow","A14_legacyAltitude","A10__DriverObjDriverExtensionServiceKeyName","A11_PCWCHARvalueInfoData","A10_Filter","A11__FilterName","A12_instance","A13_Volume","A14__VolumeDeviceName","A10_InstanceFilter","A11__InstanceFilterName","A12__InstanceAltitude","A10_currentInstance","A11_currentInstanceFilter","A
12__currentInstanceFilterName","A13__InstanceAltitude","A10_filter","A11__filterName","A12_Instance","A13_volume","A14__volumeDeviceName","A15_Reason","A11_fileOffsetQuadPart","A11_FileOffsetQuadPart","A10_ULONGreplyMessageId","A10_nameCacheNode","A11_GenCtxFileObject","A12_nameCacheNodeTreeLinkFlags","A13_nameCacheNodeUseCount","A14__nameCacheNodeNameInfoName","A11_nameCacheNodeTreeLinkFlagsflagToClear","A12_nameCacheNodeUseCount","A13__nameCacheNodeNameInfoName","A11_FlagOnnameCacheNodeTreeLinkFlags0x0ffff","A12__nameCacheNodeNameInfoName","A10_GenCtxFileObject","A10_foundNameCacheNode","A12_foundNameCacheNodeTreeLinkFlags","A13_foundNameCacheNodeUseCount","A14__foundNameCacheNodeNameInfoName","A10_IrpCtrlNULLIrpCtrlDataIopbMajorFunction0xff","A11_IrpCtrlNULLIrpCtrlDataIopbMinorFunction0xff","A12__VolumeDeviceName","A13__FileObjectFileName","A14_FileObject","A11_nameCacheNodeUseCount","A10__GenCtxShortFileName","A11__localGenCtxFileNameInformationName","A11__FileObjectFileName","A12_FileObject","A10_NameCtrl","A11_NameCtrlNameGenerationFlags","A12_NameCtrlError","A13_NameCtrlShareNameLength","A14_NameCtrlStreamNameLength","A15__NameCtrlName","A16__NameCtrlCurrentShortName","A11_NameCtrlBufferSize","A12_NewSize","A13__NameCtrlName","A14_NameCtrlFlags","A15_FlagsToSet","A10_GET_NAME_SUPPORT_VOLUME_DEVICE_NAMEGenCtx","A11_GenCtxFileObjectFileNameBuffer0","A12_GenCtxFileObjectFileNameBuffer1","A13_GenCtxFileObjectFileNameBuffer2","A14_GenCtxFileObjectFileNameBuffer3","A11__GenCtxExpandedFileName","A10__GenCtxNameCtrlName","A11__FileNameInformationName","A12__FileNameInformationVolume","A13__FileNameInformationFinalComponent","A14__FileNameInformationExtension","A15__FileNameInformationStream","A16__FileNameInformationParentDir","A10_CallbackDataIopbMajorFunction","A11_iccIrpCtrl","A12_iccIrpCtrlPendingCallbackNode","A13_FlagOniccIrpCtrlFlagsIRPCTRFL_SYNCHRONIZESYNCNotSYNC","A10_irpCtrlIrp","A11_irpCtrlDataIopbMajorFunction","A10__filterName","A11__filterDefaultAltitud
e","A10__FilterName","A11_streamListFlags","A12_streamListUseCount","A11_newStreamListFlags","A12_newStreamListUseCount","A11_StreamListFlags","A12_StreamListUseCount","A11_PFLT_OBJECTFltObjectPointerCount","A10_CDODriverName","A10_Volume","A11__VolumeDeviceName","A10_FltWork","A11_QueueType","A12_FltGlobalsThrottledWorkCtrlQueuesQueueTypeRunningCount","A13_FltGlobalsThrottledWorkCtrlQueuesQueueTypeRunningLimit","A10_fltWork","A10_NULL","A10_GenericWorkItem","A11_qtype","A12_fltObject","A13_GenericWorkItemGenericWorkerRoutine","A14_GenericWorkItemContext","A15_GenericWorkItemIoPriorityInfoIoPriority","A10_DeferredWorkItem","A13_DeferredWorkItemDeferredWorkerRoutine","A14_DeferredWorkItemContext","A15_DeferredWorkItemIoPriorityInfoIoPriority","A10_FltWorkItem","A11_FltWorkItemQueueType","A12_FltWorkItemFltObject","A13_FltWorkItemGenericWorkerRoutine","A14_FltWorkItemContext","A12_FltWorkItemInstance","A13_FltWorkItemDeferredWorkerRoutine","A12_FltObject","A13_WorkerRoutine","A14_Context","A15_FltWorkItemIoPriorityInfoIoPriority","!FUNC!","A10_IrpCtrl->CompletionStackLength","A10_newCNode->IrpCtrl","A12_newCNode->DataSnapshot.MajorFunction","A11_(CHAR)newCNode->DataSnapshot.MajorFunction","A12_(CHAR)newCNode->DataSnapshot.MinorFunction","A12_Frame->ReserveIrpCtrls.StaticOwningThread[OpType]","A12_Frame->ReserveIrpCtrls.Entries[i].Count","A11_IrpCtrl->Data.Thread","A10_*origBufferPtr","A11_origMdlAddressPtr ? *origMdlAddressPtr : NULL","A12_*newBufferPtr","A13_newMdlAddressPtr ? *newMdlAddressPtr : NULL","A10_event.IrpPtr","A11_event.MajorFunction","A12_IrpCtrl->InitiatingInstance","A13_event.FileObject","A14_event.FsContext","A10_KeGetCurrentThread()","A11_irpCtrl->FileObject","A13_(CHAR)irpMajorId","A14_FltGetIrpName(irpMajorId)","A13_FlagOn(irpCtrlFlags,IRPCTRFL_SYNCHRONIZE) ? 
'SYNC' : 'NotSYNC'","A10_TrackingCtrl->PointerToFree","A10_CompNode->IrpCtrl","A12_(CHAR)CompNode->DataSnapshot.MajorFunction","A10_(CHAR)irpCtrl->Data.Iopb->MajorFunction","A11_(CHAR)irpCtrl->Data.Iopb->MinorFunction","A12_FltGetIrpName(irpCtrl->Data.Iopb->MajorFunction)","A10_(CHAR)localIrpCtrl.Data.Iopb->MajorFunction","A11_(CHAR)localIrpCtrl.Data.Iopb->MinorFunction","A12_FltGetIrpName(localIrpCtrl.Data.Iopb->MajorFunction)","A13_localCompNode.IrpCtrl","A10_completionNode->IrpCtrl","A12_(CHAR)completionNode->DataSnapshot.MajorFunction","A10_ExceptionPointer->ExceptionRecord->ExceptionCode","A11_ExceptionPointer->ContextRecord","A12_ExceptionPointer->ExceptionRecord","A13_ExceptionPointer->ExceptionRecord->ExceptionAddress","A11_fileList->Flags","A12_fileList->UseCount","A11_newFileList->Flags","A12_newFileList->UseCount","A11_FileList->Flags","A12_FileList->UseCount","A10_FltGlobals.NumProcessors","A10_KeQueryMaximumProcessorCountEx( ALL_PROCESSOR_GROUPS )","A10_FltGlobals.CacheLineSize","A11_FltGlobals.CacheLineSize","A10_FltGetIrpName(irpSp->MajorFunction)","A11_irpSp->MajorFunction","A10_IrpCtrl->Irp","A11_IrpCtrl->Data.Iopb->MajorFunction","A10_irpSp->MajorFunction","A11_IrpCtrl->FileObject","A13_IrpCtrl->Data.IoStatus.Status","A11_regWatchContext->NotificationStatus","A11_FltGlobals.ManualAttachDelayCounter","A12_FltGlobals.ManualDeviceAttachLimit","A11_fileOffset.QuadPart","A11_FileOffset->QuadPart","A10_(ULONG) replyMessageId","A10_GenCtx->FileObject","A11_nameCacheNode->UseCount","A10_CallbackData->Iopb->MajorFunction","A11_icc.IrpCtrl","A12_icc.IrpCtrl->PendingCallbackNode","A13_FlagOn(icc.IrpCtrl->Flags,IRPCTRFL_SYNCHRONIZE) ? 
'SYNC' : 'NotSYNC'","A10_irpCtrl->Irp","A11_irpCtrl->Data.Iopb->MajorFunction","A11_streamList->Flags","A12_streamList->UseCount","A11_newStreamList->Flags","A12_newStreamList->UseCount","A11_StreamList->Flags","A12_StreamList->UseCount","A11_((PFLT_OBJECT)FltObject)->PointerCount","A12_FltGlobals.ThrottledWorkCtrl.Queues[QueueType].RunningCount","A13_FltGlobals.ThrottledWorkCtrl.Queues[QueueType].RunningLimit","A13_GenericWorkItem->GenericWorkerRoutine","A14_GenericWorkItem->Context","A15_GenericWorkItem->IoPriorityInfo.IoPriority","A13_DeferredWorkItem->DeferredWorkerRoutine","A14_DeferredWorkItem->Context","A15_DeferredWorkItem->IoPriorityInfo.IoPriority","A11_FltWorkItem->QueueType","A12_FltWorkItem->FltObject","A13_FltWorkItem->GenericWorkerRoutine","A14_FltWorkItem->Context","A12_FltWorkItem->Instance","A13_FltWorkItem->DeferredWorkerRoutine","A15_FltWorkItem->IoPriorityInfo.IoPriority","ApiName","FromFolder","ToFolder","ErrorDetails","GPFlags","ConfigurationFile","ParentFolder","fmtid","Memory","TunnelName","RoutingDomainName","WinErrorCode","LocalIp","RemoteIp","EncryptionType","IPSecEncryption","IPSecIntegrity","PfsGroup","IkeEncryption","IkeIntegrity","DhGroup","DpdTimeout","SALifeTimeSeconds","SALifeKb","UseNarrowTrafficSelectors","TunctionName","TsId","NumTsis","NumTsrs","TraceString","PortStart","PortEnd","ProtocolId","TxBandwidthKbps","RxBandwidthKbps","CollectionId","UnitId","HResultFailure","ScriptType","IsScriptHidden","IsScriptSync","IsScriptMinimized","ScriptName","ScriptFileSystemPath","ScriptArguments","ScriptElaspedTimeInSeconds","LoadFromCacheTimeElapsedInMilliseconds","FirstWmiQueryTimeElapsedInMilliseconds","NetworkBandwidthInKbps","UpdateCauseExtensionName","UpdateCauseExtensionId","CSEExtensionID","WarningDescription","SlowlinkThresholdInMilliseconds","DcResponseTimeInMilliseconds","LeadProcessor","NopCycles","SourceProcessor","Wave","Initialization_status","FirstPage","LastPage","FaultInformation","FaultReason","APIIndex","FailureInformat
ion1","FailureInformation2","HostIP","RequestID","MalformedTLV","TLVs","FaultSeverity","ResourceType","Remediation","FaultTypeId","FaultId","ClusterInstanceId","ArmId","PublishTime","IsLastMessage","Fault","CounterValue","InstanceType","OriginalTimestamp","EntityType","EntityKey","EntityDescription","EntityLocation","EntityUniqueKey","FaultType","Urgency","Actions","Icon_message_received","Notification_already_exists","CannonicalName","EventVeresion","StateID","CanonicalName","InputString","PinRecoveryEntryType","NgcEnabledPolicyState","EnabledPolicySource","NumberOfAvailableKeys","PinRecoveryPolicyState","Processing_time","ProcessingTime","Scenario_type","HelloScenarioType","Group_A","Group_B","MultiFactorUnlockProvider","MultiFactorUnlockGroupA","MultiFactorUnlockGroupB","CallingAppName","TPM_Manufacturer","Firmware_Version","Is_Ready","FirmareVersion","IsReady","PinMinLength","PinMaxLength","PinUppercase","PinLowercase","PinDigits","PinSpecial","PinAllowSequences","PinHistory","PinExpiration","TPMRequired","MultifactorUnlock","PinProtector","BioProtector","SecureBioProtector","RecoveryProtector","PrebootProtector","Key_name","KeyUseCredUnavailableReason","Correlation_vector","Certificate_type","CertificateType","ContainerVersion","HasCachedLogonKey","ContainerStatus","Existing_container","UsedExistingContainer","cause","Win32LastError","SrcText","policy","HomeGroupID","OldStatus","NewStatus","Detail","SwitchId","PortId","PortType","Paramete3","Paramete1","Paramete2","Parameter5","ServiceOrDriverName","EntityId","FirstMessage","ClientOperationMode","ServerOperationMode","CertificateDataLength","CertificateData","AttestationStatus","AttestationSubstatus","ValidationStatus","CertificateValidTo","EventName_Length","EventProperties_Length","EventProperties","AuthenticationScenarioType","WisprScenarioType","LogFile","SiteId","Directory","ServerSessionId","UrlContext","KernelCached","HttpMajorVer","HttpMinorVer","UriStem","UriQuery","ProtocolStatus","ProtocolSubStatus",
"UserAgent","Referer","AppContext","ConnectionObj","SecStatus","RequestObj","HttpVerb","RequestQueueName","HeaderLength","EntityChunkCount","CachePolicy","HttpStatus","EndpointConfigObj","CertHashLength","CertHash","CertStoreName","CertCheckMode","RevokeFreshnessTime","RevokeRetrievalTime","CtlId","CtlStoreName","CertificateLoadTime(ms)","CertificateLoadTimems","Abortive","ContentLength","UrlBuffer","ErrorStatus","AuthStatus","ContextAttributes","AuthCacheType","AccessTokenOrHandle","Bandwidth","Software","Present","ResType","HintLength","HintData","Timer","PeakBandwidth","BurstSize","ContentBytes","NumberOfRanges","Range1Start","Range1End","Range2Start","Range2End","NumberOfSlices","SliceIndex1","SliceIndex2","CacheEntryPtr","NofSlicesToMerge","NofSlicesInCache","NoBindBuffers","SecFlags","SecContextL","SecContextH","Hardening","ServiceNameCount","ReplaceConfigOf","NormalizedHost","EndpointName","MatchingEndpointName","AutoGeneratedEndpoint","ResponseId","LastPendingReceiveRequest","LastSucceededReceiveRequest","LastFailedReceiveRequest","ResetCode","BytesIndicated","BytesAccepted","Counts","CountsLength","ExtendedParamType","IpList","Tls13Status","ServerVersion","ResultDocument","CfgType","CfgId","CfgStore","AsyncIoId","WarningTimeMs","DumpFile","InaccessiblePages","OperationMessage","PageCount","LengthOfTransfer (in 
blocks)","LengthOfTransferinblocks","AdapterLuid","StateMachineType","TransitionType","SourceState","DeviceSetupClass","deviceAddress","linkedDeviceAddress","MacAddress1","MacAddress2","UniqueEventValue","DeviceRole","ProxyState","NotificationKind","IsSerialNumberAuthoritative","IsProxyUp","PciProxyLuid","mLuid","NdisStatus","NdisOidCode","PayloadDetail","DeviceInterfaceKind","LocationPath","VirtualizationSerialNumber","LocationPath1","LocationPath2","LoadFlags","RunningProcessors","AvailableProcessors","Msr","IsWrite","MsrValue","AccessStatus","Pc","ImageTimestamp","BalStatus","HypervisorVersion","VersionSupported","MSRIndex","AllowedZeroes","AllowedOnes","Leaf","Register","FeaturesNeeded","FeaturesSupported","BalInternalError","MemoryRangesCount","MemoryRanges","ExpectedVersion","ActualVersion","ExpectedFunctionTableSize","ActualFunctionTableSize","UpdateDllName","CPU","IoApicId","UnitBaseAddress","MaxDelta","MinDelta","Secure_firmware_update_status","Secure_firmware_version","IsCompletionPacket","PacketFetched","MaximumFetchAllowed","Pointer","VersionLen","SubkeyNameLen","SubkeyName","ContextId","ForwardToPortId","LastContext","SfaEnabled","MemoryRequired","RequestHandled","VfAdapterNameLen","VfAdapterName","NDK_PnP_event_succeeded_PnPEvent","NdkEnabled","NdkState","VmDataPathActive","VfAssociated","VfDatapathActive","VfMacAddress","RequestMacAddress","IoctlControlCode","IoctlVersion","IoctlInputElementCount","IoctlCode","VfLocationPath","ScsiOperation","SenseErrorCode","Initiator","HostNameLength","TimeInMs","LogSize","PrOperation","ReparseTag","TimeoutInMs","Holder","LastStatus","DataTransferLength","DataTransferSize","QueueTimeUSec","ServiceTimeUSec","ChannelUniqueId","LunSrbQueueTag","WWPN","VfId","PfLuid","ContextParam1","ContextParam2","ContextParam3","PktLen","PortFriendlyName","GftFlags","StatusLocation","SrcMacAddr","DstMacAddr","SrcIpv4Addr","DstIpv4Addr","SrcIpv6Addr","DstIpv6Addr","DstPort","IsTcpSyn","ArpType","SenderMacAddr","SenderIpAddr","TargetMa
cAddr","TargetIpAddr","ProcessingType","ResumeLayer","GreKey","FlowType","EncapType","PortUniqueName","NatPoolId","NatRangeType","Ipv4Addr","StartPort","EndPort","RefLimit","Ipv6Addr","NatPortBindingAction","InternalIpv4Addr","InternalIpv4Port","ExternalIpv4Addr","ExternalIpv4Port","Reference","InternalIpv6Addr","InternalIpv6Port","ExternalIpv6Addr","ExternalIpv6Port","IndexType","IpAddr","MappingType","ProviderIpv4Addr","SerializationAction","SerializationItemType","ItemSize","ItemReference","ItemVersion","AdditionalContext","QueueName","QosQueueAction","EnforceIntraHostLimit","TransmitCap","TransmitReservation","ReceiveCap","TransmitMaxQueue","ReceiveMaxQueue","MaxQueuePointer","Rate","MaxQueueAction","SubscriberContext","NeighborChangesFlags","RouteChangesFlags","NextHop","AccessTime","RuleContext","SrcIP","DstIP","LineId","FailedReason","ReservationMode","DefaultReservation","LinkSpeedPct","LinkSpeedGuaranteePct","ReservableBw","AvailableBw","AllocationEvent","SrcPortId","VLAN","SrcPortName","SrcPortFriendlyName","DstPortId","DstPortName","DstPortFriendlyName","Ext1","Ext2","SaveDataSize","BlockOnRestore","Oid","InnerMacVmqSettingEnabled","InnerMacFilterSet","CachePruningTimeout","CachePruningThreshold","NumNdEntries","PeerOuterIpv4Addr","PeerInnerMacAddr","TNI","SecurityApiName","SelectParamInfo1","SelectParamInfo2","SelectParamInfo3","SelectParamInfo4","DeactivateReason","DtlsContentType","DtlsHandshakeProtocol","GenericNumericParam1","GenericNumericParam2","GenericStringParam1","GenericStringParam2","PADiscoveryFlowState","PADiscoveryType","DiscoveredIpv4Addr","FileOperation","TraceObjectOperationType","SubType","ControlFailureReason","EncapDstIpv4Addr","EncapSrcIpv4Addr","InnerDestMacAddr","EncapDstIpv6Addr","EncapSrcIpv6Addr","GftCounterId","UnifiedFlow","OldGftFlowState","NewGftFlowState","IsPendingDelete","IsMarkedForHwDeletion","ReoffloadReqd","RetryOffload","GftFlowBlockReason","GftFlowRetryReason","ProviderFlowEntryId","GftFlowState","GftFlowOffloadRea
son","PortContext","TagId","IsMain","NumPackets","NumReversePackets","NumReverseBytes","NumOutboundFlowsReplaced","NumInboundFlowsReplaced","PortTimerFunction","SuspendedLmState","MaxEntries","StepDownMinItem","NextTimerUpdateInterval","OutstandingWorkItems","HeuristicTimerUpdatesEnabled","SwitchContext","MappingIndexType","Ipv6AddrLength","VPortId","UseVlanMask","UseMaxVlanRange","UseMinVlanRange","VlanMask","MaxVlanRange","MinVlanRange","GftClientHandle","GftProviderHandle","GftClientDirectConfigurationRequestCompleteHandler","GftProviderDirectConfigurationRequestHandler","EnableHardwareCaps","EnableHardwareReservations","EnableSoftwareReservations","AttachedFunctionId","HandShakePacketType","TotalPages","VpIndex","ExceptionInfo","ExceptionSyndrome","Gva","Gpa","Pfn","WheaResult","Parameter6","Parameter7","Parameter8","Locator","CollectionName","MinVal","MaxVal","ReplicationSuccessCount","ReplicationSize","ReplicationLatency","ReplicationMissCount","ReplicationFailureCount","NetworkFailureCount","MaxReplicationLatency","ApplicationConsistentSnapshotFailureCount","PendingReplicationSize","MaxReplicationSize","PropertyOf","ResourceSubType","LowerBound","UpperBound","ChildPoolId","ParentPoolId","VMCount","NumberOfMon","VmGuid","GPUName","PoolResourceType","OptionalParameter1","OptionalParameter2","ExpectedMajorVersionNumber","ExpectedMinorVersionNumber","ActualMajorVersionNumber","ActualMinorVersionNumber","StorageType","AbsolutePath","BaseDirectory","DeviceInstaceId","DeviceLocationPath","WALReplicationSuccessCount","VhdFormat","CurrentMB","TotalMB","CopyRateMBSec","VmqIndex","SourceProcIndex","DestinationProcIndex","BytesDropped","NewSendWindow","MinSendWindow","SBytesRequested","DropRate","IdleIntervals","RcSendWindow","RcEpisodeLength","RcStatMuxFactor","RcExitThreshold","AverageMaxBytesRequested","NetLuid","ActiveFlows","ActiveWeight","FlowConformanceEvent","LastConformanceTime","PeakConformanceTime","Tokens","MaxTokens","LastConformanceCredits","FlowSendQueueEv
ent","IdleTime","DelayTime","BytesRequested","BytesQueued","TimerEvent","TimerId","SetTime","FlowsProcessed","NblsSent","NblsDropped","BytesCompleted","BytesInQueue","BufferAvailable","BetaTerm","AlphaTerm","DeltaSendWindow","Reservation","BurstLimit","DataOidTarget","SrcNicNameLen","SrcNicName","SrcNicFNameLen","SrcNicFName","SrcNicIndex","DstNicNameLen","DstNicName","DstNicFNameLen","DstNicFName","DstNicIndex","StatusTarget","RssQueueIndex","ProcUtil","QueueLoad","SafeThreshold","ReceiveProcIndex","SendProcIndex","DestinationReceiveProcIndex","DestinationSendProcIndex","IsActivate","RoutingDomainCount","MultiTenantStackEnabled","ObjectState","NicState","NicPaused","BuffersNotReady","AclNameLen","AclName","IpsecOffloadInboundDropReason","DestAddressLen","IpsecSaOffloadFailureReason","BufferAddress","DestNicNameLen","DestNicName","DestNicFNameLen","DestNicFName","ExtensionNameLen","ExtensionGuidLen","ExtensionGuid","ExtensionFriendlyNameLen","ExtensionFriendlyName","ReasonLen","MacAddressLen","MemberAdapterNameLen","MemberAdapterName","MemberAdapterFriendlyNameLen","MemberAdapterFriendlyName","TimeDiff","Port1NameLen","Port1Name","Port1FNameLen","Port1FName","Port2NameLen","Port2Name","Port2FNameLen","Port2FName","ServerVersionLen","ClientVersionLen","ExtensionNameLength","FeatureClassId","QueueMode","NicIndex","NetCfgInstanceId","ConfigurationType","VmqSupported","dynamicVmqSupported","EnabledFilterTypes","EnabledQueueTypes","SupportedQueueProperties","SupportedFilterTests","SupportedHeaders","SupportedMacHeaderFields","RoutingDomainGuidLen","RoutingDomainGuid","RoutingDomainNameLen","OldMember","NewMember","Member","TeamNic","Aggregator","StatusBufferLen","StatusBuffer","Receiver","OldAggregator","NewAggregator","BufferLen","Ready","ChurnType","DriverObject","HeaderRevision","HeaderSize","SaveDataSizeOverflow","VlanID","vPortId","VportsSupported","EmbeddedTeaming","DstVPortId","VlanId","MacLength","SrcVPortId","SwitchFriendlyNameLen","SwitchFriendlyName","TeamingM
ode","LoadBalancingAlgorithm","VmqSumOfQueues","NicFriendlyNameLen","NicFriendlyName","NvgreEnabled","VxLanEnabled","AvailableAddressFilters","RequestedVlanIDs","RdmaWeight","OidFailureStatus","FailureMode","DropLowResourcesPackets","ConnectivityState","MappedNicNameLen","MappedNicNicName","RequestedMappedNicFNameLen","RequestedMappeNicFName","RequestedNumberOfQueue","AdjustedNumberOfQueue","VMSServicingState","ChannelServicingState","ByPassExtensionStack","RequiredExtensionCount","LogRateLimitEventId","DetectionDuration","ProtectionDuration","SkippedLogCount","VFDataPathActive","OldNicIPv4RscEnabled","OldNicIPv6RscEnabled","NewNicIPv4RscEnabled","NewNicIPv6RscEnabled","RscStateModifiedReason","OldPortRscEnabled","NewPortRscEnabled","ChangeStateTo","IovUsage","OldMaxNumVFs","NewMaxNumVFs","FoundMatchedNic","VFNeedToBeAssignedOrRevoked","OldSriovSupport","NewSriovSupport","DefaultNicSwitchCreated","VFDataPathReady","MasterMessageId","CreditsGranted","ResponseTime_QPC","ShareType","MaximalAccess","AllocationSize","LengthRead","LengthWritten","Remaining","WriteChannelInfoOffset","WriteChannelInfoLength","LeaseFlags","LeaseState","LeaseDuration","LeaseKey","IoctlFlags","Infoclass","LengthWrite","GpaPageIndex","FileRelativePath","RamSizeInMb","MemoryFilePath","MinimumSizeInMb","MaximumSizeInMb","RamBlockAddress","RamBlockNumber","FileSizeInMb","ServicingStage","OldImageVersion","NewImageVersion","ServicingType","OldFirmwareVersion","NewFirmwareVersion","Force","Rax","Rbx","Rcx","Rdx","Rsp","Rbp","Rsi","Rdi","R8","R9","R10","R11","R12","R13","R14","R15","Rip","Rflags","FpControlStatus","XmmControlStatus","Cr0","Cr2","Cr3","Cr4","Cr8","Xfem","Dr0","Dr1","Dr2","Dr3","Dr6","Dr7","Es","Cs","Ss","Ds","Fs","Gs","Ldtr","Tr","Idtr","Gdtr","Tsc","ApicBase","SysenterCs","SysenterEip","SysenterEsp","FailureCategory","InstructionByteCount","InstructionBytes","PendingInterruption","VmErrorCode","EmulatorId","EmulatorName","ApiCall","DevicePath","DeviceLuid","VfLuid","HwProviderId","Gp
aRangeHandle","TargetFrameName","ReferrerUrl","cx","cy","AppPoolId","ConnId","RawConnId","RequestURL","RequestVerb","HttpSubStatus","TotalReqs","CurrentReqs","RedirectedURL","HstsOperation","AccessPerms","RecursiveLevel","FileNameOrURL","OldUrl","NewUrl","OldHandlerName","NewHandlerName","NewHandlerModules","NewHandlerScriptProcessor","NewHandlerType","SupportsIsInRole","Precondition","HeaderName","HeaderValue","Replace","AuthTypeSupported","NTLMUsed","RemoteUserName","AuthUserName","TokenImpersonationLevel","RequestAuthType","KMUsed","APUserName","SPNName","ADConfigIsOK","KerberosInfo","CurrentFlags","NeededFlags","NotificationStatus","OrigURL","OrigPath","MatchingPath","MatchingURL","ScriptMapEntry","FinalURL","FinalPath","OrigUserName","FinalUserName","PasswordChanged","OrigClientHostName","OrigClientUserName","OrigServerName","OrigOperation","OrigTarget","OrigParameters","OrigHttpStatus","OrigWin32Status","FinalClientHostName","FinalClientUserName","FinalServerName","FinalOperation","FinalTarget","FinalParameters","FinalHttpStatus","FinalWin32Status","RequestedURL","DenialReason","OriginalFileSize","CompressedFileName","CompressedFileSize","CompressedSize","Successful","FileFromCache","FileAddedToCache","FileDirmoned","LastModCheckErrorIgnored","LastModifiedTime","URLInfoFromCache","URLInfoAddedToCache","HttpsysCacheable","TimeToLive","fIsPostNotification","fIsPostNotificationEvent","CompletionBytes","HttpReason","ConfigExceptionInfo","PositionInQueue","MaxInstances","IsNewProcess","RequestNumber","ProgId","Blob","FileExistsInMemory","FileLastModifiedTimeInMemory","FileSizeInMemory","FileExistsOnDisk","FileLastModifiedTimeOnDisk","FileSizeOnDisk","IsInMemoryViewOfFileRecent","ConfigFileObjectAddress","CryptoImpersonationToken","FileImpersonationToken","RedirectionPath","Password","WatchSubPaths","IsPollingMonitor","IsSchemaFileMonitor","CallSite","MetadataName","VirtualDirectoryPath","RelativeVirtualPath","ImpersonationToken","IsCustomMapping","ConfigurationElem
entName","ConfigSourceFilePath","ConfigCacheAddress","FileChangeNotificationMonitorAddress","ConfigFileAddress","lpFileName","dwDesiredAccess","dwShareMode","dwCreationDisposition","dwFlagsAndAttributes","IsTransacted","TokenHandle","TargetType","IsGranular","IsApplicationSpecific","IsLocationTag","OriginalImpersonationTokenHandle","ImpersonationTokenHandle","hSourceHandle","hTargetHandle","RemainingRetryCount","SizeInBytes","LogonID","MetabasePath","CallerImagePath","MetabaseSourcePath","MetabaseDestinationPath","NewKeyName","BackupName","ImportFileName","CLRRunTimeVersion","GLE","IMEType","PreviousKey","CurrentKey","ComponentClsid","InitalizationStep","TableEntryIndex","ApplicationState","HasActionsMenu","DesktopTabletModeState","FailedOperation","DisplayLimit","OpaqueStateDuration","ToastHeight","ToastWidth","NotificationId","DisplayIndex","IsSpecialToast","PlayingNotificationId","OutgoingNotificationId","IncomingNotificationId","CancelStatus","MonitorIdentity","AppUserModelID","MenuOption","ErrorResult","ChangeTo","JSON","ImpressionGUID","ArrowDirection","IsVisible","PartialQuery","SelectedPosition","MaxQueryLengthWithSuggestion","HBT","DroppedAPIcall","InputMethod","FirstItemId","LastItemId","ViewportFlags","ViewMode","Body","QueryString","EndpointCode","HTTPResponseCode","HTTPHeaders","HTTPPostPayload","ScrollDirection","NewVisibilityState","Orientation","LayoutAction","TelemetryId","DataCenter","IsAbandoned","JSONPayload","TelemetryID","EncodedFilePath","UriSchemeOrFileExtension","EntryID","ContractId","Quota","CurrentUsage","BytesToReduce","BytesReclaimed","ReportedError","ContactId","NumberOfContacts","FailedAttempts","ItemCount","LowPriority","CloudPriorityModeEnabled","TileSize","TileType","ShortcutLocation","widthMenu","heightMenu","widthMonitor","heightMonitor","widthGrid","heightGrid","monitorDPI","monitorPPI","QuiesceBool","BlockUnblockBool","IsMainView","IddAdapterLuid","PathCount","ConnectorIndex","DescriptorType","InputModeCount","SevenBitI2CAddres
s","DataSizeInBytes","LastShapeId","SwapChainPointer","WddmAdapterLuid","VidPnTargetId","FrameNumber","PresentationFrameNumber","FrameStatus","ReencodeNumber","FrameSliceTotal","CurrentSlice","FrameAcquireQpcTime","FrameProcessingStepsCount","SendStartQpcTime","SendStopQpcTime","SendCompleteQpcTime","ProcessedPixelCount","FrameSizeInBytes","Valid","TargetModeIndex","PixelRate","VSync","ActiveWidth","ActiveHeight","RequiredBandwidth","RgbBitsPerComponent","MonitorModeIndex","VSyncDivider","Preferred","PathIndex","MonitorConnectorIndex","PathFlags","ColorSpace","StepIndex","StepType","MftContext","PhysicalWidth","PhysicalHeight","Position.x","Position.y","Resolution.Width","Resolution.Height","Rotation","ColorMode","PhysicalSize.Width","PhysicalSize.Height","ColorimetryFlags","HostAdapterLuid","HostVidPnTargetId","Positionx","Positiony","ResolutionWidth","ResolutionHeight","PhysicalSizeWidth","PhysicalSizeHeight","PhysicalDeviceObject","VendorID","VersionNumber","DeviceInstancePath","DeviceServiceName","DeviceUpperFilters","DeviceLowerFilters","CollectionCount","ReportDescriptorLength","ReportDescriptor","StateMachineCurrentState","OpenCount","LastReadReportSuccessTime","NumReadReports","NumReadReportsSinceStart","NumReadReportsSincePresence","NumReadReportsSinceD0","NumReadReportsSinceCaptureState","DeviceStartStatus","Collections","LocaleName","WinDir","ProdessName","Locale","LCType","lpLCData","Calendar","CalType","lpLCalData","GeoId","AltSort","Win32ErrorCode","Win32ErrorMessage","ServerType","FromVersion","ToVersion","DhcpAuditLogType","DhcpAuditLogDate","OldPort","NewPort","FailureDescription","GroupPolicyObject","GpoName","ServerOperation","CustomFieldName","DatabaseSchemaVersion","IpamServerExpectedSchemaVersion","DatabaseLocale","IpamServerLocale","NewDatabaseType","NewDatabaseAuthenticationType","NewDatabaseName","NewDatabasePath","NewDatabaseServerOrIP","NewDatabaseServerPort","NewDatabaseCredentialUsername","CurrentDatabaseType","CurrentDatabaseAuthenticat
ionType","CurrentDatabaseName","CurrentDatabasePath","CurrentDatabaseServerOrIP","CurrentDatabaseServerPort","CurrentDatabaseCredentialUsername","PreviousDatabaseType","PreviousDatabaseAuthenticationType","PreviousDatabaseName","PreviousDatabasePath","PreviousDatabaseServerOrIP","PreviousDatabaseServerPort","PreviousDatabaseCredentialUsername","CustomField","CustomFieldValue","NodeClass","ActivityStatus","NodeLevel","IpBlock","ConfigurationSettingValue","ConfigurationSettingName","OldConfigurationSettingValue","IpAddressRange","VirtualizationType","StartIp","EndIp","ManagedBy","ServiceInstance","AddressSpace","DeletedValue","LogicalGroupName","ThresholdValue","DcConfigurationSetting","DnsConfigurationSetting","DhcpConfigurationSetting","ServerNameOrIp","AuditLogType","ScopeId","NewAlertLogValue","OldAlertLogValue","ResourceRecordType","ResourceRecordName","CustomFieldValue1","CustomFieldValue2","CustomField1","CustomField2","AccessScopePath","AccessPolicyUser","UserRoleName","PartnerServerName","IpSubnet","AddressSpaceType","NewConfigurationSettingValue","SuperscopeName","SuperscopeNewName","OldAccessScopePath","NewAccessScopePath","DHCPServer","ZoneCategory","ZoneType","DNSServer","DnsConditionalForwarderName","FullException","ScheduleTime","VendorClassName","UserClassName","OptionId","ExclusionRangeStartAddress","ExclusionRangeEndAddress","date","NewLoggingTypeValue","ManagedByService","DaysToExpiry","FileLocation","SoapAction","IPAddressRange","NewUtilizationStatus","OldUtilizationStatus","PercentUtilized","TimeoutValue","ObjectAccessScope","PoliciesMatched","AccessRequired","ClientMachineName","TunnelSourceIP","QuestionName","Translated IPv4 Address","TranslatedIPv4Address","TeredoReasonCode","ProtocolType","ServerUrl","IpHTTPSReasonCode","Router IPv4 Address","Reachable","RouterIPv4Address","RouterName","Resolved","TeredoPacketType","Destination IP 
Address","DestinationIPAddress","ReceivedTeredoPacketType","SentTeredoPacketType","MappedTeredoPacketType","TeredoProtocolState","Bad or Invalid Packet","BadorInvalidPacket","PreviousTeredoProtocolState","CurrentTeredoProtocolState","SocketAddress","Primary or Secondary","Destination Address","PrimaryorSecondary","Source Ipv6 Address","Socket Address","InterfaceState","Current IPv4 Address","New IPv4 Address","CurrentIPv4Address","NewIPv4Address","Destination IPv4 Address","Next Hop IPv4 Address","NextHopIPv4Address","AddedorDeleted","PrefixLen","InterfaceAlias","ValidLifeTime","Publish","IcsPrivateInterface","AdvertiseDefaultRoute","Advertises","Forwards","New RoutingState","Old RoutingState","NewRoutingState","OldRoutingState","HaveGlobalIpv6Address","ICS Enabled","GlobalIPv4AddressCount","ICSEnabled","Interface Index","RoutingState","PrefixConf","SuffixConf","ProtocolCallback","Windows Error Code","WindowsErrorCode","NetworkType","UpperValue","LowerValue","PortPredicted","Teredo_operation_started","Teredo_operation_ended","Teredo_operation_failed","CertificateCN","Preference","LimitedConnectivity","GlobalIpv6AddressCount","Ipv4Connectivity","Ipv6Connectivity","CorpConnectivity","NetworkGuid","DefaultRouter","IPHTTPS","WmiNotificationType","ProxyAccessType","QueryReceiveInterface","QuerySendInterface","DnsStatus","Object2","PROXYMGR","SiteSelectionMethod","IphttpsProfileName","TeredoServerIp","SiteIpv6Address","AdSiteName","CorporateRanges","SortingSiteName","SortingMetric","ProbingSiteName","SiteUrl","PortProxy","Synthetic_IPv4_Range","IPv4Prefix","Synthetic_IPv4_Address","Synthetic_IPv6_Address","VersionHigh","VersionLow","dwControl","dwPort","szInitiatorName","VirtualDiskIndex","hrErrorString","szTargetName","MaximumAllowedSize","CDBCommand","KeyPath","MRKID","PduType","BeginNonEmptyBuckets","BeginTotalBuckets","BeginTotalEntries","NonEmptyBuckets","TotalBuckets","TotalEntries","KDCName","KDCAddress","TrustStatus","NumerOfFailures","LockedOutPeriod","ServerDoma
in","KerbErr","SuppliedRealm","AccountSET","AccountKeys","ServiceID","ServiceSET","ServiceKeys","DCSET","DDSET","DCKeys","AdvertizedEtypes","Cipher","CipherName","ClientNetBIOSName","EntryNumber","Machine","DMSA","MigrationState","ResponseTicket","ClientNetbiosName","ResponseExtendedNtStatusCode","ResponseTicketLength","ResponseTicketStartTime","ResponseTicketEndTime","RequestSupportedEncryptionTypes","RequestFullServiceName","RequestFullServiceNameType","RequestClientName","RequestClientNameType","RequestRealm","ResponseTicketFullServiceName","ResponseTicketFullServiceNameType","ResponseTicketRealm","ResponseTicketKeyVersion","ResponseEncryptedDataEncryptionType","ArmorKeyEncryptionType","ClientPreAuthEncryptionType","PacRequestType","CertNotBefore","CertNotAfter","CertSubjectName","PreAuthNonce","LogonStatus","PreAuthSupportedEncryptionTypes","ClientCertificateContextLength","ClientCertificateContext","UsedOldPassword","UserObjectGuid","PacOptions","RequestTicketLength","RequestTicketAuthTime","RequestTicketFlags","RequestTicketRenewUntil","RequestTicketStartTime","RequestTicketEndTime","RequestAuthDataEncryptionType","RequestAuthDataLength","RequestNonce","RequestTicketFullServiceName","RequestTicketFullServiceNameType","RequestTicketRealm","RequestTicketClientName","RequestTicketClientNameType","RequestTicketClientRealm","RequestTicketKeyVersion","RequestTicketEncryptionType","U2UTgtAccountName","U2UTgtCRealm","U2UTgtCName","U2UTicketLength","U2UTicketEncryptionType","U2UTicketHash","U2UTicketKeyVersion","U2UTicketFullServiceName","U2UTicketFullServiceNameType","S4UAccountName","S4UPACClientName","S4UPACClientRealm","S4UTargetName","S4UNonce","S4URequestorSid","S4UAdditionalTicketKeyVersion","S4URequestorServiceName","S4URequestorServiceRealm","S4UAdditionalTicketLength","S4UAdditionalTicketEncryptionType","S4UAdditionalTicketHash","S4UAdditionalTicketFullServiceName","S4UAdditionalTicketFullServiceNameType","ServiceObjectGuid","RequestTicketPacLogonInfoLength",
"RequestTicketPacLogonInfo","RequestTicketPacUpnDnsInfoLength","RequestTicketPacUpnDnsInfo","RequestTicketPacRequestorSid","RequestTicketPacLogonServer","RequestTicketPacLogonDomainName","RequestTicketPacFullName","RequestTicketPacHomeDirectory","RequestTicketPacGroupIds","RequestTicketPacUserId","RequestTicketPacPrimaryGroupId","RequestTicketPacGroupCount","RequestTicketPacBadPasswordCount","RequestTicketPacLogonCount","RequestTicketPacUserAccountControlFlags","RequestTicketPacUserFlags","RequestTicketPacLogonTime","RequestTicketPacLogoffTime","RequestTicketPacKickOffTime","RequestTicketPacPasswordLastSet","RequestTicketPacLastSuccessfulLogon","RequestTicketPacLastFailedLogon","RequestTicketPacFailedAttemptCountSinceSuccessfulLogon","ResourceFlag","GeneralFlag","TypeSpecificFlag","Granularity","AddressMin","AddressMax","AddressTranslation","GpeRegister","UnexpectedEventMap","ThermalZoneDeviceInstanceLength","ThermalZoneDeviceInstance","_TMP","_PSV","_AC0","_AC1","_AC2","_AC3","_AC4","_AC5","_AC6","_AC7","_AC8","_AC9","_HOT","_CRT","Thermal_zone_device_instance","ActiveCoolingLevel","ActiveCoolingDeviceIndex","FanDeviceInstanceLength","FanDeviceInstance","PowerStateLength","PowerState","AmlMethodNameLength","AmlMethodName","AmlMethodState","AmlElapsedTime","Throttle","Active_cooling","Passive_cooling","DeviceBiosNameLength","DeviceBiosName","DeviceResetType","AcpiOverrideType","ButtonDeviceInstanceLength","ButtonDeviceInstance","ExecutablePathLength","RegistryPathLength","RegistryPath","KeyNameLength","ParentKeyNameLength","ParentKeyName","BitsPerPixel","BytesPerMs","BytesRead","ApplicationGuid","ImageFlags","ErrorIgnored","BootmgrTime","DriveNumber","PreBootMgrTime","UefiVariableName","ImageLoadStatus","PeImageName","PeImageLoadStatus","DeviceFlags","UpdateSupportedStatus","RetrieveDriverListTime","LoadDriversTime","LoadHiveTime","ApplicationIdentifier","ApplicationLoadTime","ApplicationExecutionTime","Command_code","Response_code","Elapsed_time","CommandCode","Res
ponseMilliseconds","CommandSize","CommandData","ResponseSize","ResponseData","FveGlobalDataFlags","EnvironmentState","File_modification_detected_after_load","UpdateCapsuleStatus","HiveLoadStatus","FailedPath","Import","SiPolicyStatus","TpmBindingProvisioningStatus","TxtErrorCode","KeyGenerationStatus","SealAndSaveStatus","UEFIKeysStatus","UnLatchedCiPolicyVersion","LatchedCiPolicyVersion","LatchedAntiRollbackCounterValue","CurrentCiPolicyVersion","CurrentAntiRollbackCounterValue","MinimumUnsealCiPolicyVersion","AuthorizationIsDelegated","Point","OsDeviceId","SystemRoot","VsmLKeyRelPath","LatchedUnsealPolicyRelPath","UnlatchedUnsealPolicyRelPath","LatchedPrimaryProtectorVariableName","LatchedSecondaryProtectorVariableName","UnlatchedPrimaryProtectorVariableName","UnlatchedSecondaryProtectorVariableName","LatchedProtectorUsedLocal","LatchTheUnlatchedLocal","UnsupportedRollbackLocal","UpgradedAntirollbackPolicyExistsLocal","PkgWasCorruptOrUnavailableLocal","CreationStateVerifiedLocal","PrimaryProtectorTargetPcrSealMaskLocal","LatchedProtectorExists","UnlatchedProtectorExists","KeyPkgIdTpmCounterValue","UseUnlatchedProtector","NeedToResealPrimaryProtector","NeedToResealSecondaryProtector","NeedToResealPca2023Protector","pSubStatusPrimaryBlobUnsealStatus","pSubStatusBackupBlobUnsealStatus","pSubStatusPca2023ProtectorUnsealStatus","pSubStatusBackupBlobValidityCheckStatus","pSubStatusBackupBlobStillValid","pSubStatusPca2023ProtectorValidityCheckStatus","pSubStatusPca2023ProtectorStillValid","pSubStatusPrimaryBlobResealStatus","pSubStatusBackupBlobResealStatus","pSubStatusPca2023ProtectorResealStatus","pSubStatusV2ProtectorsUsed","pSubStatusLegacyUefiVarQueryStatus","pSubStatusLegacyUefiVarCleanupStatus","pSubStatusActivePolicyVersion","pSubStatusLatchedPolicyVersion","pSubStatusUnlatchedPolicyVersion","LatchedUnsealPolicyValid","LatchedUnsealPolicyVersion","LatchedUnsealPolicyVarDataOffset","LatchedUnsealPolicyStructureSize","LatchedUnsealPolicyPolicyVersion","LatchedUnsea
lPolicyPolicyHashLength","LatchedUnsealPolicyWinloadSVN","LatchedUnsealPolicyWinresumeSVN","LatchedUnsealPolicyBootmgrSVN","LatchedUnsealPolicyLKeyPkgId","UnlatchedUnsealPolicyValid","UnlatchedUnsealPolicyVersion","UnlatchedUnsealPolicyVarDataOffset","UnlatchedUnsealPolicyStructureSize","UnlatchedUnsealPolicyPolicyVersion","UnlatchedUnsealPolicyPolicyHashLength","UnlatchedUnsealPolicyWinloadSVN","UnlatchedUnsealPolicyWinresumeSVN","UnlatchedUnsealPolicyBootmgrSVN","UnlatchedUnsealPolicyLKeyPkgId","PcrSealMask","UpgradedAntirollbackPolicyExists","EncryptionStatus","EncryptedLKeyArrayPkgSize","EncryptedLKeyPkgPdGuid","UnlatchedUnsealPolicySize","LatchedUnsealPolicySize","PrimarySealedBlobName","SecondaryProtectorVariableName","BlobFromUefiVariableSize","UefiContentIsSealed","UnsealedBlobSize","Pcr7SealingUsed","PkgTpmSealMaskLocal","PkgTpmCreationMaskLocal","NeedToResealKeyPkg","NeedToResealBackup","PlaintextBlobSize","PlaintextIsLegacyFormat","UefiBlobIsCorrupt","NewKeyID","ContainsAuthorityData","Authority","SealedBackupEncryptionKeySize","SealedPca2023EncryptionKeySize","ValidatedUnsealPolicyVersion","ValidatedUnsealPolicyVarDataOffset","ValidatedUnsealPolicyStructureSize","ValidatedUnsealPolicyPolicyVersion","ValidatedUnsealPolicyPolicyHashLength","ValidatedUnsealPolicyWinloadSVN","ValidatedUnsealPolicyWinresumeSVN","ValidatedUnsealPolicyBootmgrSVN","ValidatedUnsealPolicyLKeyPkgId","LegacyMainBlobVariableName","LegacySecondaryProtectorVariableName","KeysAreLegacyLocal","OsDataDeviceId","FirstWriteToDiskLocal","WritePkgToUefiLocal","PcrMask","UnsealPolicyPdGuid","SealingProtectorFixedBufferSize","SealingProtectorUsedBufferSize","SealedSecretBufferSize","PcrInfoArrayElCount","UnsealPolicyVersion","UnsealPolicyVarDataOffset","UnsealPolicyStructureSize","UnsealPolicyPolicyVersion","UnsealPolicyPolicyHashLength","UnsealPolicyWinloadSVN","UnsealPolicyWinresumeSVN","UnsealPolicyBootmgrSVN","UnsealPolicyLKeyPkgId","SealedEncryptionKeySize","ProtectorBlobFromUefiVariableSi
ze","algID","digestLength","PcrIndex","PcrValue","OutstandingCount","ApplicationsCount","Vtl","SvnCounterId","SvnValue","PrevSvnValue","Intel_TXT_SENTER_time","SinitTimeMs","Intel_TXT_prepared_ACM_date","AcmDateDay","AcmDateMonth","AcmDateYear","MirrorStatus","MirrorPercentage","AmdSlErrorCode","HotPatchPathLength","HotPatchPath","HostDumpFileName","TargetDumpFileName","EventsLostCount","BcdOption","BcdElement","AcmInfoTableVersion","UpdateStatusEnum","FwLevel","LoadedBootAppSvn","EnforcedBootAppSvn","FwStartPage","FwPageCount","FwMemoryType","FwMemoryAttributes","BlStartPage","BlPageCount","BlMemoryType","BlMemoryAttributes","FailureMsg","ToolsCount","OptionSelected","ResetEndStart","LoadOSImageStart","StartOSImageStart","ExitBootServicesEntry","ExitBootServicesExit","Soft_reboot_cancellation_started","FreePersistentPages","Soft_reboot_cancellation_finished","TryComplete","Soft_reboot_prepare_finished","Soft_reboot_complete_prepare_finished","PpamStatus","KernelAffinitization","RequestedAffinity","DeferredRoutineAddress","RequestedProcessorNumber","DpcRoutineKey","CpuNumber","SoftTimeoutTicks","ModuleNameLength","CumulativeTickCount","CumulativeSoftTimeoutTicks","DpcSequenceNumber","ThresholdTicks","SingleTickCount","Cause","TransferSize","IORequestPacket","HighResResponseTime","AllowCrashDump_policy","BuffersPersisted","BuffersWritten","BuffersLost","SessionGuid","LoggerMode","LogFileName","MinimumBuffers","MaximumBuffers","PeakBuffersCount","CurrentBuffersCount","FlushThreshold","EventsLost","RealTimeBuffersLost","LoggerId","MatchAnyKeyword","MatchAllKeyword","EnableProperty","ProviderGroupGuid","MaximumAllowed","MemoryPartitionHandle","RequestedGroupMask","PermittedGroupMask","TransitionStartTime","SoftRestartCount","BugcheckRecovery","FailureResult","LoaderTime","InternalBootFlags","HalRtcErrorCode","IsSoftBoot","Filter_name","FilterNameLength","DumpEncryptionFailureReason","VHD_name","AddPagesControl","CallbackIdentifier","Duration_ms","MarkRequiredDumpDataDur
ation_ms","MarkImportantDumpDataDuration_ms","PopulateBitmapForDumpDuration_ms","RemoveSystemCacheFromDumpDuration_ms","CorralDuration_ms","DisableInterruptsDuration_ms","SaveSupervisorStateDuration_ms","SuspendClockTimerDuration_ms","UncorralDuration_ms","EnableInterruptsDuration_ms","RestoreSupervisorStateDuration_ms","ResumeClockTimerDuration_ms","LiveDumpEventDescription","Sizing_Workflow_Estimation_NT","NtEstimatedRequiredPrimaryDataBytes","NtEstimatedPrimaryDataBytes","HvEstimatedPrimaryDataBytes","HvEstimatedSecondaryDataBytes","SkEstimatedPrimaryDataBytes","MemoryEstimationDuration_ms","SystemQuiescedDuration_ms","EndMirroringPhasesDuration_ms","MirrorPhysicalMemoryDuration_ms","MirrorPhysicalMemorySizeInBytes","HvlCalculateLiveDumpSizeDuration_ms","MirrorInProgress","Included","BugCheckParameter1","BugCheckParameter2","BugCheckParameter3","BugCheckParameter4","AbortIfMemoryPressure","DumpCaptureDuration_ms","SelectiveDump","DynamicLowMemoryThresholdBytes","AvailablePhysicalMemoryInBytes","TotalPhysicalMemoryInBytes","IOSpaceEnabled","AllowLiveDump_policy","Proto","OS_Loader_Start","OS_Loader_End","OSLoaderStart","OSLoaderEnd","PreloadEndTime","TcbLoaderStartTime","LoadHypervisorTime","LaunchHypervisorTime","LoadVsmTime","LaunchVsmTime","ExecuteTransitionStartTime","ExecuteTransitionEndTime","PerformanceDataFrequency","Lower_Filters","Upper_Filters","Problem_Status","Last_Device_Instance_Id","Location_Path","Migration_Rank","LastDeviceInstanceId","MigrationRank","DeviceNode","ParentDeviceInstancePath","ReenumerateType","EventGuid","ProblemCode","ProblemStatus","Bus_ID","Device_ID","Instance_ID","BusId","PreviousParent","CurrentParent","SubtreeRootInstanceId","SubtreeIncludesRoot","RebalanceDueToDynamicPartitioning","RebalanceReason","ConflictResourceType","DurationInMs","ResetDeviceWhileStopped","RebalanceFailure","VetoNodeInstanceId","Child_Instance_ID","DeviceStackLocation","ServiceNameLength","HardwareConfigurationId","Thread_ID","EventCategory","EventArg
ument","EventArgumentStatus","CategorySpecificData_Guid","CategorySpecificData_String","TimeMs","ProcessImageName","DropCount","RegistrationTeardown","NotificationReceivedByClient","NotificationSpecific_Guid","UnicodeStringLength","NotificationSpecific_UnicodeString","NewProblemCode","NewProblemStatus","OldProblemCode","OldProblemStatus","CommandLineLength","VetoingDevicesLength","VetoingDevices","SparePath","ExtendedStatus","TargetAffinity","TargetProcessorCount","TargetMemoryCount","TargetMemorySize","SpareProcessorCount","SpareMemoryCount","SpareMemorySize","TimeTotal","TimeToQuiesce","TimeQuiesced","TimeToWake","TargetProcessors","TargetMemoryRanges","SpareProcessors","SpareMemoryRanges","PropertyKeyGuid","PropertyKeyPid","DeviceInterfaceId","InterfaceClassGuid","AppNameLength","Tid","EffectiveExecutionState","IgnoreReason","RequestedResolution","RequestIgnored","NewResolution","CurrentPeriod","MinimumPeriod","MaximumPeriod","KernelRequestCount","KernelRequestedPeriod","InternalSetPeriod","RequestedPeriod","WakeFromState","Ticks","PreviousPolicy","NewPolicy","User_presence","UserPresence","Session_Id","TransitionCount","Old_value","New_value","Old","New","Zeroed","Computed","SensorDisplayTimeout","DisplayTimeout","SensorInputTimeout","InputTimeout","SessionLockedTimeout","SensorEnabled","SpindownTimeout","TimerInterval","FlushInterval","DiskDeviceObject","SpmStatus","MinSVN","HiberrsmSVN","HiberrsmOSVersion","CoolingModeLength","CoolingMode","PassiveCoolingStateLength","PassiveCoolingState","AffinityCount","_TC1","_TC2","_TSP","DeltaP","_PSL","ActiveCoolingStateLength","ActiveCoolingState","HibernateTime","ProcessorId","ThrottleMSR","LogInterval","MinimumThrottle","Window","AcOnline","RemainingCapacity","FullChargeCapacity","ProgrammedWakeTimeAc","ProgrammedWakeTimeDc","WakeRequesterTypeAc","WakeRequesterTypeDc","_CR3","OverThrottleThreshold","DescriptionLength","_TZP","Firmware_S3_times_ResumeCount","FullResume","AverageResume","ResumeCount","SleepState","Reset
ReasonMask","ApiCallerNameLength","ApiCallerName","SystemAction","LightestSystemState","LidOpenState","ExternalMonitorConnectedState","ScenarioInstanceId","BatteryRemainingCapacityOnEnter","BatteryFullChargeCapacityOnEnter","ScenarioInstanceIdV2","EnergyDrain","ActiveResidencyInUs","NonDripsTimeActivatedInUs","FirstDripsEntryInUs","DripsResidencyInUs","DurationInUs","DripsTransitions","FullChargeCapacityRatio","AudioPlaying","AudioPlaybackInUs","NonActivatedCpuInUs","HwDripsResidencyInUs","ExitLatencyInUs","DisconnectedStandby","AoAcCompliantNic","NonAttributedCpuInUs","ModernSleepEnabledActionsBitmask","ModernSleepAppliedActionsBitmask","IsCsSessionInProgressOnExit","BatteryRemainingCapacityOnExit","BatteryFullChargeCapacityOnExit","InputSuppressionActionCount","NonResiliencyTimeInUs","ResiliencyDripsTimeInUs","ResiliencyHwDripsTimeInUs","GdiOnTime","DwmSyncFlushTime","MonitorPowerOnTime","SleepEntered","ScreenOffEnergyCapacityAtStart","ScreenOffEnergyCapacityAtEnd","ScreenOffDurationInUs","SleepEnergyCapacityAtStart","SleepEnergyCapacityAtEnd","SleepDurationInUs","ScreenOffFullEnergyCapacityAtStart","ScreenOffFullEnergyCapacityAtEnd","SleepFullEnergyCapacityAtStart","SleepFullEnergyCapacityAtEnd","PowerSchemeInfo","PowerButtonSuppressionActionCount","ScreenOffSwDripsResidencyInUs","ScreenOffHwDripsResidencyInUs","SleepSwDripsResidencyInUs","SleepHwDripsResidencyInUs","ActiveBatteryCount","RemainingPercentage","IsAcOnline","BatteryActionInternalFlags","IsPowerActionCallIgnored","IsPowerPolicyEnabled","PowerPolicyAction","PowerPolicyBatteryLevel","PowerPolicyEventCode","PowerPolicyMinState","ModuleGuid","ModuleVersion","HandlerGuid","HandlerStatus","FrozenProcessID","CapDurationInSeconds","PpcChanges","TpcChanges","PccChanges","IdleState","PerfState","Minimum_performance_frequency_percentage","Minimum_throttled_frequency_percentage","MinPerfPercent","MinThrottlePercent","FailStatus","ObjectPathLength","ProviderID","DroppedEventCount","SemActions","ScenarioCount","Sc
enarioInflightItems","SectionCount","ValidationBits","CreatorId","NotifyType","RecordId","Trasaction_Type","Transaction_Type","Uncorrectable_Error_Status","Correctable_Error_Status","Header_Log","SourceIdBus","SourceIdDev","SourceIdFun","UncorrectableErrorStatus","CorrectableErrorStatus","HeaderLog0","HeaderLog1","HeaderLog2","HeaderLog3","PlatformDirected","Uncorrected","Persisted","Image_name","IRP_Address","IRP_Stack_Loc_Code","IRP_Parameters","UInt32_Event_Number","Address_Stack","Irql","ErrorLevel","pIrp","PinId","BufSize","FilterAddress","FilterExt","pKsDevice","SdbPath","Generic_Keyboard_Filter_Service_message","Layout","KeyData","Remote","Dot3Allowed","WlanAllowed","CredentialsFound","Network_connection_attempt_result","Interface_GUID","Profile_Name","Windows_authentication_result","Language","PreviousLanguage","CallbackAPIName","BootCount","CurrentSessionRunCount","Account_RID","PolicySource","BackupDirectory","AdminAccountName","PasswordAgeDays","PasswordComplexity","PasswordLength","PasswordExpirationProtectionEnabled","PasswordEncryptionEnabled","PasswordEncryptionTargetPrincipal","PasswordEncryptionHistorySize","BackupDSRMPassword","PostAuthResetDelay","PostAuthActions","AutomaticAccountManagementEnabled","AutomaticAccountManagementTarget","AutomaticAccountManagementNameOrPrefix","AutomaticAccountManagementEnableAccount","AutomaticAccountManagementRandomizeName","Web_status","Error_msg","Encryption_principal_name","Encryption_principal_SID","DSRM_account_name","DSRM_account_RID","HTTP_status_code","Response_text","ExecEnvId","FarmName","ClientComputerName","NumOpens","SecondsIdle","SecondsExisted","LAPSManagedAccountName","LAPSManagedAccountSid","ClientProcessID","ClientProcessExe","RejectReason","AdminParameter","PacketPayloadLength","PacketPayload","PacketDiscardReason","Neighbor_ID","MsapIdLength","MsapId","Existing_Neighbor_ID","Recived_Neighbor_ID","ExistingMsapIdLength","ExistingMsapId","ReceivedMsapIdLength","ReceivedMsapId","ServiceCalled","Tick
etsCached","PointType","Attempts","latestIterationResult","continueRetry","isConnected","flowUrl","defaultUser","promptType","authUrl","endAuthUrl","ExInfo0","ExInfo1","ComponentMsgId","customString","arg1","CallingCode","component","istakeref","Accuracy","Generate","hint","Latitude","Longitude","Altitude","HorizontalAccuracy","VerticalAccuracy","Heading","Velocity","GnssEventType","NumberOfBytesTransferred","GnssEventSize","RequestParameter","Speed","hAccuracy","vAccuracy","SpeedAccuracy","hDilutionOfPrecision","PositionDilutionOfPrecision","Ioctl","SatelliteData","FixLevelOfDetails","ExpectedMinimumBytes","ExpectedMinimumSatelliteBytes","Pe","AccuracyType","AccuracyValue","AgeValue","IsVenueMandatory","IsClientSession","AttachedAcquireId","OwnerId","SourcePe","Floor","VenueId","ReportStatus","BlobSize","WinHttpResult","OrionResult","Hslp","HslpSource","HslpFromImsi","MPC","PDE","CommandType","InjectionType","InjectionStatus","InjectionDataSize","RequestNotificationType","RequestPlaneType","UserResponse","BlobFormat","RegStatus","Uncertainty","BlobVersion","GeofenceId","ReturnId","ARFCN","BaseStationID","CellID","LocationAreaCode","MobileCountryCode","MobileNetworkCode","BaseLat","BaseLong","NID","Neighbors","Executor","UiccApp","TrackingAreaCode","NeighborsBeaconHash","IsMulticellUsed","SignalStrength","MacAddresses","IsRecoverable","DeviceAvailable","SymbolicLink","DeviceInUse","IsExternal","PE","CachedPositions","IsInsideVenue","Lat","Lon","Acc","DcpProfile","SourcePE","IsReadyForData","IsValidData","rawDataListSize","IsCollectionStateActive","CollectionType","IsBufferFull","IsBatterySavings","IsUserPresenceOn","PrimaryPE","AcquireId","PeRole","RemainingTime","SpeedEstimate","Bearing","NumberOfPositions","UnreliablePositionAccuracy","UnreliablePositionSourcePe","ReliablePositionAccuracy","ReliablePositionSourcePe","PeCount","Pe1","Pe2","Pe3","Pe4","Pe5","Pe6","EndpointLengthInChars","TrackingIdLengthInChars","ServerStatus","MappedHResult","StatusStringLengthInCh
ars","OrionSource","WebproxyRequestId","WebproxyRequestType","WinHttpHandle","WinHttpEventType","WinhttpCallbackStatus","WinHttpApiType","PayloadLengthInChars","ServInd","hrWifiRegistration","hrCellRegistration","WifiConnectionState","WifiThrottlingOn","WifiThrottlingOnElapsedTimeSec","CellThrottlingOn","CellThrottlingOnElapsedTimeSec","ActivityDetectionThrottlingOn","ActivityDetectionThrottlingOnElapsedTimeSec","ADThrottlingOn","ADThrottlingOnElapsedTimeSec","PeName","IsPrimaryNativeTracking","IsSupportsNativePT","IsSupportsNativeDT","IsSupportsRequest","GeolocationClass","PositionStatus","Geolocator","Radius","DwellTime","SingleUse","TriggerType","ForegroundEvent","RegistrationOperation","ProccessId","GeofencesCount","GeofenceReportsCount","WnfForegroundEvent","TaskhostSource","GeoStatus","GeoPermission","Tracker","NumberOfGeofences","TrackedGeofencesCount","InternalTrackedGeofencesCount","TTFF","TriggerState","GeofenceCount","TransitionGeofenceCount","UnconditionalPermissions","PolicyPermissions","WinLegacyPolicyPermission","MasterPermissions","UserPermissions","UserWinLegacyPolicyPermissions","AppPermissions","IsAppContainer","PositionId","InferenceResult","PositionSource","ProgramName","FullCommandLine","ShadowAdmin","ShadowAdminSID","ReturnMessage","TerminationResult","CurrentlyEnabled","NewContextCreated","EnrollmentID","CallerID","componentName","actionsCount","menuItemsCount","submenusCount","submenuItemsCounts","navItemPath","jobID","jobSourceID","foundMachineCount","elapsedMiliseconds","visualType","inRect_x","inRect_y","inRect_width","inRect_height","horizontalOffset","verticalOffset","extentWidth","extentHeight","arg0","arg2","FromLatitude","FromLongitude","ToLatitude","ToLongitude","WaypointCount","TravelMode","RouteOptimization","StartHeadingInDegrees","DWPercent","LengthInMeters","DurationInSeconds","DurationWithoutTrafficInSeconds","GeometryCoordinatesCount","LegCount","ManeuverCount","DistanceInMetersToNext","ManeuverType","TrafficCircleExitNumber"
,"InstructionText","dipX","dipY","MapServiceTokenValue","BingKeyValidationStatus","Error_Propagated","P1_Dword","P2_Boolean","Prop_UInt32_1","Prop_UInt32_2","Prop_UInt32_3","Prop_OLTIEMID0","Prop_OLITEMID1","Prop_OLITEMID2","Prop_ReqGuid","Prop_Handle","Prop_String","Int32","Prop_hr","Prop_string","Prop_unit","Prop_UINT_1","Prop_UINT_2","Prop_UInt32_4","Prop_UInt32_5","Prop_UInt32_6","Prop_SubmissionID0","Prop_SubmissionID1","Prop_HResult","Prop_Dword4","Prop_Status","Prop_String_1","Prop_String_2","Prop_String_3","Prop_Dword_3","Prop_ContentLengthBytes","Prop_ContentChars","ActiveSyncProvider","Prop_Length","Prop_Binary","Prop_Guid","Prop_Ulong","Prop_Hex","Prop_HexInt32","Prop_Id1","Prop_Id2","Prop_1_UInt32","Prop_2_UInt32","Prop_Hr_UInt32","Prop_3_UInt32","Prop_4_UInt32","Prop_2_FILETIME","Prop_3_UnicodeString","Prop_Hr","Prop_Boolean","Prop_1_UnicodeString","Prop_2_UnicodeString","Error_selecting_folder","Prop_Uint","Prop_Uint1","Prop_Uint2","P4_UInt32","AutoConfig_Provider_result","P1_String","Set_PDC_Active","invalid_CCT_state","P1_Boolean","P2_Int32","P3_String","P4_Handle","Invalid_CCT_state","Prop_ansi","Prop_int1","Prop_int2","Prop_Dword_0","P2_UnicodeString","P3_Boolean","P3_UnicodeString","P3_Int32","P3_HexInt32","P1_Pointer","P3_SimAppState","P3_SlotState","P4_UnicodeString","P5_Boolean","P4_Boolean","P3_ResetStateType","Sync_WNF_event","P1_Guid","Notified_golden_account_existence","EngineGuid","Prop_Dword_4","SaverMode","Prop_HResult_2","P2_UInt","Prop_ScheduleTriggerRequirementFlags","WorkType","Prop_StringA_1","Prop_StringA_2","P1_UnicodeString","Prop_UINT1","Prop_UINT2","Prop_UINT3","Prop_UINT4","Prop_Bool1","Prop_Bool2","Prop_Bool3","Prop_HEXINT1","Prop_HEXINT2","Prop_HEXINT4","Prop_HEXINT3","Prop_FileTime1","ThemeFile","WallpaperFolder","RSSURL","Folders","SetupStep","NIC","Firewalls","NhedType","AffCode","Preset","ProtocolInfo","SeekUnit","SeekTarget","CMFTAsyncSimpleBase_ptr","NewCount","FunctionMapOEMValue","Arg1","Arg2","Arg3","Arg4","CMFTAsyn
cSimpleBase_lock","CMFTAsyncSimpleBase_AcquireStateLock","CMFTAsyncSimpleBase_ProcessOutput","CMFTAsyncSimpleBase_OutputLock","CMFTAsyncSimpleBase_AcquireOutputLock","CMFTAsyncSimpleBase_StateLock","CMSPRLAContentEnabler_ptr","CMSPRMFDecrypterTransform_ptr","PolicyChanged","rate","pts","clock","sampleTime","Ahead","QPC_snapped","PresentFlags","SyncInterval","Repeat","Restart","Now","DeltaToTarget_MS","History_QueuedFrames","History_QueuedFramesWithRepeats","QPC_target","QPC_actual","QPC_actual_behind","FramePeriod","FrameAdjustment","RatioAverage","FramesLate","qpcDeltaFromNow","protected","MaxPresentLatency","Queued","QueuedWithRepeats","EstimatedFramesNeeded","Free","DeltaToTarget","SubmittedAheadDelta","TimeInQueue","MinLatency","TargetQPC","HistoryPresents","TimeToDeadline","BufferIndex","paused","resumed","thinning","NumGlitches","NativeWidth","NativeHeight","EncodedWidth","EncodedHeight","EncodedSize","FramesEarly","QPC_Prev","Delta_us","Delta_Frames","DeltaPerFrame_us","RatioToPrimary","InputFrameIndex","FrameIndex","PreviousFramerate","Framerate","MinFramerate","MaxFramerate","QPC_Actual","QPC_Smoothed","QPC_SmoothedNonQuant","IsIFlip","Frames","Requested","ReferenceCounter","Swapchain","TextureArray","SrcRect_Left","SrcRect_Top","SrcRect_Right","SrcRect_Bottom","DstRect_Left","DstRect_Top","DstRect_Right","DstRect_Bottom","DstSize_Width","DstRect_Height","SwapchainState","NumDisplayGlitches","SampleTime","ReceiveLateness","DisplayGlitchDelta","DidGlitch","FlushLateSamplesOnDisplayChange","FrameDuration","RefreshDuration","RequestedRefreshDuration","ActualRefreshDuration","Dst_left","Dst_top","Dst_right","Dst_bottom","Src_left","Src_top","Src_right","Src_bottom","Backbuffers","ColorSpaceType","SwapChainType","SwapChainRotation","Sample","FirstFrameReady","Dropped","deltaFromLastSample_us","SyncQPC_us","CompMode","SyncQPC_rel_now_us","FrameRate","minFrameRate","maxFrameRate","Ratio","MaxRatio","ClockTime0_us","QPC0_us","SmoothedQPC0_us","QPCDelta_us","WindowC
ount","WindowWidth_us","sampleTime_us","OrigTargetQPC_us","TargetQPC_us","DeltaQPC_us","framePeriod_us","oldState","QPCnow_us","SampleTime_us","SampleQPC_us","SampleQPCAhead_us","Dejitter","ApproxClockJitter_us","LastQueuedStartQPC","nowQPC","AheadQPC","RepeatCount_Rounded","RepeatCount_x1000","TimeUntilFrame_Orig","TimeUntilFrame_postRepeat","FramesBehindAdjustment","PrimaryFramePeriod","QPCtarget_us","AverageLateness_us","Correction_us","TimeRemaining","deadline","hnsDeltaFromNow","WorkQueueID","VideoBranchWorkQueueID","RequestsPending","FrameQueueCount","TimeToDeadline_us","pRecord","ListCount","DecodeYUV","now","DXObject","DXType","Ratio_x100","MinDuration","MaxDuration","Ahead_us","AverageAhead_us","AverageDeviation_us","SimpleAverageAhead_us","SimpleAverageDeviation_us","Diff_us","RenderLatency_us","hDeadline","hVideoDeadline","GPUdeadline","GPUDeadlineDeltaFromNow_us","length","data","keysystem","defaultCdmStorePath","inprivateCdmStorePath","sessionId","keySystem","code","systemError","enable type","enabletype","Ok","Bits","FullScreenPercent","FullScreenThreshold","buffer","sampleDuration","SampleStartTime","SampleEndTime","CueStartTime","CueEndTime","CueTicket","UseDistinctiveIdentifier","CDMAccess","CDMCustomConfig","MediaKeysObject","SoftwareOverride","configCount","selectedConfigCount","DecodeSwapchainState","IsDecode","DxgiFormat","Buffer Count","Dst_Left","Dst_Top","Dst_Right","Dst_Bottom","ScrubbingState","Inverval","ProjectionMode","Quaternion.W","Quaternion.X","Quaternion.Y","Quaternion.Z","FieldOfView","QuaternionW","QuaternionX","QuaternionY","QuaternionZ","DcValue","Provisioned","QoS","IsDisplayMetadata","MinLuminance","MaxLuminance","IsAC","IsHDRDisabledOnBattery","IsLowerScreenBrightnessActive","IsBrightnessPolicyActive","ContentMaxLuminance","DisplayMaxLuminance","CallId","ResourceManagerObject","bufferCount","colorSpaceType","isHWProtected","presentId","targetTime","timeRemainingInQueue","submittedAhead_us","now vs 
QPC(us)","QueuedFrames","IsDirectPresentation","nowvsQPCus","dwOldIndex","dwNewIndex","Changed","dwEndIndex","fRemoveEntireChunk","RealDisplayChange","avgDuration","PresentId","regeerated","TimeInQueueAtHWMThreshold","LWM","HWM","ApproxSleepDuration","LWM_PresentId","PresentRetiredCount","RemainingInFlightResourceCount","FenceValue","FrameReturnedTimeDelta_us","AsyncCallbackType","WorkQueueId","Pending Composition count","CompositionFrameId","targetQPC_hns","presentID","OutputCount","AdapterLuid0","VidPnSrc0","uniqueId0","AdapterLuid1","VidPnSrc1","uniqueId1","PendingCompositioncount","Iteration Count","IterationCount","VidPnSrc","uniqueId","displayedQPC","frameDuration","minCompositionDelay_ns","OutputIndex","totalOutputs","targetQPC","targetDeltaFromNowQPC","framePeriod_ns","PendingAsyncPresentCount","SerializerWorkQueueId","Ver0","Ver1","Ver2","Ver3","HWS_SupportedLevel","HWS_Enabled","HWFQ_SupportedLevel","HWFQ_Enabled","Displayables_Supported","RetryPresentTimerKey","ForceXVP","SupportsDisplayables","ForceDisabled","InstanceKind","EntryIndex","WasFound","LookUpOutputIdex","TotalOutputs","PresentId_Skipped","PresentId_displayed","PresentId_delta","CompositionID","SkippedFramePendingCount","DX 
Device","DXDevice","hrUpdate","timeInQueue_hns","QueueingMode","LwmOverride","SteadyStateQueueingMode","TotalMonitors","vsyncDuration","IsPrimary","IsTimingDisplay","WorkQueue","CallbackWorkQueue","DXGIResource","MainEventType","GlitchCount","DisplayGlitchCount","SeenEventTypes","deltaToTarget","MinCount","AvgFrameDuration","displayFramePeriod","delta","timestamp_Ahead_us","timestamp_shift_Ahead_us","Deadline_us","EnableHDRForPlayback","CaptureEnginePointer","hrStatus","StreamIndex","RefTimestamp","StreamFlags","SourceOrSinkPointer","SourceStreamIndex","SinkStreamIndex","SinkPointer","SamplePointer","PhotoSink","RecordSink","PreviewSink","FrameReaderSink","SampleTimestamp","RecordSinkWriter","PreviewSinkWriter","XVP","dwStreamIndex","dwSourceStreamIndex","pMediaType","guidPropertySet","propertyID","dwSinkStreamIndex","guidExtendedType","dwMediaTypeIndex","CaptureSource","SinkWrapper","bChangeStreamUsers","bPrepare","SourcePointer","CameraSoundState","CameraSoundLevel","CameraSoundObject","InitResult","CaptureEngineObject","QueuingResult","PlaybackResult","Discontinuity","CleanPoint","ClockTime","TimeFormat","VariantType","ActualStreamIndex","MFT","vtable","RequestCounter","Transform","TransformType","OutputStreamIndex","MSVProcObj","fourCCSrc","fourCCDst","fourCC","srcWidth","srcHeight","dstWidth","dstHeight","Mirror","BasePri","ThreadObj","ThreadObject","ThreadPoolObj","VideoDevice","VP","RateConversionIndex","PastFrames","View","OutputSample","uiInputViewCount","uiOutputViewCount","uiOutWidth","uiOutHeight","uiOffsetX","uiOffsetY","SourceFormat","DestFormat","Shader","lightLevelIn","lightLevelOut","srcColorSp","dstColorSp","RedPrimaryX","RedPrimaryY","GreenPrimaryX","GreenPrimaryY","BluePrimaryX","BluePrimaryY","WhitePrimaryX","WhitePrimaryY","InputSample","InputIndex","WorkQueuePointer","MaxThreads","CurThreads","BlockedThreads","Diff","dwConfig","dwScaleX","dwScaleY","dwWindowX","dwWindowY","sample","submittedQPC","originalTargetQPC","targetAhead","submittedAhea
d","dwmFramesPresented","dwmRefreshStartCount","buffersEmpty","refreshFrameCount","cPresentCount","llPresentTime","screenHeight","frameHeightx1000","frameRatex1000","hThread","sleepType","format","retryCount","dataType","bytesDropped","dropReasons","streamType","stream","transform","userTransform","objectCategory","bufferSize","sampleSize","processTime","processingType","event","fullness","rtpSeq","packetNumber","segmentID","numberPending","bytes","arg","objectCreated","knobID","previousLevel","newLevel","dropTime","originalTime","adjustment","clockTime","refreshRate","left1","top1","right1","bottom1","masterTime","deviceTime","propertyKey","propvariant","streamNumber","sampleByteCount","packetSendTime","packetByteCount","eventTime","lateBy","callback","bstr","graphType","lastHr","initialOffset","finalOffset","bytesInCache","cacheSize","sectorSize","frameIndex","propertyKeyGuid","propertyKeyFmtId","Unknown","ParentQueuePointer","bestFrameIndex","totalFrameDecoded","timeoutin100NS","isTimeout","AdjustedTimestamp","isLowLatency","totalByteCount","isRetryWorkItem","surface","uSubresource","BufferDuration","SrcPtr","DstPtr","PathTaken","dwStreamID","uiPinID","MinSampleCount","Manager","PendingCount","PendingReceives","system","available","functionID","inputbytes","outputbytes","msTransportTime","msExecutionTime","msTotal","manager","isLosigHardwareResource","IsGoingOn","IsMultithread","m_u32StreamingPeriodMS","m_u32RenderBufferSizeInFrames","m_ui64ClockTicksPerSecond","m_u32AudioClientType","IsEventDriven","FillSilenceWhenStarving","FillCompressedSilenceWhenStarving","DropLateData","mfsState","pullPlayPosition","pullRawPlayPosition","pullRawWritePosition","pullDevicePosition","phnsCorrelatedTime","dwBytesWanted","u32FramesToRender","m_bEOSReceived","ullEOSPosition","m_bIsEventDriven","IsOffloadedStream","IsOffloadedCompressedStream","bFirstFill","u32CurrentPadding","u32TimeLeft","BytesInUse","dwBytesStillWanted","bEOS","fInserted","fFlushed","bEngineStarted","bReset","b
IsEventDriven","fFillBuffer","DisconnectReason","bReacquire","ui32EndpointRole","eCategory","bIsLowLatency","bBufferDurationSpecified","hnsBufferDuration","bOnlyAudio","bDisableOffload","bNonSeekableStream","hnsSampleTime","hnsSampleDuration","mfRenderTime","mfTimeNow","mfRenderTimeAhead","fDiscontinuity","mfAudioState","IsRateZero","bPrerollSample","bDelayedSample","scenario","fSignalPrerolled","m_cSamplesPrerolled","m_hnsPrerollDuration","m_u32CurrentPrerolledBytes","m_hnsShortSampleTolerance","m_cMaxPendingRequestSample","MarkerType","ControlPoint","bFlushPreroll","IsUninitialized","bInvalidatingStream","mfaOriginalState","phnsTimeNow","m_mftMaxTimePriorToStreamSwitch","m_bInvalidatingStream","hnsSystemTime","llClockStartOffset","StartOffset","mftStartOffset","bResetGapAndStallHandling","bUseResampler","bClockRateMatchEnabled","bUseLightWeightConverters","m_bIsOffloadStream","pullBytePosition","m_bIsCompressedStream","dwSamples","pfDiscontinuity","pullRenderBytePosition","pdwBytesToStall","bConvertToMFPos","pullWritePosition","pullDevicePlayPosition","mftTrimAmount","mftCutoff","bTrimFromFront","bEnable","cPendingRequestSample","cMaxPendingRequestSample","NumContainers","MaxPendingRequestSample","DurationInUse","hnsMinAllocation","TimeOutinMm","bNeedFormatNegotiation","mfaOriginalStreamState","hnsStreamInvalidationEventTime","hnsLastCorrelatedTime","hnsTimeElapsed","hnsLastTime","hnsNewLastTime","bDeviceChange","hnsNewStreamStartTime","bStopped","bReacquireDevice","dwNewState","MFTimeOfLastRenderSample","CorrelatedTime","IsStreamInvalidating","m_pCurrentMediaType","hrAEFormatQuery","hFormatResult","wFormatTag","nChannels","nSamplesPerSec","nAvgBytesPerSec","nBlockAlign","wBitsPerSample","cbSize","clientType","bufferDuration","u32FramesRead","m_u64LastSampleTime","u64Duration","dwFlagsForSample","m_pParent","m_bAudioProcessingRaw","m_bIsLowLatency","m_hnsBufferDuration","m_uiAudioCategory","m_spAudioSessionControl","m_spAudioSessionEvents","wstrEndpointId","uFaile
dLineNumber","AudioClientProperties_bIsOffload","AudioClientProperties_eCategory","AudioClientProperties_Options","m_spAudioClientForStreaming","m_u32BytesPerFrame","m_u32FramesPerSecond","bFirstRead","m_bEngineStarted","u32ActualFramesInCurrentPacket","fLevel","bMute","pParentObj","dwWorkQueueId","lWorkQueuePriority","m_u32BufferFrameCount","m_ReadySampleCount","m_spCurrentMediaType","guidService","riid","pvObject","ulSamples","ClockOffset","SrcObject","SamplesReceived","LateSamples","TotalLateTime_ms","SampleLatency_hns","SampleTime_hns","SamplePtr","ES_Stream","PackSize","LastPCR","PCR","Selector","MFTName","lResult","QuerySize","ValueDWORD","ValueString","inputType","inputSubtype","outputType","outputSubtype","localMFTs","softwareMFTs","hardwareMFTs","deviceRegHardwareMFTs","packagedMFTs","luidSet","numMFTs","adapterVendorId","adapterDeviceId","adapterSubSysId","adapterRevision","Merit","StartPlayback","Callback","PositionType","PositionValueSize","PositionValue","DurationValueSize","DurationValue","Thin","TimeIn100ns","CancelCookiePtr","MediaItem","SourceObject","Balance","VideoSizeSize","VideoSize","AspectSizeSize","AspectSize","MinSizeSize","MinSize","MaxSizeSize","AspectRatioFlags","ColorRGB","Effect","Optional","StartPositionType","StartPositionSize","StartPosition","StopPositionType","StopPositionSize","StopPosition","Select","CancelCookiePtrPtr","Mute","ForwardDirection","SlowestRate","FastestRate","EventCookie","RemovedMemorySize","MemDiagRawDataLength","MemDiagRawData","LaunchType","CompletionType","TestType","TestDuration","TestCount","NumPagesTested","NumPagesUnTested","NumBadPages","T1NumBadPages","T2NumBadPages","T3NumBadPages","T4NumBadPages","T5NumBadPages","T6NumBadPages","T7NumBadPages","T8NumBadPages","T9NumBadPages","T10NumBadPages","T11NumBadPages","T12NumBadPages","T13NumBadPages","T14NumBadPages","T15NumBadPages","T16NumBadPages","ScheduleType","SymLink","DMFTPtr","CaptureTimestamp","CaptureTimestampPresent","CaptureDelta","BasePrioirity","
IsStreaming","AsyncTaskPointer","BufferPointer","PinPointer","ParentPointer","ReadySampleCount","OutputBufferCount","OutputSamplesPtr","StreamingState","PinHandle","PinPtr","D3DManagerPtr","FormatInfoStruct","DeviceStreamName","DeviceStreamId","MFTStreamId","samplePointer","ExpectedSampleCompletionNumber","ActualSampleCompletionNumber","DriverQueueDepth","DriverTimeStamp","SystemTimeStamp","SampleCompletionNumber","FlagTimeStamp","eMessage","ulParam","WrapperPtr","InputQueueLength","on","InputRequestsCount","OutputQueueLength","ObjectPtr","MFTPtr","DeadlineHNS","Duration0","Duration1","DurationResult","ShatterInputSamples","Buffer Index","OrigDuration","AddDuration","NewDuration","fromtype","exitPolling","action","enablerReturned","streamid","policyReturned","streamId","isProtected","attributes","cSchemas","classId","bandwidthInPixels","QueueLen","SampleQueueLen","RequestQueueLen","tsOrig","sysOrig","tsFixed","sysFixed","tsOut","tsOut_ms","Diff_Now_LastSys_ms","timestamps","prevDuration","newDuration","mergedDuration","D3DFmt","Bitpump","QueuePtr","MPStream","PathLock","pSample","MP","node","IsHWMFT","DecoderGUID","RemainingInputRequests","RemainingQueuedInputSamples","Old state","New 
state","Oldstate","Newstate","UseSampleBasedBuffering","IsEOS","UnprocessedSamples","Prerolled","MemoryType","StatSource","Input","Output","FrameDelayRMSAccumulator","FrameDelayRMSCounter","ExpectedFrameDelay","StreamObject","Send","Cached","FramesFree","hnsTimestamp","hnsDuration","captureTimestamp","interIimestampDelta","captureLatency","processingLatency","nextPreDeadlineDeltaFromNow_us","nextDeadlineDeltaFromNow_us","IsMEP","IsAsyncMFT","hnsDeadline","DeltaFromNow_us","D3dDesc","LUID","SubSysId","Devices","Streams","TimerScope","TimerScopeId","WatchdogOperation","DurationToTriggerInHns","DurationToCompletionInHns","MediaStreamCount","SubObject","IdHigh","IdLow","TableType","Amount","Lsn1","Lsn2","Lsn3","SourceTier","TargetTier","SourceStartOfRange","SourceCountOfRange","TargetPhysicalOffset","SsdFillRatio","HddFillRatio","IsTargetReserved","DestageAllocationCount","FailedSsdDestage","Lcn","PageLcn","PageVirtualClock","VolumeVirtualClock","Scrubbing","StartLsn","EndLsn","TransactionsRemaining","TaskIndex","MediumPriority","UberLowPriority","OriginalBasePriority","PreDuration","ThreadTag","TurboEngaged","TaskName1","TaskName2","funcName","errorDetails","interfaceId","propName","appUserModelId","appPackageFamilyName","culture","profile","appId","Autopilot_successfully_disabled_task","Autopilot_successfully_enabled_task","Hardware_location","ServerState","WaitMs","AttemptNumber","MaxAttempts","VulnerabilityDetected","VulnerabilityFlags","Autopilot_configuration_file_path","Expanded_path","Uint3","Change_type","Host_result","Agent_result","Overall_result","DisplayPageResult","AgentResult","OverallResult","Host_failure_count","Agent_failure_count","ConsecutiveHostFailures","ConsecutiveAgentFailures","Policy_name","Server_time","Client_time","FailedApiState","Trace","Framework_State","MosHost_RegisterClient_PID","MosHost_DeregisterClient_PID","MosHost_GetActiveClients_Total","Unique","MosHost_GetReadSharingToken_Info_Path","MosHost_ConnectivityCallback_Online","MosHost
_SetMosOnline_Online","InputID","InputTimestamp","TargetTimestamp","connectionID","remoteIPv4Address","remoteIPv6Address","ispAddress","deviceType","tunnelType","portName","authenticationProtocol","authenticationData","eapTypeId","embeddedEapTypeId","quarantineState","connectionStartTime","isS2SConnection","routingDomainId","bytesIn","bytesOut","disconnectTime","ChannelInstance","RowCount","ErrorLineLength","Row","Base","Interfaces","Algorithms","EventLogType","TargetHandle","ModuleIndex","InputCount","VirtualNodeCount","DelayInMs","BiosNameLength","BiosName","SupportedInputs","SupportedOutputs","InvalidValue","Default","NamedChannelType","ActualChannelCount","MaxChannelCount","MaxBiosNameLength","NtStatusError","TotalValidConfiguration","DefaultValue","MaxValue","MinValue","DomainId","IsTimeParameter","ClaimInterface","DeviceIndex","ConfigVersion","PollingStartValue","TimerTriggerHysteresis","PollingIntervalMs","DefaultPollingTimerMs","FunctionId","InputChannelCount","OutputChannelCount","ChannelIndex","IoTargetState","TimerState","Product_Version","Product_Language","InstallationSuccessOrErrorStatus","RemovalSuccessOrErrorStatus","ReconfigurationSuccessOrErrorStatus","Update_Name","TypeOfSystemRestart","ReasonForRestart","BeginningAWindowsInstallerTransaction","Client_Process_Id","EndingAWindowsInstallerTransaction","InputStreamID","pEvent","OldBitrate","NewBitrate","pOutputSamples","pdwStatus","cSampleLength","bEndOfEncoding","CodingMode","Bitrate","Complexity","pEncoder","MessageIDGUID","MessageIDIdentity","ToolID","ToolThickness","ShapeDrawMode","ToolCrosssection","Saveoperationresult","ResizeskewOperationresult","Widthofthecanvas","Heightofthecanvas","Horizontalresizepercentage","Verticalresizepercentage","Horizontalskewangle","Verticalskewangle","and_Priority","Affinity","NewCacheIndex","LiveCacheIndex","Substatus","ApiFunction","EvColl","CorpCheckDisabledReason","Entered_State","ForceWeb","UseProxyCache","UsedDnsProbe","UsedProxy","ContentComparison","WebCom
pleted","WebRedirected","LocalErrorOccured","SuspectStateReason","ConnectedInterfaceGuid","DisconnectedInterfaceGuid","ProxiedCapability","NetReady","HasCorporateConnectivity","ActiveProbeResultCode","IPv6_address","IPv4_capability","IPv6_capability","IPv4_test_used","IPv6_test_used","HasPreferredGlobalAddressIPv4","HasPreferredGlobalAddressIPv6","InternetCapabilityIPv4","InternetCapabilityIPv6","InternetTestIPv4","InternetTestIPv6","CorporateLocation","CorporateLocationMetadata","KeyOrValue","LowerIf","Add_PnP_Device","Initialize_Binding__Protocol","ProtocolName","StructType","ParameterLen","ParameterOffset","MiniportIfGuid","MiniportIfIndex","MiniportNetLuid","FilterIfGuid","FilterIfIndex","FilterNetLuid","OriginalMediaType","NewMediaType","SystemState","Set","OpenRef","Packet","CompletedAtOpen","Open","ExpectedMediaType","ErrorValueCount","ErrorValues","CompleteRequest","PnPFlags","OperationalStatusFlags","OperationalStatus","NumberOfNbls","NdisStatusCode","ComponentId","ComponentRefCount","InterfaceRefCount","WakeReason","MiniportEventEnum","MiniportAdapterName","FilterInstanceName","FilterFriendlyName","PowerTransitionCount","RefcountValue","StopFlags","PowerStateFrom","PowerStateTo","IfInUnicastPackets","IfOutUnicastPackets","IfInMulticastPackets","IfOutMulticastPackets","IfInBroadcastPackets","IfOutBroadcastPackets","ParentGuid","BlockerGuid","PhysicalDeviceNode","WakePacketSize","WakePacketPayload","Transport","PnPEvent","SupportFlags","NetworkInterfaceGuid","QueueId","AllocationTime","AllocationTimeThreshold","MiniportStack","DriverServiceName","OriginalFlags","EffectiveFlags","ParentInstanceId","LowerIfIndex","FragmentSize","Fragment","GftFlowEntryId","GftOffloadInformation","MetadataSize","SourcePortId","SourceNicName","SourceNicType","DestinationCount","OOBDataSize","OOBData","RulesCount","UniqueName","Directive","Rundown","RundownId","ParamStr","NetPnpEvent","StatusBufferLength","OidBufferLen","OidBuffer","PacketFilter","Team","_FunctionName","_Status",
"established_ExePath","SvcTag","PkgName","_Direction","_ExePath","_SvcTag","_PkgName","_UserId","_Pid","Updated_Interface_Stats_IfLuid","_ProfileId","_BytesSent","_BytesRecvd","Updated_Flow_Stats_Flow_Id","_Cookie","_Quota","_BytesLimit","IsCosted","_IsCosted","_SystemSmbCount","_IsContainer","_SessionId","WakeCount","file","Dereference","ContextHandle","ServiceNlmEpoch","ServiceNlmSignature","ClientNlmEpoch","ScheduleUpdate","NlmEpochBefore","NlmSignatureBefore","NlmSignatureStableBefore","NlmEpochAfter","NlmSignatureAfter","NlmSignatureStableAfter","RequestHolder","UpdateRequested","CompleteCall","NlmEpoch","App provided time","Current keepalive time","Lowered keepalive time","WNS test input time","Appprovidedtime","Currentkeepalivetime","Loweredkeepalivetime","WNStestinputtime","Reference_context","Dereference_context","Fired","IsTcpListener","BrokerEventId","CallReason","TriggerReason","NumSockets","IfName","TimeWarningInSec","ExceededCount","LastIntervalInSec","TransactionGuid","EnvironmentType","Api","PluginId","PluginName","PropertyBufferSize","PropertyBuffer","PeripheralName","OverflowingShas","CorrelationIdReceived","CorrelationIdExpected","SHAId","QECId","CurrentIsolationState","ChannelStatus","App_Name","RequestedResourceType","ServerKeepaliveInterval","KeepaliveTrigger_ID","PushNotificationTrigger_ID","ServerKeepaliveIntervalInMinutes","KeepaliveTriggerId","PushNotificationTriggerId","Plugin","profileName","plugin","InitialProfile","InitialEventType","NumPacketsSent","NumPacketsReceived","Posting_Network_Connected_Event_Type","ProfileID","NetworkProfileEventState","Posted_Network_Connected_Event_Type","Posting_Network_Profile_Event_Type","Posted_Network_Profile_Event_Type","Posting_Network_Disconnected_Event_Type","Posted_Network_Disconnected_Event_Type","Registry_Value_Path","Registry_Value_Type","RegistryKeyLength","RegistryValueNameLength","PropertyValueLength","SizeOfXMLInBytes","Carrier_Id","Subscriber_Id","Signer","CertificateIssuer","CertificateSu
bject","CarrierId","SubscriberId","ErrorOccurred","BoolResult","HandlerName","HasResults","StreamSize","StreamSizeLimit","Line_Pos","LinePos","ActivationMethod","ICarrier_Id","RegisterState","Xml","RulesXml","CallerAppId","NetworkStatus","PacketBoundaryFlag","RadioIsOn","FirmwareFile","RfArrivalDepartureEvent","MibNotificationType","EntityName","IndicatedRowCount","RowsWithInterfacesIndicatedCount","RowInterfaceGuid","NlaState","RetrievedDomain","RetrievedForest","Interface Name","Addresses","Try Count","TryCount","DcName","Try Number","TryNumber","SignatureLength","SignatureSource","AuthCapUnlikelyReason","SpeculativeTimeout","SignatureCharacteristics","CachedRunsRestoredRunCount","CachedRunsRestoredTimeMs","CachedRunsPreparedRunCount","CachedRunsPreparedTimeMs","CachedRunsFilledRunCount","CachedRunsFilledTimeMs","FreeSpaceInBytes","TotalReservedSpaceInBytes","TotalAbortReservationSpaceInBytes","RequestedSpaceInBytes","PageFileSize","File_reference","UnlockReason","MaxDurationMs","WaitDurationMs","HoldDurationMs","FailureStage","FailureStatusCode","ReasonOrigin","RundownVolumeInformation_VolumeId","NtfsLogFileFull_VolumeId","LogFileFullReason","PeriodicCheckpointStart_VolumeId","LogFileUsePercentage","PeriodicCheckpointComplete_VolumeId","DirtyMetaDataPages","CleanCheckpointStart_VolumeId","CleanCheckpointComplete_VolumeId","MftRecordRead_VolumeId","BaseFileId","CacheHit","Volume_guid","Volume_serial","VolumeSerialNumber","KtmTransaction","TornStructureOffset","BlockIndex","ExpectedSequenceNumber","ActualSequenceNumber","FrsFileReference","FrsFileNameLength","FrsFileName","IsChildFRS","Volume_Label","BadFileOffset","BadLcn","AttributeTypeCode","AttributeNameLength","VolumeOffset","CalledFromWorker","WorkerStatus","ReadDataValidOffset","ReadDataValidLength","ReadData","PrevDataValidOffset","PrevDataValidLength","PrevData","MftDataAllocationSize","MftDataFileSize","MftBitmapAllocationSize","MftBitmapFileSize","BytesPerFRS","MftDataAttrAllocatedLength","MftDataAttrFil
eSize","MftBitmapAttrHighestVcn","MftBitmapAttrAllocatedLength","MftBitmapAttrFileSize","MftLastDataAndBitmapInSameFrs","Starting LCN","Ending LCN","StartingLCN","EndingLCN","A10_IrpContext","A11_Scb","A10_FileObject","A12_StartingVcn","A13_ClusterCount","A14_Flags","A15_CcbForWriteExtend","A10_Scb","A11_PurgeOffset","A12_PurgeChunkLength","A11_ValueLength","A12_AttributeFlags","A11_SizeNeeded","A12_BytesToFree","A13_MappingPairSize","A14_NewMappingPairSize","A11_IrpContext","A12_Scb","A14_NewFinalVcn","A10_Vcb","A12_Fcb","A14_Scb","A13_FileRef","A14_ExceptionStatus","A10_FoundClusterCount","A11_ClustersAllocated","A11_Vcb","A14_StartingVcn","A15_EndingVcn","A13_EndingVcn","A12_AdjLcn","A13_AdjClusterCount","A10_ClusterCount","A13_TotalAllocated","A11_ClustersDeallocated","A11__Bitmap","A12_BaseLcn","A13_CurrentLcn","A12_StartingLcn","A13_StartingLcn","A11_Bitmap","A12_BitMapOffset","A13_NumberOfBits","A12_Bitmap","A13_StartingBitmapLcn","A14_SetBits","A12_StartingBit","A13_EndingBit","A11_Results","A10_Length","A11_BinIndex","A12_Key","A13_BitPosition","A14_GroupIndex","A15_GroupShiftFactor","A12_TotalBins","A10_BinIndex","A11_MAXLONGLONG","A11_MaxLength","A12_GroupIndex","A13_RelativeBinIndex","A14_MaxKey","A10_NtfsCachedRunBinGroupShift","A11_NtfsCachedRunBinGroupSize","A12_NtfsCachedRunBinGroupMask","A12_MaxLength","A11_FirstBitToClear","A10_LengthInExtent","A11_ByteCount","A11_LengthInExtent","A11_StartingOffset","A12_BeyondEndOffset","A10_RemainingClusterCount","A11_DataSetRangeIndex","A10_Index","A12_StartOffset","A13_ByteCount","A10_TypeOfOpen","A10_Status","A11_CreateDisposition","A11_StartingCluster","A12_RunLength","A12_IrpContext","A11_SmallMarkUnusedContext","A12_MarkUnusedContext","A11_MarkUnusedContext","A12_IrpUsed","A12_Status","A11_DeallocatedClusters","A11_All","A11_AcquiredVcb","A12_RunIndex","A13_StartingOffset","A14_LengthInBytes","A12_DataSetRangeCount","A13_McbRunCount","A14_SmartTrimFreeRangeCount","A11_StartingLcn","A12_ClusterCount","A13_F
irstTpMapBit","A14_LastTpMapBit","A11_SlabRangeIndex","A11_AcquiredBitmap","A11_TpMapBit","A12_SlabBaseLcn","A13_SlabLengthInClusters","A11_StartingVbo","A12_ByteCount","A12_NewBufferSize","A10_NewBufferSize","A12_OutputBufferLength","A11_MaxRuns","A10_ZeroStart","A11_ZeroEnd","A11_Context","A14_FsControlCode","A10___FUNCTION__","A11_ZeroFlags","A11_EncryptionOperation","A11_InputParameter","A10_InternalFileReference","A11_ScrubIoCount","A11_StartingVcn","A11_FileScrubOffset","A12_SectorAlignedVdl","A11_Status","A11_IrpStatus","A11_StartOffset","A13_StartVcn","A14_BeyondEndVcn","A11_PercentFull","A12_ClearAll","A11_Clusters","A12_i","A14_ClusterCount","A12_runLength","A11_Mcb","A13_Count","A10_Mcb","A12_Vcn","A13_Lcn","A14_RunCount","A11_Result","A14_TruncateOnly","A11_BootSector","A12_CheckNumber","A12_AttrListAllocationSize","A13_AttrListAllocationSize","A10_ExceptionCode","A11_ExceptionCode","A11_Irp","A13_NtfsFailedAborts","A13_NextScb","A12_Irp","A13_IrpContext","A14_Status","A10_MaxTrimTotalSize","A10_MinTrimTotalSize","A12__Bitmap","A10_CurrentClusters","A10_ClustersLinkAsHead","A11_FlagsToMatch","A12_InsertAfter","A10_Clusters","A11_NumberOfRuns","A13_TxfTrans","A11_FailureStatus","A11_TempStatus","A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT","A13_OldStatus","A13_LogNestingLevel","A14_DiskNestingLevel","A13_Status","A12_TxfRmcb","A12__OldGuid","A15_Status","A13_FlushStatus","A13_Trans","A13_ExceptionCode","A11_CallStack[0]","A12_CallStack[1]","A13_CallStack[2]","A14_CallStack[3]","A15_CallStack[4]","A13_OldestTrans","A14_OldestTrans","A11_PinnedStatus","A13_SavedReserved","A14_RequiredReserved","A11_WasDirty","A13_Source","A10_ByteRange","A11_SectorAlignedVdl","A10_StartingVbo","A10_Vcn","A11_Attribute->Form.Nonresident.LowestVcn","A12_Attribute->Form.Nonresident.HighestVcn","A13_AllocationClusters","A13_StartingVcn","A15_Flags","A16_CcbForWriteExtend","A11_*LastVcn","A12_Attribute->Instance","A10_NtfsFullFileRefNumber( _Fcb->FileReference 
)","A13_*(PULONGLONG)_Scb->Fcb->FileReference","A14_LastVcn","A15_NewHighestVcn","A16_PassCount","A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn","A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn","A16_Context->AttributeList.Entry->LowestVcn","A17_PassCount","A14_NtfsFrsConsolidationStatistics.MergeSkipCount","A10_FileRecord->SegmentNumberHighPart","A11_FileRecord->SegmentNumberLowPart","A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )","A13_Attribute->TypeCode","A10_Fcb->Vcb","A12_*(PULONGLONG)_Fcb->FileReference","A13_StdInfoAttrListEntry->Signature","A14_StdInfoAttrListEntry->LastCompactedSize","A15_CurrentAttributeListSize","A15_NewStdInfoAttrListEntry.LastCompactedSize","A11_i","A12_MAX_MOVEABLE_ATTRIBUTES","A14_Attribute->RecordLength","A15_Attribute->Instance","A12_Attribute->TypeCode","A13_Attribute->RecordLength","A14_Attribute->FormCode","A13_StartZero","A14_ZeroLength","A10_Scb->Vcb","A14_NewHalfWayVcn","A15_RangePtr","A14_NtfsMcbArray","A15_NtfsMcbArray->StartingVcn","A16_NtfsMcbArray->EndingVcn","A14_NewFinalVcnInMcb","A15_NewFinalVcn","A14_NewStartVcn","A15_DeletedNextAttribute ? NewFinalVcnInMcb : (LastVcn-1)","A15_NewFinalVcnInMcb","A10_PsGetCurrentThread()","A13_*(PULONGLONG)_Fcb->FileReference","A14_AllFlags.FirstRequest","A12_*(PULONGLONG)_FrsConsolidationContext->FileReference","A13_IrpContext->ExceptionStatus","A14_RemovedFcb","A15_AllFlags.FcbAcquired","A16_IrpContext->TransactionId","A12_(EndTime.QuadPart*1000)/NtfsPerformanceFrequency.QuadPart","A13_(FrsConsolidationContext->TotalTime*1000)/NtfsPerformanceFrequency.QuadPart","A15_AttributeListSize","A13__Scb->Mcb","A14_OriginalStartingVcn","A15_ClusterCount","A16_AllocateAll","A17_(TargetLcn != NULL) ? 
*TargetLcn : (ULONGLONG)-1","A18_PreAllocated","A19_UseDelayedAllocation","A12_Scb->TotalAllocated","A13_Scb->State","A14_IrpContext->State2","A15_AllocateWithNoHole","A11_*(PULONGLONG)_Scb->Fcb->FileReference","A12_DeallocatedClusters->Lsn.QuadPart","A13_DeallocatedClusters->ClusterCount","A14_DeallocatedClusters->Flags","A15_Vcb->DeallocatedClusters","A16_Vcb->DeallocatedClusters + AdjClusterCount","A12_*TotalAllocated","A12_TotalAllocated","A11_Vcb->DeallocatedClusters","A12_Vcb->DeallocatedClusters-ClustersRemoved","A12_FirstBit","A13_BeyondFinalBit","A14_RedoOperation","A15_UndoOperation","A13_*ClusterCount","A11_OriginalSystemBitmap[i / sizeof( OriginalSystemBitmap[0] )]","A10_StartingCluster","A11_ClusterCount","A12_Vcb->TotalClustersCommitted","A13_Vcb->TotalClusters","A14_Vcb->FreeClusters","A12_BeyondLastBitToClear - 1","A11_*FreeClusterBase1","A12_*FreeClusterCount1","A11_*FreeClusterBase2","A12_*FreeClusterCount2","A11_PsGetCurrentThread()","A14_Vcb->TPMap.SizeOfBitMap","A10_IrpContext->MajorFunction","A11_StartingZero","A13_ExtentsDescriptor","A14_*ExtentsDescriptorIndex","A15_*ExtentsDescriptorStartOffset","A16_Offset","A17_MaxRuns","A10_RunIndex","A11_ExtentsDescriptor->Run[RunIndex].BasePage","A12_ExtentsDescriptor->Run[RunIndex].PageCount","A13_ExtentLength","A14_Offset","A15_RunIndexStartOffset","A10_StartingPhysicalAddr.QuadPart","A10_*ExtentsDescriptorIndex","A11_*ExtentsDescriptorStartOffset","A10_DataSetRangeIndex","A11_DsmBuffer->DataSetRanges[DataSetRangeIndex].StartingOffset","A12_DsmBuffer->DataSetRanges[DataSetRangeIndex].LengthInBytes","A10_DsmByteAddressRanges->TotalNumberOfRanges","A11_DsmByteAddressRanges->NumberOfRangesReturned","A11_DsmByteAddressRanges->Ranges[Index].StartAddress","A12_DsmByteAddressRanges->Ranges[Index].LengthInBytes","A14_ExtentsDescriptor","A15_ExtentsDescriptorIndex ? *ExtentsDescriptorIndex : 0","A16_ExtentsDescriptorStartOffset ? 
*ExtentsDescriptorStartOffset : 0","A11_*AttrCode","A11_CurrentFcb","A12_NtfsFullFileRefNumber( _CurrentFcb->FileReference )","A13_CurrentFcb->TxfRmcb->RmState","A11_*MarkUnusedContext","A12_(*MarkUnusedContext)->DeallocatedClusters","A13__(*MarkUnusedContext)->DeallocatedClusters->Mcb","A11__(*MarkUnusedContext)->DeallocatedClusters->Mcb","A10_Src","A11_Dst","A12_Src->ClustersCount","A13_Src->DeallocatedClusters->ClusterCount","A14_SrcDsmAttr->DataSetRangesLength","A13_Dst->ClustersCount","A14_DstDsmAttr->DataSetRangesLength","A15_DstFirstDataSetRangePtr->LengthInBytes","A16_DstFirstDataSetRangePtr->StartingOffset","A12_Vcb->DeallocatedClusters","A13_Vcb->DeallocatedClustersListLengthInTrim","A14_Vcb->DeallocatedClustersListLengthToDrain","A15_Clusters->ClusterCount","A16_InitialRanges","A14_FreeClusterBase1","A15_FreeClusterCount1","A16_FreeClusterBase2","A17_FreeClusterCount2","A11_Vcb->CloseCount","A12_TrimEntryCount++","A13_DataSetRangePtr->StartingOffset","A14_DataSetRangePtr->LengthInBytes","A13_((MarkUnusedContext != NULL) __ (MarkUnusedContext->DeallocatedClusters != NULL)) ? MarkUnusedContext->DeallocatedClusters->ClusterCount : -1LL","A11_DeallocatedClustersToWaitFor->DeallocatedClusters","A10_IrpContext->Vcb","A10_WaitInSeconds","A11_((CurrentTime.QuadPart > DeallocatedClustersToWaitFor->EndTime.QuadPart) ?                                     (ULONG)(((CurrentTime.QuadPart - DeallocatedClustersToWaitFor->EndTime.QuadPart) * NtfsData.SystemTimeIncrement)/INTERVAL_ONE_SECOND) : 0)","A13_IrpContext->Vcb","A14_DeallocatedClusters","A11_((CurrentTime.QuadPart > DeallocatedClustersToWaitFor->EndTime.QuadPart) ?                                  
(ULONG)(((CurrentTime.QuadPart - DeallocatedClustersToWaitFor->EndTime.QuadPart) * NtfsData.SystemTimeIncrement)/INTERVAL_ONE_SECOND) : 0)","A11_Vcb->DeallocatedClustersListLengthInTrim","A13_DataSetRange->StartingOffset","A14_DataSetRange->LengthInBytes","A11_SmartTrimState->SlabRangesCount","A12_SlabRange->FirstTPMapBit","A13_SlabRange->LastTPMapBit","A10_((ULONG)BadVcn)","A11_((PLARGE_INTEGER)_BadVcn)->HighPart","A10_((ULONG)BadLcn)","A11_((PLARGE_INTEGER)_BadLcn)->HighPart","A11_NtfsGetCompressionBufferSize()","A11_NtfsGetUsaBufferSize( Vcb )","A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )","A14_MoveData->StartingVcn.QuadPart","A15_TransferClusters","A16_Lcn","A17_MoveData->StartingLcn.QuadPart","A18_CopyLength","A19_Flags.UseDelayedAllocation","A20_Status","A20_MyStatus","A14_Lcn","A15_CopyLength","A16_MyStatus","A14_MoveData->StartingLcn.QuadPart","A18_Flags.UseDelayedAllocation","A19_ValidClusters","A11_Scb->Header.ValidDataLength.QuadPart","A12_Scb->Header.FileSize.QuadPart","A13_QueryDaxExtents->FileOffset","A15_QueryDaxExtents->Length","A10_QueryDaxExtents->FileOffset","A11_QueryDaxExtents->Length","A12_EffectiveInputFileRegionLength","A15_RemainingClusterCount","A16_LastVcnInFile","A10_ExtentsDescriptor->NumberOfValidRuns","A12_*BytesReturned","A11_ExtentsDescriptor->NumberOfValidRuns","A13_*BytesReturned","A10_ExtentsDescriptor->Run[Index].BasePage","A11_ExtentsDescriptor->Run[Index].PageCount","A13_LocalFlags->EntireFlags","A12_LocalFlags.EntireFlags","A10_Vcb->BitmapScb","A10_Vcb->MftScb","A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb","A12_NtfsData.DiskFlushContextCompletedWorkItem.List.Flink","A12_IrpContext->Vcb","A13_IrpSp->MinorFunction","A11_(PVOID)Vcb->TxfVcb.DefaultRm","A12_(Vcb->TxfVcb.DefaultRm != NULL) ?                                  
_Vcb->TxfVcb.DefaultRm->RmId :                                  NULL","A12_Irp->RequestorMode","A12_IrpSp->FileObject","A10_(PVOID)Vcb","A11_Vcb->VcbState","A10_ScrubResumeContext.SystemScbIndex","A11_ScrubResumeContext.ResumeVcn","A12_ScrubResumeContext.ResumeVcnOffset","A11_Scb->TxfScb","A11_ScrubContext.OperationStatus","A12_ScrubContext.NumberOfBytesRepaired","A13_ScrubContext.NumberOfBytesFailed","A14_ScrubContext.ErrorFileOffset","A15_ScrubContext.ErrorLength","A16_ScrubContext.ParityExtentData->NumberOfParityExtents","A14_ScrubContext.ParityExtentData->NumberOfParityExtents","A12_Irp->Cancel","A13_ScrubContext.ParityExtentData->NumberOfParityExtents","A11_DsmRange.StartingOffset","A12_DsmRange.StartingOffset + DsmRange.LengthInBytes","A13_DsmRange.LengthInBytes","A15_StartingVcnOffset","A16_SectorAlignedVdl","A12_ScrubContext->ErrorFileOffset","A13_ScrubbedLength","A14_ScrubContext->OperationStatus","A15_ScrubContext->NumberOfBytesFailed","A16_ScrubContext->NumberOfBytesRepaired","A17_NewParityExtentCount","A11_RepairDataSetRange->StartingOffset","A12_RepairDataSetRange->StartingOffset +                         RepairDataSetRange->LengthInBytes","A13_RepairDataSetRange->LengthInBytes","A14_RepairFileOffset","A11_RepairCopiesOutput->Status","A11_Output->NumBadRanges","A10_FsInputRangeIndex","A11_FsInputRanges[FsInputRangeIndex].FileOffset","A12_FsInputRanges[FsInputRangeIndex].VolumeOffset","A13_FsInputRanges[FsInputRangeIndex].LengthInBytes","A12_(BOOLEAN)AbnormalTermination()","A11_Vcb->CheckpointInjectionCount","A12_Vcb->WaitForCcLoggedDataActivityCount","A11_Vcb->CleanCheckpointCount","A11_Vcb->OverflowedDPTCount","A11_Vcb->FuzzyCheckpointCount","A11_Vcb->FlushOldestFOCount","A11_NtfsFullSegmentNumber( _Scb->Fcb->FileReference 
)","A11_DirtyPageContext.OldestFileObject","A11_IrpContext->TransactionId","A11_IrpContext->OriginatingIrp","A12_PsGetCurrentThread()","A14_FailedFlushCount","A11_ActiveLsn->QuadPart","A11_Clusters->ClusterCount","A12_Clusters->ClusterCount","A13_Clusters->Lsn.QuadPart","A14_Clusters->Flags","A12_(ULONG)ClusterCount","A11_StartingLcn + StartingIndex","A10_Mcb->Scb","A12_IrpContext->ExceptionStatus","A10_IrpContext->LogFullReason","A11_BackTrace[0]","A12_BackTrace[1]","A13_BackTrace[2]","A14_BackTrace[3]","A15_BackTrace[4]","A16_BackTrace[5]","A17_BackTrace[6]","A18_BackTrace[7]","A19_BackTrace[8]","A20_BackTrace[9]","A21_BackTrace[10]","A22_BackTrace[11]","A23_BackTrace[12]","A24_BackTrace[13]","A25_BackTrace[14]","A26_BackTrace[15]","A27_BackTrace[16]","A28_BackTrace[17]","A29_BackTrace[18]","A30_BackTrace[19]","A14_GetExceptionCode()","A14_*(PULONGLONG)_NextScb->Fcb->FileReference","A10_IrpSp->Parameters.Write.ByteOffset.HighPart","A11_IrpSp->Parameters.Write.ByteOffset.LowPart","A11_IrpSp->Parameters.Write.ByteOffset.HighPart","A12_IrpSp->Parameters.Write.ByteOffset.LowPart","A10_IrpSp->MajorFunction","A11_IrpSp->MinorFunction","A12__Vcb->TxfVcb.DefaultRm->RmId","A11_Vcb->LogFileObject","A11_FileRecord->SegmentNumberHighPart","A12_FileRecord->SegmentNumberLowPart","A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )","A14_Attribute->TypeCode","A15_LogRecord->RecordOffset","A16_Length","A14_((PATTRIBUTE_RECORD_HEADER)Data)->TypeCode","A14_NtfsFullSegmentNumber( _FileReference )","A11_Scb->TotalAllocated","A11_CurrentClusters->Lsn.QuadPart","A11_Clusters->Flags","A10_!FlagOn( Clusters->Flags, DEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL 
)","A12_Lcn","A11_CallerFunction","A12_CallerFile","A13_CallerLineNumber","A14_(PVOID)TxfRmcb","A15__TxfRmcb->RmId","A16_(PVOID)TxfTrans","A17__TxfTrans->KtmUow","A18_AbortReasonStatus","A18_Status","A11_(PVOID)TxfRmcb","A12__TxfRmcb->RmId","A14__TxfTrans->KtmUow","A11_(PVOID)CalloutParameters->TxfFlush.TxfRmcb","A12__CalloutParameters->TxfFlush.TxfRmcb->RmId","A13_GetExceptionCode()","A12_(PVOID)Vcb","A11_GetExceptionCode()","A13_(PVOID)Vcb","A11_(PVOID)Vcb","A11_(NT_SUCCESS( Status ) ? 'Succeeded' : 'FAILED')","A12_(PVOID)TxfRmcb","A13__TxfRmcb->RmId","A13__ClfsRestartArea->RmId","A14_AbnormalTermination() ? '(abnormal termination)' : ''","A11_(TxfIsDefaultRm( TxfRmcb ) ? 'default' : 'secondary')","A14_(ForceDirtyShutdown ? 'DIRTY!' : 'CLEAN.')","A10_FILEID_FROM_SOURCE( FileNLine )","A11_LINENUM_FROM_SOURCE( FileNLine )","A13_(PVOID)TxfTrans","A12_(PVOID)FileObject","A11_TransactionNotification","A12_(TransactionAlreadyPrepared ? ' **PREPARED** ' : ' ')","A13__TxfTrans->KtmUow","A16_Status","A11_(PVOID)Trans->TxfRmcb","A12__Trans->TxfRmcb->RmId","A14__Trans->KtmUow","A12_(PVOID)Trans","A13__Trans->KtmUow","A14_(PVOID)Trans","A15__Trans->KtmUow","A14__OldestTrans->KtmUow","A15__OldestTrans->KtmUow","A13_(PVOID)TransToDereference","A14__TransToDereference->KtmUow","A13_(IsEncrypted( _TopsFcb->Info ) ? 
'encrypted' : 'compressed')","A12_Vcb->FirstValidUsn","A13_FirstValidUsn","A14_TrackUsnJournalFileSize","A15_TrackUsnJournalAllocationSize","A16_TrackUsnJournalMaxSize","A17_TrackUsnJournalDeltaAllocation","A12_FirstValidUsn - 1","A12_UsnJournal->Header.AllocationSize.QuadPart","A13_UsnJournal->Header.FileSize.QuadPart","A14_UsnJournal->Header.ValidDataLength.QuadPart","A15_UsnJournal->TotalAllocated","A12_IrpContext->OriginatingIrp","A13_PsGetCurrentThread()","A14_Scb->Header.AllocationSize.QuadPart","A15_Scb->Header.FileSize.QuadPart","A16_Scb->Header.ValidDataLength.QuadPart","A17_NewAllocationSize","A17_Scb->TotalAllocated","A12_FileReference","A13_Fcb","A14_Source","A15_TopLevelExceptionStatus","A12_NtfsFullSegmentNumber( _BugCheckFileReference )","A12_IrpContext->TopLevelIrpContext->ExceptionStatus","A12_(ptrdiff_t) Scb","A11_AttributeFormNonresidentLowestVcn","A12_AttributeFormNonresidentHighestVcn","A11_LastVcn","A12_AttributeInstance","A10_NtfsFullFileRefNumber_FcbFileReference","A13_PULONGLONG_ScbFcbFileReference","A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn","A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn","A16_ContextAttributeListEntryLowestVcn","A14_NtfsFrsConsolidationStatisticsMergeSkipCount","A10_FileRecordSegmentNumberHighPart","A11_FileRecordSegmentNumberLowPart","A12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment","A13_AttributeTypeCode","A10_FcbVcb","A12_PULONGLONG_FcbFileReference","A13_StdInfoAttrListEntrySignature","A14_StdInfoAttrListEntryLastCompactedSize","A15_NewStdInfoAttrListEntryLastCompactedSize","A14_AttributeRecordLength","A15_AttributeInstance","A12_AttributeTypeCode","A13_AttributeRecordLength","A14_AttributeFormCode","A14_ScbAttributeTypeCode","A15__ScbAttributeName","A16_NewStartVcn","A17_NewHalfWayVcn","A18_NewFinalVcn","A19_PackedMode","A20_TryPrior","A16_FileRecordSequenceNumber","A17_FileRecordSegmentNumberLowPart","A18_NewStartVcn","A19_LastVcn","A20_NewFinalVcn","A10_ScbVcb","A15_NtfsMcbAr
rayStartingVcn","A16_NtfsMcbArrayEndingVcn","A15_DeletedNextAttributeNewFinalVcnInMcbLastVcn1","A16_PULONGLONG_ContextAttributeListEntrySegmentReference","A17_OldLowestVcn","A18_StartVcn","A19_NewAttributeInstance","A16_OldLowestVcn","A17_StartVcn","A18_OldHighestVcn","A20_FileRecordSequenceNumber","A21_FileRecordSegmentNumberLowPart","A10_PsGetCurrentThread","A12__VcbVolumeName","A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb","A14__VolumeId","A15_VcbVcbState","A13_PULONGLONG_FcbFileReference","A14_AllFlagsFirstRequest","A14_FrsConsolidationContextRestartAttributeTypeCode","A15__FrsConsolidationContextRestartAttributeName","A16_FrsConsolidationContextRestartVcn","A17_FrsConsolidationContextInstance","A18_FrsConsolidationContextRestartAttributeListEntryOffset","A19_AttrContextAttributeListAttributeListFormNonresidentValidDataLength","A12_PULONGLONG_FrsConsolidationContextFileReference","A13_IrpContextExceptionStatus","A15_AllFlagsFcbAcquired","A16_IrpContextTransactionId","A12_EndTimeQuadPart1000NtfsPerformanceFrequencyQuadPart","A13_FrsConsolidationContextTotalTime1000NtfsPerformanceFrequencyQuadPart","A13__ScbMcb","A17_TargetLcnNULLTargetLcnULONGLONG1","A12_ScbTotalAllocated","A13_ScbState","A14_IrpContextState2","A11_PULONGLONG_ScbFcbFileReference","A12_DeallocatedClustersLsnQuadPart","A13_DeallocatedClustersClusterCount","A14_DeallocatedClustersFlags","A15_VcbDeallocatedClusters","A16_VcbDeallocatedClustersAdjClusterCount","A11_VcbDeallocatedClusters","A12_VcbDeallocatedClustersClustersRemoved","A11_OriginalSystemBitmapisizeofOriginalSystemBitmap0","A12_VcbTotalClustersCommitted","A13_VcbTotalClusters","A14_VcbFreeClusters","A12_BeyondLastBitToClear1","A11_FreeClusterBase1","A12_FreeClusterCount1","A11_FreeClusterBase2","A12_FreeClusterCount2","A11_PsGetCurrentThread","A14_VcbTPMapSizeOfBitMap","A10_IrpContextMajorFunction","A14_ExtentsDescriptorIndex","A15_ExtentsDescriptorStartOffset","A11_ExtentsDescriptorRunRunIndexBasePage","A12_Ex
tentsDescriptorRunRunIndexPageCount","A10_StartingPhysicalAddrQuadPart","A10_ExtentsDescriptorIndex","A11_ExtentsDescriptorStartOffset","A11_DsmBufferDataSetRangesDataSetRangeIndexStartingOffset","A12_DsmBufferDataSetRangesDataSetRangeIndexLengthInBytes","A10_DsmByteAddressRangesTotalNumberOfRanges","A11_DsmByteAddressRangesNumberOfRangesReturned","A11_DsmByteAddressRangesRangesIndexStartAddress","A12_DsmByteAddressRangesRangesIndexLengthInBytes","A15_ExtentsDescriptorIndexExtentsDescriptorIndex0","A16_ExtentsDescriptorStartOffsetExtentsDescriptorStartOffset0","A12_Vcb","A13_CreateContextFileObject","A14_CreateContextFileObjectRelatedFileObject","A15__CreateContextFileObjectFileName","A16_CreateContextIrpSpParametersCreateOptions","A17_CreateContextIrpSpParametersCreateFileAttributes","A18_CreateContextDesiredAccess","A19_CreateContextIrpSpParametersCreateShareAccess","A20_CreateContextIrpSpParametersCreateEaLength","A14_VcbVcbState","A14_IrpSpParametersCreateShareAccess","A15_ReadULongNoFence_VcbCleanupCount","A16_BiasedCleanupCount","A11_FcbVcb","A12__FcbVcbVolumeName","A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb","A14_Fcb","A15_NtfsFullFileRefNumber_FcbFileReference","A16_FcbFcbState","A17_IrpSpFlags","A16_IrpContextState","A11_CreateContextCurrentFcbVcb","A12__CreateContextCurrentFcbVcbVolumeName","A13_WppCountedStringWCreateContextCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCreateContextCurrentFcbVcbVpb","A14_CreateContextCurrentFcb","A15_NtfsFullFileRefNumber_CreateContextCurrentFcbFileReference","A16_CreateContextCurrentFcbInfoFileAttributes","A17_CreateContextCurrentFcbTxfRmcbRmState","A11_ThisFcbVcb","A12__ThisFcbVcbVolumeName","A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb","A14_ThisFcb","A15_NtfsFullFileRefNumber_ThisFcbFileReference","A16_ThisFcbFcbState","A17_CreateContextIrpSpParametersCreateOptions24_0x000000ff","A18_CreateContextIrpSpParametersCreateSecurityContext
DesiredAccess","A16_ThisFcbTxfRmcbRmState","A17_CcbFlags","A16_CreateDisposition","A17_AttrTypeCode","A14_AttrCode","A15_IrpSpParametersCreateSecurityContextAccessStateOriginalDesiredAccess","A11_AttrCode","A11_CurrentFcbVcb","A12__CurrentFcbVcbVolumeName","A13_WppCountedStringWCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCurrentFcbVcbVpb","A14_CurrentFcb","A15_NtfsFullFileRefNumber_CurrentFcbFileReference","A16_CurrentFcbInfoFileAttributes","A17_NtfsDataFlags","A12_NtfsFullFileRefNumber_CurrentFcbFileReference","A13_CurrentFcbTxfRmcbRmState","A10_FILEID_FROM_SOURCEFileNLine","A11_LINENUM_FROM_SOURCEFileNLine","A13__ProcessName","A12_MarkUnusedContextDeallocatedClusters","A13__MarkUnusedContextDeallocatedClustersMcb","A11__MarkUnusedContextDeallocatedClustersMcb","A12_SrcClustersCount","A13_SrcDeallocatedClustersClusterCount","A14_SrcDsmAttrDataSetRangesLength","A13_DstClustersCount","A14_DstDsmAttrDataSetRangesLength","A15_DstFirstDataSetRangePtrLengthInBytes","A16_DstFirstDataSetRangePtrStartingOffset","A12_VcbDeallocatedClusters","A13_VcbDeallocatedClustersListLengthInTrim","A14_VcbDeallocatedClustersListLengthToDrain","A15_ClustersClusterCount","A11_VcbCloseCount","A12_TrimEntryCount","A13_DataSetRangePtrStartingOffset","A14_DataSetRangePtrLengthInBytes","A13_MarkUnusedContextNULL__MarkUnusedContextDeallocatedClustersNULLMarkUnusedContextDeallocatedClustersClusterCount1LL","A11_DeallocatedClustersToWaitForDeallocatedClusters","A10_IrpContextVcb","A11_CurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartULONGCurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartNtfsDataSystemTimeIncrementINTERVAL_ONE_SECOND0","A13_IrpContextVcb","A11_VcbDeallocatedClustersListLengthInTrim","A13_DataSetRangeStartingOffset","A14_DataSetRangeLengthInBytes","A11_SmartTrimStateSlabRangesCount","A12_SlabRangeFirstTPMapBit","A13_SlabRangeLastTPMapBit","A15_IrpSpFlags","A10_ULONGBadVcn","A11_PLARGE_INTEGER_BadVcnHighPart","A10_ULONGBadLcn","A11_PLARGE_INTEGER_B
adLcnHighPart","A11_NtfsGetCompressionBufferSize","A11_NtfsGetUsaBufferSizeVcb","A13_NtfsFullFileRefNumber_ScbFcbFileReference","A14_MoveDataStartingVcnQuadPart","A17_MoveDataStartingLcnQuadPart","A19_FlagsUseDelayedAllocation","A14_MoveDataStartingLcnQuadPart","A18_FlagsUseDelayedAllocation","A15_FcbNULLNtfsFullFileRefNumber_FcbFileReference0","A16_CcbNULLCcbFlags0","A11_ScbHeaderValidDataLengthQuadPart","A12_ScbHeaderFileSizeQuadPart","A13_QueryDaxExtentsFileOffset","A15_QueryDaxExtentsLength","A10_QueryDaxExtentsFileOffset","A11_QueryDaxExtentsLength","A10_ExtentsDescriptorNumberOfValidRuns","A12_BytesReturned","A11_ExtentsDescriptorNumberOfValidRuns","A13_BytesReturned","A10_ExtentsDescriptorRunIndexBasePage","A11_ExtentsDescriptorRunIndexPageCount","A14_RenameCleanupTargetLinkFcb","A15_NtfsFullFileRefNumber_RenameCleanupTargetLinkFcbFileReference","A16_RenameCleanupTargetLinkFcbFcbState","A16_RenameCleanupTargetLinkFcbCleanupCount","A14_ScbFcb","A15_NtfsFullFileRefNumber_ScbFcbFileReference","A16_ScbFcbInfoFileAttributes","A14_TargetParentScbFcb","A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference","A16_TargetParentScbFcbFcbState","A16_NtfsFullFileRefNumber_TargetParentScbFcbFileReference","A16__CcbFullFileName","A16__NewLinkName","A14_LcbFcb","A15_NtfsFullFileRefNumber_LcbFcbFileReference","A16_Lcb","A17_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength","A13_LocalFlagsEntireFlags","A12_LocalFlagsEntireFlags","A10_VcbBitmapScb","A10_VcbMftScb","A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb","A12_NtfsDataDiskFlushContextCompletedWorkItemListFlink","A12_IrpContextVcb","A13_IrpSpMinorFunction","A14_CcbNULLCcbAccessFlags0","A14_ActiveRmCount","A15_DefaultRmActive10","A11_PVOIDVcbTxfVcbDefaultRm","A12_VcbTxfVcbDefaultRmNULL_VcbTxfVcbDefaultRmRmIdNULL","A12__VolumeLabel","A13__VcbDeviceName","A14_CcbAccessFlags","A12_IrpRequestorMode","A12_IrpSpFileObject","A14_DasdCcbNULLDasdCcbAccessFlags0","A16_ScbFcbFcbState","A17_HandleInfoHandleInfo",
"A10_PVOIDVcb","A11_IrpContextVcb","A12__IrpContextVcbVolumeName","A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb","A14_NtfsDataFlags","A11_VcbVcbState","A10_ScrubResumeContextSystemScbIndex","A11_ScrubResumeContextResumeVcn","A12_ScrubResumeContextResumeVcnOffset","A11_ScbTxfScb","A11_ScrubContextOperationStatus","A12_ScrubContextNumberOfBytesRepaired","A13_ScrubContextNumberOfBytesFailed","A14_ScrubContextErrorFileOffset","A15_ScrubContextErrorLength","A16_ScrubContextParityExtentDataNumberOfParityExtents","A14_ScrubContextParityExtentDataNumberOfParityExtents","A12_IrpCancel","A13_ScrubContextParityExtentDataNumberOfParityExtents","A11__ScbAttributeName","A11_DsmRangeStartingOffset","A12_DsmRangeStartingOffsetDsmRangeLengthInBytes","A13_DsmRangeLengthInBytes","A12_ScrubContextErrorFileOffset","A14_ScrubContextOperationStatus","A15_ScrubContextNumberOfBytesFailed","A16_ScrubContextNumberOfBytesRepaired","A11_RepairDataSetRangeStartingOffset","A12_RepairDataSetRangeStartingOffsetRepairDataSetRangeLengthInBytes","A13_RepairDataSetRangeLengthInBytes","A11_RepairCopiesOutputStatus","A16_Scb","A17_ScbAttributeTypeCode","A18__ScbAttributeName","A14_TypeOfOpen","A15_ScbFcb","A16_NtfsFullFileRefNumber_ScbFcbFileReference","A17_CcbNULL_CcbFullFileNameNULL","A18_IrpRequestorMode","A11_TypeOfOpen","A13__VcbVolumeName","A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb","A18_VcbVcbState","A16_CcbNULL_CcbFullFileNameNULL","A17_IrpRequestorMode","A17_VcbVcbState","A14_NtfsFullFileRefNumber_FcbFileReference","A15_CcbNULL_CcbFullFileNameNULL","A16_CcbNULLCcbAccessFlags0","A13__DeletedFiles","A13__FileNameToDelete","A11_OutputNumBadRanges","A11_FsInputRangesFsInputRangeIndexFileOffset","A12_FsInputRangesFsInputRangeIndexVolumeOffset","A13_FsInputRangesFsInputRangeIndexLengthInBytes","A12_BOOLEANAbnormalTermination","A10_Table","A11_ParentScb","A12__ParentScbScbTypeIndexNormalizedName","A13_RemainingName","A10_Fou
ndLcb","A11__FoundLcbExactCaseLinkLinkName","A11_NewHashEntryHashValue","A12_NewHashEntryFullNameLength","A13_NewHashEntryHashLcb","A14__NewHashEntryHashLcbExactCaseLinkLinkName","A11_HashValue","A12_HashLcb","A13__HashLcbExactCaseLinkLinkName","A11_VcbCheckpointInjectionCount","A12_VcbWaitForCcLoggedDataActivityCount","A11_VcbCleanCheckpointCount","A11_VcbOverflowedDPTCount","A11_VcbFuzzyCheckpointCount","A11_VcbFlushOldestFOCount","A11_NtfsFullSegmentNumber_ScbFcbFileReference","A11_DirtyPageContextOldestFileObject","A11_IrpContextTransactionId","A11_IrpContextOriginatingIrp","A12_PsGetCurrentThread","A11_ActiveLsnQuadPart","A11_ClustersClusterCount","A12_ClustersClusterCount","A13_ClustersLsnQuadPart","A14_ClustersFlags","A12_ULONGClusterCount","A11_StartingLcnStartingIndex","A10_McbScb","A12_IrpContextExceptionStatus","A10_IrpContextLogFullReason","A11_BackTrace0","A12_BackTrace1","A13_BackTrace2","A14_BackTrace3","A15_BackTrace4","A16_BackTrace5","A17_BackTrace6","A18_BackTrace7","A19_BackTrace8","A20_BackTrace9","A21_BackTrace10","A22_BackTrace11","A23_BackTrace12","A24_BackTrace13","A25_BackTrace14","A26_BackTrace15","A27_BackTrace16","A28_BackTrace17","A29_BackTrace18","A30_BackTrace19","A14_GetExceptionCode","A14_PULONGLONG_NextScbFcbFileReference","A10_IrpSpParametersWriteByteOffsetHighPart","A11_IrpSpParametersWriteByteOffsetLowPart","A11_IrpSpParametersWriteByteOffsetHighPart","A12_IrpSpParametersWriteByteOffsetLowPart","A10_IrpSpMajorFunction","A11_IrpSpMinorFunction","A12__VcbTxfVcbDefaultRmRmId","A11_VcbLogFileObject","A11_FileRecordSegmentNumberHighPart","A12_FileRecordSegmentNumberLowPart","A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment","A14_AttributeTypeCode","A15_LogRecordRecordOffset","A14_PATTRIBUTE_RECORD_HEADERDataTypeCode","A14_NtfsFullSegmentNumber_FileReference","A16_ThisFcbTxfFcbTxfNumWriters","A16_ThisFcbInfoFileAttributes","A17_CcbNULLCcbAccessFlags0","A11_ScbTotalAllocated","A11_CurrentClustersLsnQuadPart","A11_ClustersFlags
","A10_FlagOnClustersFlagsDEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL","A11_ScbVcb","A12__ScbVcbVolumeName","A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb","A16_TxfFcbFlags","A17_ShareMode","A16_GrantedAccess","A14_PVOIDTxfRmcb","A15__TxfRmcbRmId","A16_PVOIDTxfTrans","A17__TxfTransKtmUow","A11_PVOIDTxfRmcb","A12__TxfRmcbRmId","A14__TxfTransKtmUow","A11_PVOIDCalloutParametersTxfFlushTxfRmcb","A12__CalloutParametersTxfFlushTxfRmcbRmId","A13_GetExceptionCode","A14_VcbTxfVcbFlags","A12_PVOIDVcb","A11_GetExceptionCode","A13_PVOIDVcb","A11_PVOIDVcb","A11_NT_SUCCESSStatusSucceededFAILED","A12_PVOIDTxfRmcb","A13__TxfRmcbRmId","A13__ClfsRestartAreaRmId","A14_AbnormalTerminationabnormaltermination","A11_TxfIsDefaultRmTxfRmcbdefaultsecondary","A14_ForceDirtyShutdownDIRTYCLEAN","A16_FcbCleanupCount","A13_PVOIDTxfTrans","A11_RmRootFcbVcb","A12__RmRootFcbVcbVolumeName","A13_WppCountedStringWRmRootFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHRmRootFcbVcbVpb","A14_RmRootFcb","A14_BackupInfoFlags","A12_PVOIDFileObject","A12_TransactionAlreadyPreparedPREPARED","A13__TxfTransKtmUow","A11_PVOIDTransTxfRmcb","A12__TransTxfRmcbRmId","A14__TransKtmUow","A11_CallStack0","A12_CallStack1","A13_CallStack2","A14_CallStack3","A15_CallStack4","A12_PVOIDTrans","A13__TransKtmUow","A14_PVOIDTrans","A15__TransKtmUow","A14__OldestTransKtmUow","A15__OldestTransKtmUow","A13_PVOIDTransToDereference","A14__TransToDereferenceKtmUow","A13_IsEncrypted_TopsFcbInfoencryptedcompressed","A12_VcbFirstValidUsn","A12_FirstValidUsn1","A12_UsnJournalHeaderAllocationSizeQuadPart","A13_UsnJournalHeaderFileSizeQuadPart","A14_UsnJournalHeaderValidDataLengthQuadPart","A15_UsnJournalTotalAllocated","A15_Fcb","A12_IrpContextOriginatingIrp","A13_PsGetCurrentThread","A14_ScbHeaderAllocationSizeQuadPart","A15_ScbHeaderFileSizeQuadPart","A16_ScbHeaderValidDataLengthQuadPart","A17_ScbTotalAllocated","A12_NtfsFullSegmentNumber_BugCheckFileReference","A12_IrpContextTopLevelIrpContextExceptionStat
us","A14_ByteRange","A15_HIGHEST_WRITABLE_SECTOR_ON_ACTIVE_VOLUMEVcbSectorSizeInfoLogicalBytesPerSector","A12_ptrdiff_tScb","ProcessPID","SingleSignOn","TargetMachine","TargetService","TargetIP","TargetNetworkName","NtlmUsageId","NtlmUsageReason","NegotiatedFlags","NtlmVersion","SessionKeyStatus","ChannelBindingStatus","ServiceBinding","MicStatus","AvlFlags","AvlFlagsStr","RemoteClientMachine","ClientNetworkName","AvFlags","AvFlagsStr","StatusMsg","RemovalPolicy","RequestDuration_100ns","CommandTag","CDW10","CDW11","CDW12","CDW13","CDW14","CDW15","OPC","SQID","DW0","DW1","SCT","SC","DNR","NSID","PRP1","PRP2","NamespaceID","VwcEnabled","ResetStatus","Reject_Scan_Request","AlgorithmId","SSIDCount","SSIDList","Set_DesiredBSSType","BSSIDCount","BSSIDList","AuthCount","AuthAlgorithm","ExpectedCounter","ReceivedCounter","ExpectedVer","ReceivedVer","FrameSequence","SrcMAC","DestMAC","Send_1X_packet_G2","Send_1X_packet_M2","Send_1X_packet_M4","Send_1X_packet","bBlockOidsDueToLowPowerState","QueryAdapterSync_Error","RequestAdapterSync_Error","CallAdapterSync_Error","EndPointType","IHV_Serialization_Enabled","ResetType","DefaultMIB","Reject_Reset_Request","Association_Start","Association_Completion","DisAssoc","PortState_Auth_Failed","SetPortState","Controlled","Authorized","OldPowerState","NewPowerState","Halting","ConfiguredOpMode","IMSupportedOpModes","MiniPortSupportedOpModes","CipherAlgoId","Len","PowerMgmtMode","PowerMgmtModeSupported","Halted","RxUnicastCount","TxBroadcastCount","RxBroadcastCount","TxMulticastCount","RxMulticastCount","TimeDiffMs","TxUnicastCount","SecurityEndpoint","DisconnectInStandby","EnforceDs","BufferAnnotation","pNwifiNbl","pNwifiNblContext","pTOS","pBOS","pOriginalNBL","pOriginalNblContext","Account","MinutesSinceLastSync","FailedFileCount","ServerIsDir","ClientDeleted","ServerChanged","ServerLastWriteTime","ServerChangeTime","ServerAttributes","ServerSize","SyncState","SyncStateText","ClientIsDir","ClientChanged","ClientIsSparse","ClientCreate
dOffline","ClientDeletedOffline","ClientLastWriteTime","ClientChangeTime","ClientAttributes","ClientSize","ServerDeleted","EAPMethodType","RootCauseString","UserDataSize","UIRequestCode","ProfilesCount","AuthMode","EapMethodType","AuthIdentity","UIRequestSessionId","ExplicitCredentials","FileIdentifier","ExeptionFlags","OldMajorVersion","OldMinorVersion","NewMajorVersion","NewMinorVersion","ExistingValue","AdjustedValue","serverAddress","errCode","templateName","OTPUserName","DataSourceId","BlockNumber","BlockLength","ReadSize","wimHashFile","wimFile","StateType","ConsistencyHypothesis","Locality","EnumType","Items","OldCollectionId","NewCollectionId","AccountOwner","Rating","RatingsSystem","DescriptorCount","Descriptor","RatingSystemID","CategoryCount","Sender","RecipientCount","Recipient","AttachmentName","ReceivedTime","EmailAccount","PML","Album","ExplicitContent","ConversationID","RequestingIP","JoiningIP","JoiningUser","MemberCount","LeavingIP","LeavingUser","SenderIP","Blocked","OldName","OldAddress","NewAddress","OldID","NewID","UserID","RuleID","Decision","BlockedCategories","SerializedApplication","Referrer","Telemetry","CreationTime","TimeUsed","ContentProviderId","ContentProviderTitle","Ratings","ScenarioID","HiddenPartitionsCount","HiddenPartitions","TransformName","TransformTimeline","SubscriberNotificationScenario","NumberOfPredictions","TransformList","CurrentBootMatchingPcrsBitmap","DeviceDesc","FirmwareResourceId","MeasurementsFilename","FirmwarePcrChangeMask","Send/Receive","SendReceive","ResiliencyType","ClientReferences","Transation_Id","References","ActivatorToken","Reference/Dereference","ReferenceDereference","PDC_received_display_notification","PDC_received_monitor_request_exit_at","At","ConnectedSessionCount","ConsoleSessionId","OnRequestCurrent","OnRequestProcessed","OffRequestCurrent","OffRequestProcessed","BlockingActive","BlockingScenarioCount","BlockingEscapeCount","BlockingPowerPressCount","PDC_monitor_handler_activated_at","PDC_PdcCs
EnterExit_handler_activated_at","AppsSvcs","DisableInputToPLMEntry","DisableInputToDAMEntry","DisableInputToLowPowerEpochEntry","PhaseTimesConnection","PhaseTimesPresence","PhaseTimesPlmAndResiliencyNotification","PhaseTimesMaintenance","PhaseTimesDamAndLowPower","ResiliencyExitToLowPowerEpochEntry","ResiliencyExitToDAMEntry","ResiliencyExitToPLMEntry","PhaseTimesResiliencyAndResiliencyNotification","PhaseTimesLowPowerAndDam","PhaseTimesPlmAndPresence","PhaseTimesConnectionAndMaintenanceAndScreenOn","CsDuration","Console_Display_Off_request_status","ResiliencyClientCount","ResiliencyContext","Status/Active","TaskClient","PdcMessage","ClientIdCount","ClientIdList","TestClient","DripsCount","PlatformIdleTranstions","PlatformIdleCount","DripsTimeInUs","DripsTranstions","PlatformIdleTimeInUs","StateCount","States","Acquire","PdcVersion","TaskNameLength","SubTaskLength","SubTaskName","ActivationCount","ActivationsUpCounter","ExpectedMaximumDuration","ActivationHandle","ActivationDuration","RenewalUpCounter","ErrorDetail","BrokeredForPID","DiagStringLength","DiagString","CountChange","WasWorkItemQueued","PreviousTargetPhase","NewTargetPhase","CurrentPhase","IsHandlerEngaged","NotificationsState","NotificationsStatus","PdcSequenceId","EntryWaitTimeInSeconds","EntryWatchdogTimeoutInSeconds","EngageCount","EngageHandlerTotalTime","EngageHandlerNotificationsTotalTime","DisengageCount","DisengageHandlerTotalTime","DisengageHandlerNotificationsTotalTime","PhaseTotalTime","CurrentPhaseNotificationsState","CurrentPhaseNotificationsStatus","CurrentPhasePdcSequence","CallbackStatus","CallbackPdcSequence","SystemIdle","FunctionNameLength","ArgumentNameLength","ArgumentName","HResultParam","WindowID","DoubleParam","FloatParam","RangeMin","RangeMax","ControlId","RectLeft","RectTop","RectRight","RectBottom","ControlName","ControlToolTip","Rect.Left","Rect.Top","Rect.Right","Rect.Bottom","NewZoom","TranslationDelta.X","TranslationDelta.Y","TranslationDelta.IsInertial","TranslationDelta.
AnchorPointX","TranslationDelta.AnchorPointY","TranslationDeltaX","TranslationDeltaY","TranslationDeltaIsInertial","TranslationDeltaAnchorPointX","TranslationDeltaAnchorPointY","Aspect","PageIndex","PageSetId","MailtoProtocolString","Page.Id","PageId","IsCancelled","BooleanParam","PageNumber","PageRectLeft","PageRectTop","PageRectRight","PageRectBottom","SameWindow","ScriptUniqueIdentifier","ScriptMetadata","ScriptCompletedSuccessfully","ModelType","2S","NativeError","OdbcApi","ObjectCount","ProcName","IOCompletionNTSTATUS","Available","Required","TraceMergePropertyName","ProfileIds","TotalEvents","DetailLevel","ProfileXml","EventSessionType","DebugType","UnsafeShutdownCount","BaselineUnsafeShutdownCount","LostDataPersistence","LostWritePersistence","FatalError","LostDataPersistenceImminent","LostWritePersistenceImminent","FatalErrorImminent","NvdimmNotArmed","FatalStatus","CriticalStatus","NonCriticalStatus","SpareBlocksRemainingPercentage","LifetimePercentageUsed","AlarmTrip_SpareBlocksRemaining","AlarmTrip_MediaTemperature","AlarmTrip_ControllerTemperature","MediaTemperatureInMultiple","ControllerTemperatureInMultiple","AitDramStatus","LastShutdownStatus","HealthCheckStatus","IsEnergyBacked","EnergySourceFailed","EnergySourceHealthCheckStatus","VendorSpecificDataSize","VendorSpecificData","SecurityState","PersistentMemoryDiskGuid","IRP 
MJ","IRPMJ","NTSTATUS_code","InterleaveSetSize","InterleaveSet","PhysicalNvdimmGuid","NvdimmHealthStatus","DurabilityMode","CertificationArea","FailureMessage","RestartAddress","RestartLength","VolatileMemory","PersistentMemory","Overflow","NumErrorRecords","DisablePowerfailPersistence","IoDeviceState","DsmStatus","PageAdded","NewRangeCount","RemoveRangeCount","CachedLength","DeviceLength","DirTagIn","PacketsIn","BytesIn","DirTagOut","PacketsOut","BytesOut","EdgeName","EdgeId","IpAddress1","IpAddress2","Port1","Port2","TCPFlags","DestinationMAC","SourceMAC","PktGroupId","PktCount","AppearanceCount","DirTag","DropLocation","PktNumber","OriginalPayloadSize","LoggedPayloadSize","PktContext","DriveLetters","IsEnterprise","FullChargedCapacity","BatteryTag","InformationLevel","ChargingSourceType","VaData","OemCharger","CurrentActivityId","ParentActivityId","currentActivityId","parentActivityId","Connection_URI","Resource_URI","OpenTimeout","CancelTimeout","AuthenticationMechanism","Thumb_Print","MaxUriRedirectionCount","MaxReceivedDataSizePerCommand","MaxReceivedObjectSize","shell","opentimeout","idletimeout","canceltimeout","auth","thumbPrint","redircount","recvdDataSize","recvdObjSize","AmsiContext","DeserializedType","CastedToType","RehydratedType","TypeCastException","TypeCastInnerException","Serialized_type_name","Original_depth","Overriden_depth","Current_depth_below_top_level","SerializedType","OriginalDepth","OverridenDepth","CurrentDepthBelowTopLevel","Overriden_mode","OverridenMode","InnerException","TypeBeingEnumerated","Object_type_at_max_depth","Property_name_at_max_depth","TypeOfObjectAtMaxDepth","PropertyNameAtMaxDepth","Line_number","Line_position","LinePosition","TypeOfObjectWithMissingProperty","SignalCode","Object_Id","Fragment_Id","Start_Flag","End_Flag","Payload_Length","Payload_Data","FragmentId","sFlag","eFlag","FragmentPayload","HostingMode","endpointName","hostingMode","configuration","WorkflowId","ManagedNodes","workflowId","managedNodes","Config
Name","AllowedValue","ValueInQuestion","configName","allowedValue","valueInQuestion","ManagedNode","managedNode","activityTypeName","XamlFile","xamlFile","errorDescription","ActivityDisplayName","activityDisplayName","activityType","failureDescription","Availability","runspaceId","availability","ParentJobId","ChildJobId","ChildWorkflowId","parentJobId","childJobId","childWorkflowId","PersistPath","persistPath","EndpointType","RegisteredBy","endpointType","registeredBy","ModifiedBy","modifiedBy","UnregisteredBy","unregisteredBy","DisabledBy","disabledBy","EnabledBy","enabledBy","Computers","computers","CheckpointPath","ConfigProviderId","checkpointPath","configProviderId","ContainerParentJobInstanceId","WorkflowJobJobInstanceId","WorkflowJobInstanceId","ProxyJobInstanceId","ProxyChildJobInstanceId","CurrentLine","ScheduledJobDefName","GeneratedChecksum","ExpectedChecksum","DestFile","ExceptionSeen","ElevationRequired","IconResID","NewDriver","PrintProcessorName","LanguageMonitor","DirectoryName","NumberOfForms","LogLevel","ProcessorName","DestinationFile","PrintProcessorArchitecture","DriverArchitecture","Label","InfPath","InstallSection","PackageAware","CoreDriverDependencies","DriverSource","OriginalDriver","RestrictionReason","JobOrDocumentName","SucceededRpcCalls","FailedRpcCalls","AccessCode","DestInfPath","RequiredClassDriver","ClassDriverOnly","NonClassDriverOnly","EmptyToken","IncorrectNumberOfTokens","WaitForReboot","EndPoint","ValidatedProtocolSequence","ExpectedProtocolSequence","WindowsStarterEdition","SuiteStorageServer","SystemPrintingDisabled","SuiteBlade","SuiteEmbeddedRestricted","SuiteComputerServer","PrintProcessor","IsXpsPrinter","LocalPrintProcessor","RemotePrintProcessor","DefaultPrintProcessor","LocalDataType","RemoteDataType","DefaultDataType","DocumentName","PrintQueue","ErrorInfo","PrinterPath","PrinterAge","ExpiryAge","FailingLine","AutoAccepted","DatabaseVersion","OldDatabaseVersion","NewDatabaseVersion","RuntimeVersion","ContextString","R
untimeMajorVersion","DatabaseMajorVersion","CallerId","Partner","DownloadResult","CapabilityName","CapabilitySid","PureWorkItems","SystemWorkItems","MixedWorkItems","NetworkTokens","ResolverMap","DialogType","Deprecated_component","DeprecatedComponent","TokenDataSize","TokenData","PCA_Trigger_event","Uptime","SchemaId","SchemaNamespace","ErroneousValue","ErroneousXPath","PropertyCanonicalName","ErroneousFmtid","ErroneousPid","SemanticTypeCanonicalName","SemanticTypePublisher","SemanticTypeProduct","SemanticTypeSourceUrl","AutoPilot_configuration_file_path","File_path_source","Pointer1","HrResult","DeviceCategory","Integer4","TransportType","HrConnectResult","IsConnected","NumApps","ControlChannelTriggerStatus","ProxyHostName","Privilege","NewPrivilege","ResultedPrivilege","CountApplication","MaximumApplication","OldMaximumApplication","NewMaximumApplication","CountAllocated","CountInboxApps","CountPreinstallApps","WpnRecurrence","PdcType","PdcScenario","ScenarioData","PdcNetRefCount","PdcPlatRefCount","BatchingState","DisplayStatus","NetworkCost","Costly","DateSource","BillingCycle","FeatureSet","AuthPayloadSize","AuthPayload","BindPayloadSize","BindPayload","Sending_Channel_WNP_Protocol_command","Sending_Revoke_WNP_Protocol_command","Sending_Options_WNP_Protocol_command","WNP_Protocol_command_response","WNP_Protocol_delivered_notification","MsgId","Sending_Ack_WNP_Protocol_command","Nonce","CommandTrid","ServerKaHint","IdleSucceededInterval","IdleFailedInterval","IdleSucceededCount","PowerManagementType","InitCount","PdcReason","ConnectorId","NotificationSource","Duetime","Callback_unregistered","Mobile_Broadband_Tile_Cap_Queried","SettingsValue","Mobile_Broadband_Tile_Cap_Changed","Mobile_Broadband_Tile_Usage_Queried","WakeupTime","IsValid","WNFEventNameLength","WNFEventName","PhoneVoipAgentId","QueueIndex","OverridedNotificationId","OverridingNotificationId","SessionMask","UpdateIndex","KeystoneNotificationId","KeystoneFlag","Appspace","RequestCountInHighPriority
","RequestCountInMedPriority","RequestCountInLowPriority","PriorityIndex","URLCount","URLComplete","SlotIndex","BITSPriority","IsTile","IDM_Enabled","UpdateControl","RequestControl","NewNotificationId","OldNotificationId","DebugTrace","ChannelUri","Expiry","group","OfflineCacheCount","CacheRollover","OfflineBundleId","WorkItemName","SecondsSinceLastSentPacket","OldUserId","OldUserType","NewUserId","NewUserType","TriggerValue","IsFwdToCdpEnabled","IsMirrorMasterSwitchEnabled","MirroringEnabled","IsGPEnabled","MatchOnNotificationId","SendSpec.TokenRate","SendSpec.TokenBucketSize","SendSpec.PeakBandwidth","SendSpec.Latency","SendSpec.DelayVariation","SendSpec.ServiceType","SendSpec.MaxSduSize","SendSpec.MinimumPolicedSize","DsClass","TrafficClass","QoSObjectBufferLen","QoSObjectBuffer","DefaultSystemFlow","SendSpecTokenRate","SendSpecTokenBucketSize","SendSpecPeakBandwidth","SendSpecLatency","SendSpecDelayVariation","SendSpecServiceType","SendSpecMaxSduSize","SendSpecMinimumPolicedSize","NewQoSObjectBufferLen","NewQoSObjectBuffer","AffectedPackets","NdisMediumType","FriendlyNameLen","DeviceNameLen","OldSendSpec.TokenRate","OldSendSpec.TokenBucketSize","OldSendSpec.PeakBandwidth","OldSendSpec.Latency","OldSendSpec.DelayVariation","OldSendSpec.ServiceType","OldSendSpec.MaxSduSize","OldSendSpec.MinimumPolicedSize","NewSendSpec.TokenRate","NewSendSpec.TokenBucketSize","NewSendSpec.PeakBandwidth","NewSendSpec.Latency","NewSendSpec.DelayVariation","NewSendSpec.ServiceType","NewSendSpec.MaxSduSize","NewSendSpec.MinimumPolicedSize","OldSendSpecTokenRate","OldSendSpecTokenBucketSize","OldSendSpecPeakBandwidth","OldSendSpecLatency","OldSendSpecDelayVariation","OldSendSpecServiceType","OldSendSpecMaxSduSize","OldSendSpecMinimumPolicedSize","NewSendSpecTokenRate","NewSendSpecTokenBucketSize","NewSendSpecPeakBandwidth","NewSendSpecLatency","NewSendSpecDelayVariation","NewSendSpecServiceType","NewSendSpecMaxSduSize","NewSendSpecMinimumPolicedSize","DroppedPackets","PacketsScheduled"
,"PacketsTransmitted","BytesScheduled","BytesTransmitted","NblSent","NblComplete","Wmm","Allow","IneligibleCount","IneligibleFirstDelta","IneligibleLastDelta","FlowId","SetFlowType","Failure Activity","Failure Error Code Type","Failure Error Code","FailureActivity","FailureErrorCodeType","FailureErrorCode","LLTD Supported","LLTDSupported","QueryFlowType","NotifyFlowType","TrafficType","SourceAddressLen","Bottleneck Bandwidth","Is 802.1p Supported","BottleneckBandwidth","Is8021pSupported","Available Bandwidth","AvailableBandwidth","Process ID","QoS Handle","QoSHandle","Local Collection Error","Remote Collection Error","Cross Traffic Collection Error","Path Analysis Result","Remote Analysis Result","Local Analysis Result","LocalCollectionError","RemoteCollectionError","CrossTrafficCollectionError","PathAnalysisResult","RemoteAnalysisResult","LocalAnalysisResult","Source Address","Quiescent","Offlink","Non-LLTD Enabled Machine","NonLLTDEnabledMachine","LLTD Enabled Machine","LLTDEnabledMachine","RequestedBandwidth","NumBursts","Start_Port","End_Port","ProtocolID","Start_Address","End_Address","TSID","fDelete","RoutingDomainID","RRASUserName","ConfigurationFilename","ConfigurationExportTime","LastConfigUpdateTimeString","CoId","arg3","ErrorSource","FreeSpace","ReadRate","WriteRate","IORate","StringLabel","Test_result","HbdrvSpeedTestResult","DiskSeqReadKbps","DiskSeqWriteKbps","FlashSeqReadKbps","FlashSeqWriteKbps","FlashRndReadKbps","ClusterSizeBytes","VolumeSizeBytes","FreeSpaceBytes","RedoLogLcnCount","LogicalSectorSizeBytes","PhysicalSectorSizeBytes","ActualPhysicalSectorSizeBytes","VolumeIdForHeat","RootIntegrityStream","UsnSize","SecurityDescStreamSize","DurationMicroSec","DebugVersion","DebuggerEnabled","SsdTierSize","ReadCacheSize","ReadCacheLineSize","ContainerRotationEnabled","DeleteNotificationDisabled","VcbState","VcbState2","CheckpointVirtualClock","LastWriteTime","BootSectorFlags","RefsDataFlags","LastShutdownWasDirty","StreamsSupported","UserStreamsAvaila
ble","SizeOfRandomlyWriteableTier","SizeOfSmrTier","LogRestartStartLsn","LogRestartLastLsn","LogRestartDurationMicroSec","Progress","MajorVersionExpected","MinorVersionExpected","MajorVersionOnDisk","MinorVersionOnDisk","FillRatio","High_latency_IO_count","Failed_writes","Failed_reads","SampleDuration","FreeSpaceInRandomlyWriteableTierMin","FreeSpaceInRandomlyWriteableTierMax","FreeSpaceInRandomlyWriteableTierAvg","FreeSpaceInSMRTierMin","FreeSpaceInSMRTierMax","FreeSpaceInSMRTierAvg","UsableFreeSpaceInSMRTierMin","UsableFreeSpaceInSMRTierMax","UsableFreeSpaceInSMRTierAvg","WriteSerializationAbortedWrites","WriteSerializationEvents","WriteSerializationLatencyAvg","WriteSerializationLatencyMax","WriteSerializationBlockedEvents","WriteSerializationBlockedLatencyAvg","StartGCCallsInvoked","StartGCCallsFailed","StartGCFullSpeedCallsInvoked","StartGCFullSpeedCallsFailed","PauseGCCallsInvoked","PauseGCCallsFailed","StopGCCallsInvoked","StopGCCallsFailed","FullSMRBandClusterAllocations","SharedSMRBandClusterAllocations","GCReadLatencyTotal","GCReadLatencyAvg","GCReadLatencyMax","GCTotalReadIOs","GCWriteLatencyTotal","GCWriteLatencyAvg","GCWriteLatencyMax","GCTotalWriteIOs","DiskFullRequiresGC","SMRZoneFull","CMRZoneFull","InvalidSectorErrors","IoDeviceErrors","IoUnalignedWrite","WriteErrors","ReadErrors","SMRWriteHeadRequeries","RegionNonCompactibleAllocated","RegionStartOfRange","RegionCountOfRange","RegionFlags","RegionFreeCount","RegionFreeBits","RecentlyDeallocatedTrimBits","Pos","StartOfRange","CountOfRange","StreamSnapshotCreateOperationCount","StreamSnapshotCreateOperationDurationMicrosSec","StreamSnapshotCreateOperationMaxDurationMicroSec","StreamSnapshotListOperationCount","StreamSnapshotListOperationDurationMicrosSec","StreamSnapshotListOperationMaxDurationMicroSec","StreamSnapshotQueryDeltasOperationCount","StreamSnapshotQueryDeltasOperationDurationMicrosSec","StreamSnapshotQueryDeltasOperationMaxDurationMicroSec","StreamSnapshotRevertOperationCount","StreamSnap
shotRevertOperationDurationMicrosSec","StreamSnapshotRevertOperationMaxDurationMicroSec","StreamSnapshotSetShadowBTreeOperationCount","StreamSnapshotSetShadowBTreeOperationDurationMicroSec","StreamSnapshotSetShadowBTreeOperationMaxDurationMicroSec","StreamSnapshotClearShadowBTreeOperationCount","StreamSnapshotClearShadowBTreeOperationDurationMicroSec","StreamSnapshotClearShadowBTreeOperationMaxDurationMicroSec","StreamSnapshotErrorCount","NumberOfDirtyMetadataPages","NumberOfDirtyTableListEntries","Dismount_notification_duration","DismountNotificationDurationStr","DismountNotificationDurationMs","DismountDurationStr","DismountDurationMs","NumberOfDirtyMetadataPagesOnDismountBegin","NumberOfDirtyTableListEntriesOnDismountBegin","PagesDirtiedDuringDismount","RepairDetail","RepairDataLength","RepairData","ActionTaken","ExecutionTime","CalculationEndingTime","RacError","Stability","InvalidCAServers","OldWorkspace","NewWorkspace","FailureList","WarningList","ConnectToAddress","NLSLocation","NLSCertificateName","NLSurl","NodeType","GPOName","SGType","SGList","DAConfiguration","RootCert","Intermediatecertused","Mgmtserverlist","DnsAddresses","Webproxyserver","MsgAuth","VPNAuthType","Addressassignmenttype","Purpose","RadiusPort","RadiusScore","Radiusserveraddress","Radiustimeout","RemoteAccessType","InternalVIPs","InternalDIPs","InternetVIPs","InternetDIPs","RALBType","RemoteAccessServerName","VPNStartAddress","VPNEndAddress","SGName","AppServerConnectionType","IPsectrafficprotection","RAActionType","RAAcctType","FromDate","EndDate","StoreLimit","UserNameIP","GroupPolicyobjectAction","GroupPolicyobjectName","IPsecRuleName","FirewallRuleName","GroupPolicyobjectNameorId","GlobalLoadBalancingFQDN","EnterpriseName","EntryPointName","EntrypointName","GloballoadbalancingIPaddress","DAInstallType","CurrentEntryPointName","NewEntryPointname","NLBType","MonitorId","MonitorName","FromStateName","ToStateName","DateStr","TimeStr","operationState","HeuristicIdListLen","HeuristicIdList",
"RadiusName","ErrorReason","CertificateEnrollmentRequestUserName","CurrentActiveServerName","FailoverServerName","failedComponent","TransitionTechnology","ISATAPRouterName","ISATAPPrefix","IPHTTPSprefix","NAT64Prefix","Certhash","IISFilterPrefix","SortedServersNames","StartIPAddress","EndIPAddress","IPHttpsPrefix","RasIPv6prefix","InternalinterfaceGUID","ResourceURL","Discovery_hint","Hint","RemoteAppName","Entering_conditional_block_at_Line","Exiting_conditional_block_at_Line","Remote_OS_Type","FlushTimeMs","FlushIntervalMs","TLSVersion","RequestedMode","AppliedMode","RTT","IPString","AVC_hardware_encoder_enabled","IsHardwareEncode","EncoderMFTName","ConnectionID","task","RDBSS_Name_Canonicalize_Error","Create_VNetRoot_Error","RxContext","Fobx","LogicalPathFromLength","LogicalPathFrom","PhysicalPathFromLength","PhysicalPathFrom","LogicalPathToLength","LogicalPathTo","PhysicalPathToLength","PhysicalPathTo","SrvOpen","SystemCommitLimit","SystemCommitCharge","ProcessCommitCharge","PagedPoolUsage","PhysicalMemorySize","PhysicalMemoryUsage","NonPagedPoolUsage","TotalProcesses","PagedPoolTag_1","PagedPoolUsed_1","PagedPoolTag_2","PagedPoolUsed_2","PagedPoolTag_3","PagedPoolUsed_3","NonPagedPoolTag_1","NonPagedPoolUsed_1","NonPagedPoolTag_2","NonPagedPoolUsed_2","NonPagedPoolTag_3","NonPagedPoolUsed_3","Process_1_Name","Process_1_ID","Process_1_CreationTime","Process_1_CommitCharge","Process_1_HandleCount","Process_1_Version","Process_1_TypeInfo","Process_2_Name","Process_2_ID","Process_2_CreationTime","Process_2_CommitCharge","Process_2_HandleCount","Process_2_Version","Process_2_TypeInfo","Process_3_Name","Process_3_ID","Process_3_CreationTime","Process_3_CommitCharge","Process_3_HandleCount","Process_3_Version","Process_3_TypeInfo","Process_4_Name","Process_4_ID","Process_4_CreationTime","Process_4_CommitCharge","Process_4_HandleCount","Process_4_Version","Process_4_TypeInfo","Process_5_Name","Process_5_ID","Process_5_CreationTime","Process_5_CommitCharge","Process_5_H
andleCount","Process_5_Version","Process_5_TypeInfo","Process_6_Name","Process_6_ID","Process_6_CreationTime","Process_6_CommitCharge","Process_6_HandleCount","Process_6_Version","Process_6_TypeInfo","EventGenerationTime","TimeSinceLastUI","DropReasonCode","TimesUIShown","MaxCommit","ResolverID","UIDisplayTime","ResolutionAttempted","ProcessCommit","FuncStatus","JobHandle","IntVal","IntVal1","IntVal2","IntVal3","memLimit","priorityClass","terminal","cbCommit","cbFailed","fReboot","fBool","pPreviousResSet","p1_UINT32","cRequests","pidRequesting","pResourceHandle","p2_RSType","RAM","IO","TempRS","p1_Pointer","p2_Pointer","p1_PID","ResourceSet","IsLegacy","p2_PID","p4_ActType","p5_HRESULT","p0_UInt32","p1_UnicodeString","AcquireRelease","UpdateRate","EmptyFlags","RmSessionId","TSSessionId","nFiles","pbBinary","SvcHostPid","nServices","nRegProcs","nRegServices","Files","RegProcs","RegServices","String1Length","String2Length","ResumeKey","RfsKey","FileAttribs","CreateDisp","FileObjectNameLength","FileObjectName","MajorFunctionName","IoStatus","IoInformation","FltStatus","ErrorState","ErrorPhase","RpcFilterKey","ImangeName","AdditionaData","AddtionalData","AdditionalData1","AdditionalData2","RPC 
Status","RPCStatus","AddionalData","AdditionalData","ObjectUuid","InterfaceUUID","ObjectUUID","AsyncResult","AsyncResultVTable","Platform","WorkPrivateIndex","workqueue","OldMode","Resolution","ExtRefCount","IntRefCount","CallbackWorkQueueID","LongRunning","WordQueueID","QoSSupported","BaseWorkQueueID","PreviousDeadline","NextDeadline","lDelay_ms","lPreDelay_ms","NextDeadline_RelToNow_us","ItemPointer","GlobalDeadline","DeltaAhead_usec","ItemID","Yield","ImmediateCount","NextDeadline_AddTimeRelNow_us","TimerPointer","IsPeriodic","Tolerance_ms","queryStatus","subscribeStatus","changeStamp","ChangeStamp","CurChangeStamp","PPMMode","QOSSupported","ProcessorGroup","ProcessorMask","dwWorkQueue","pWorkQueue","CurProcessorGroup","CurProcessorMask","NewProcessorGroup","NewProcessorMask","rtStatePointer","RegCount","llDelay","AdaptiveMediaSource","SourceBufferManager","BufferLevel","Stop Reason","StopReason","BytesTransferred","BytesTotal","AsyncOp","OpStatus","AudioDeviceId","VideoDeviceId","FocusState","MediaCapture","ThermalStatus","MediaStreamSource","EventObject","MediaStreamSample","Transcode","EngineType","transcode","remuxing","asyncOperation","asyncObject","obj1","obj2","int2","int3","int4","response","api","win32Api","bytesRead","read","port1","ip","port2","Socket_connection_established","connectorType","resolutionResult","Ignored_server_certificate_error_count","TransferType","CostPolicy","CompletionGroupId","LocationId","General_error","PowerPolicyValue","PromptLogicValue","IsResume","Behavior","NotificationInformationAvailable","TriggerId","ActivationStatus","OldOperationId","NewOperationId","RunningOperationsCount","CopiedOperationsCount","retries","bytesSent","totalBytesToSend","bytesReceived","totalBytesToReceive","responseState","pendingReceiveOperations","Context_handle","Target_name","ReaderName","Retuning_Count","RetuneCount","Hpi_Count","HpiIoCount","HpiExitReason","WorkPacketWorkerProcFunction","WorkEngineCurrentState","WorkEngineFunctionPhase","WorkEng
ineCommand","WorkEngineArgument","WorkEngineArgument64","Error_Count","CDBLength","CDB","PackedCommandCount","NumIrpsPacked","OldIndexPath","NewIndexPath","Users","MaxUsers","1Catalog","IndexesPerMergeLevel","ExpectedDocCount","MasterMergeReason","OldLength","NewLength","OldNoiseFile","NewNoiseFile","InstanceNum","ProtocolHostProcessID","DiagnosticsInfo","RequestedStatusMessage","PluginManager","ProtocolHandler","SrcFile","DstFile","CorruptionId","OldUserAccount","NewUserAccount","GPO_ID","SYSVOL_Path","GPOID","SysvolPath","Remote_File","Local_File","GPO_Name","RemoteFile","LocalFile","FirewallPolicyStore","Modifiable","CalloutInvolved","CalloutID","OriginalAccessRightsMask","OriginalAccessRights","GrantedAccessRightsMask","GrantedAccessRights","RemovedAccessRightsMask","RemovedAccessRights","FinalAccessRightsMask","FinalAccessRights","SystemAccessRightRequiredForLogon","SystemAccessRightRequiredForLogonUlong","EventIndex","SystemAccessRightSidList","LocalSystemAccessRightSidList","DenySystemAccessRight","DenySystemAccessRightUlong","DenySystemAccessRightsSidList","DenyLocalSystemAccessRightsSidList","AllowSystemAccessRight","AllowSystemAccessRightUlong","PolicyDetails","RollbackFilePath","AnalysisExtension","EntIDString","AppIDString","PolicyString","RemoteMachineName","IdentityUID","IdentityDisplayName","ClientUpn","Refresh","Current_File_Time","LuidHighPart","LuidLowPart","CurrentFileTime","Expected_Domain_Name","ExpectedDomainName","ClientAlgorithms","KdcAlgorithms","Update_Current_Passwords","Update_Old_Passwords","Previous_File_Time","UpdateCurrent","UpdateOld","LastFileTime","SvchostTag","OldAccount","NewAccount","MigrationComplete","PreviouslyAuthorized","KDC","Fetch","Expiration","KeyUpdate","NtlmUpdate","EnforcementMode","MigrationNeeded","NeededSize","RequiredSize","Realm","Forest","ShadowStackOverflowReset","Instruction_address","module_offset","Secure_Channel_name","User_name","Domain_name","Workstation_name","Secure_Channel_type","SChannelName","SChann
elType","AccountMachine","ForwarderType","ForwarderName","ForwarderDomain","ForwarderIP","ServerIP","ServerOS","RequestsRejected","DNSDomainName","Additional_Data","Kernel_policies","The_rules_engine_gathered_the_following_context_data","The_following_errors_occurred_during_license_evaluation","Unable_to_update_Windows_PID_information_in_the_registry","Sku_id","Product_key","SLSetGenuineInformation_in_sppcomapi_failed_with_the_following_error_code","LoadLibrary_call_for_loading_Sppcommdlgdll_from_SLUIexe_failed_with_error_code","SLUIexe_was_launched_with_the_following_commandline_parameters","License_Activation_sluiexe_failed_with_the_following_error_code","Commandline_arguments","AuthorizedUpgradeForPID","shKernelCacheValues","shErrorCode","AppMessage","VerificationResult","DriverId","ACGState","DriverId1","DriverId2","RealValue","success_message","Info_message","warning_message","valueName1","valueName2","Received_DLP_policy_type","Policy_Hash","Completed_processing_DLP_policy_type","Ignore_DLP_policy_type","BlobSha256","BlobEpoch","SENSOR_ID","ReportPointer","SensorStateThisSensor","SensorStateAccumulated","QuadrantAngle","SensorState","AccelerationX","AccelerationY","AccelerationZ","PitchCalibration","IsPitchGreaterThanThreshold","PitchAngle","PitchThreshold","Theta","AngularCalibration","GoodAngle","Quadrant","LastQuadrant","TimerQueueStatus","TimerQueueAction","AngularThreshold","WorkingSet","CPUUsage","SensorObjectId","ConnectedClients","SubscribedClients","SilentClients","ClientBitfield","GenericMessage","MethodId","QuadrantChangeInterval","Angle","WdfDeviceInit","WdfDevice","IsStateChangeSupported","IsDriverPowerPolicyOwner","SENSOROBJECT","SensorType","PersistentUniqueID","VendorDefinedSubType","FmtId","IntervalMs","MaxDataSize","BatchSize","pIntervalMs","pThresholds","pSize","pProperties","pDatafield","pHistoryCollection","pBytesWritten","ReportLatencyMs","PeristentUniqueId","ReportIntervalMs","PowerUsage","SensorUsage","ReportIdInCaps","ReportIdInReport"
,"IsWakeReportingStateSupported","IsWakePowerStateSupported","AbsoluteDistanceThreshold","IsPresent","IsEngaged","IsOnlookerPresent","DetectedDistance","SignalType","ControlDeviceName","IoControlCodeString","TransmitTransferSmContext","ReceiveTransferSmContext","TransferSmContext","IOCTLInputBufferLength","IOCTLInputBuffer","IOCTLOutputBufferLength","IOCTLOutputBuffer","TransferModeEvent","BytesSaved","CmdletName","PageName","Cancel","ticks","totalTicks","MI_ResultCode","win32ErrorCode","StartStop","requestGUID","ptzMessage3","facility","lasterror","MillisecondCutOff","LastErrorCode","QfeCheck","TimeElapsed","History","Milliseconds","parameterName","categories","tileName","thumbnailName","machineName","navigationItemName","navigationItemType","associatedViewDescriptorType","newNavigationItem","RoleId","Features","Icon","parentRoleId","totalCount","removedCount","elapsedTime","Targets","channel","fileLocation","DebugMessage","EventReport","DescString","PrevComponent","NewComponent","InstallerEndEvent","updateStateLoc","updateState","updateDisplayName","targetPackageState","targetPackageStateTextized","detectionType","triggerType","repaired","totalCorruption","SettingUnitId","ConflictResult","TotalOperations","CompletedOperations","SETTINGCOLLECTIONBACKUPSTATE","Completed","Total","InitialTimestamp","UpdatedTimestamp","SettingUnitTimestamp","DataStreamTimestamp","PropStoreName","FilterMode","Value4","WriteStatus","HasInternetConnection","Collection","NumberofApps","IsRoamingEnabled","RoamingReasonCode","IsBackupEnabled","BackupReasonCode","ChangesApplied","FailedChanges","MetadataStorePath","ProviderOp","Name0Data0","Name0Data1","Name1Data0","Name1Data1","WebTokenRequestStatus","SetupPhase","Statistic","Start_operation","Stop_operation","Online_gather_starts","OfflineWinDir","MachineSpecific","Online_gather_stops","Installation choice","Host OS Major version","Host OS Minor version","Host OS Build number","Host OS Service pack major number","Host OS Service pack 
minor number","Installationchoice","HostOSMajorversion","HostOSMinorversion","HostOSBuildnumber","HostOSServicepackmajornumber","HostOSServicepackminornumber","DWORD1","DWORD2","AutoLogonSettingRemovalReason","ExtOrUriScheme","HashInRegistry","ComputedHash","CurrentDefaultProgId","ShouldToast","ApplicableProfileCount","FormFactor","OEMName","Tiles","Placeholders","ItemsExisting","ItemsRemoved","ItemsUpdated","ItemsCached","Scheme","SearchView","ParameterValue","groupCount","tileCount","savedVersion","failureDetails","HResultValue","tileData","tileAumid","groupData","TemplateNameFound","MachineID","TransitionTime","ValidStartState","StartState","EndState","ActionPriority","ActionStartingState","ActionNewState","SourceGroup","DiagnosticEventId","AuthoritativeEventOrder","AuthoritativeEventLength","AuthoritativeEvent","AttestationEventOrder","AttestationEventLength","AttestationEvent","VersionNegotiationVersion","DeclaredVersionMajor","DeclaredVersionMinor","DeclaredVersionBuild","DeclaredVersionRelease","DeclaredVersionLogicalMajor","DeclaredVersionLogicalMinor","AcceptableVersionStartMajor","AcceptableVersionStartMinor","AcceptedVersionStartMajor","AcceptedVersionStartMinor","Uint","MachineGuid","uint","PDKDestinationID","PDKSectionID","DiagnosticID","FailureID","PCRIndex","RelativeOrderToPCR","UnicodeName","TemplateVersionFound","MiError","EventPayloadSizeBytes","EventPayload","InstancePath","Reader","CommandHeader","FullFileHash","AuthenticodeHash","AuthenticodeAlgorithm","MarkOfTheWeb","CallingProcessCreationTime","Enforcement","IP","ReferrerUri","ReferrerIP","HitType","NavigationType","ProductType","ActivitiyId","Exchange","ListHead","ExchangeState","ExchangeStatus","BufferCtxt","MidCharge","CurrentWindowLimit","ThrottlingWindowLimit","CurrentWindowSize","HungSession","MidWindow","OldestPendingMid","NextAvailableMid","VcEndpoint","SendMdl","SendLength","Smb2Fobx","SessionEntry","CreditRequested","AsyncId","CreditGranted","BufferContext","Smb2Command","BlockType",
"IRP","TotalDuration","Construction","HitCountConstruction","DispatchProcessing","HitCountDispatchProcessing","ReadProcessing","HitCountReadProcessing","CallMiniRdr_MRXSMB","HitCountCallMiniRdr_MRXSMB","LowIoCompletionRoutine","HitCountLowIoCompletionRoutine","CompleteIRP","HitCountCompleteIRP","PostIOCompletion","HitCountPostIOCompletion","PostIORetry","HitCountPostIORetry","AttemptTurboIORead","HitCountAttemptTurboIORead","AttemptTurboIOInit","HitCountAttemptTurboIOInit","TurboIORxCompletion","HitCountTurboIORxCompletion","WriteProcessing","HitCountWriteProcessing","AttemptTurboIOWrite","HitCountAttemptTurboIOWrite","CreateProcessing","HitCountCreateProcessing","CloseProcessing","HitCountCloseProcessing","QueryDirectoryProcessing","HitCountQueryDirectoryProcessing","FsctlProcessing","HitCountFsctlProcessing","RestartCount","ResolvingConnectionObjects","HitCountResolvingConnectionObjects","CommandProcessing","HitCountCommandProcessing","ReadStart","HitCountReadStart","ReadBuildAndSendChunks","HitCountReadBuildAndSendChunks","CommandFinalizationCallback","HitCountCommandFinalizationCallback","Finalize","HitCountFinalize","PostFinalizeWorker","HitCountPostFinalizeWorker","FinalizeWorkerHitCount","HitCountFinalizeWorkerHitCount","TurboIOStart","HitCountTurboIOStart","TurboIOComplete","HitCountTurboIOComplete","WriteStart","HitCountWriteStart","WriteBuildAndSendChunks","HitCountWriteBuildAndSendChunks","CreateStart","HitCountCreateStart","CloseStart","HitCountCloseStart","QueryDirectoryStart","HitCountQueryDirectoryStart","FsctlStart","HitCountFsctlStart","HitCountInitialized","WriteRDMABufferRegistration","HitCountWriteRDMABufferRegistration","RDMAGetDescriptors","HitCountRDMAGetDescriptors","AssociateMID","HitCountAssociateMID","Assembly","HitCountAssembly","BeginSmbSend","HitCountBeginSmbSend","BeginSmbSendAsyncPostWorkerCount","HitCountBeginSmbSendAsyncPostWorkerCount","SmbdPrepareSend","HitCountSmbdPrepareSend","ServerTimeTakenToReply","HitCountServerTimeTakenToRe
ply","ReadReceive","HitCountReadReceive","ReadRDMABufferRegistration","HitCountReadRDMABufferRegistration","WriteReceive","HitCountWriteReceive","CreateReceive","HitCountCreateReceive","CloseReceive","HitCountCloseReceive","QueryDirectoryReceive","HitCountQueryDirectoryReceive","FsctlReceive","HitCountFsctlReceive","ServerShareLength","ServerShare","CallDuration","ThresholdDuration","PersistentFID","VolatileFID","CreateGUID","PreviousStatus","PreviousReason","Days","IrpCode","HistoryCount","CipherSuiteOrder","AsymmetricFlag","IsolatedTransportFlag","IsIsolatedTransportServerEntry","ActiveRdmaResourceCount","NoOp","IsSuccess","LoadStatus","ServicePathLength","ServicePath","ComponentCapabilities","PatchNumber","TransportNameLength","TransportName","SmbDialect","OldDialect","NewDialect","ClientRequireSigning","ClientRequireEncryption","Dialect","SecurityMode","RetryCount","ElapsedTimeInMs","ClientCipherSuiteOrderLength","ClientCipherSuiteOrder","ServerChosenEncryptionCipherLength","ServerChosenEncryptionCipher","ReassembledEventID","FragmentData","PeerAddressLength","Dialect2","SecurityMode2","Capabilities2","MessageSize","OldAuthProtocolId","NewAuthProtocolId","OldMutualAuthState","NewMutualAuthState","ClusteredServer","SessionKeyLength","RequiredSessionKeyLength","AuthProtocol","AdapterAlias","RequiredSges","AdapterSupportedSges","MinValidValue","MaxValidValue","ClosestAdapterSupportedValue","AdapterIfIndex","NdkMajorVer","NdkMinorVer","EffectiveNdkMajorVer","EffectiveNdkMinorVer","MaxRegistrationSize","MaxWindowSize","FrmrPageCount","MaxInitiatorRequestSge","MaxEffectiveInitiatorRequestSge","MaxReceiveRequestSge","MaxEffectiveReceiveRequestSge","MaxReadRequestSge","MaxEffectiveReadRequestSge","MaxTransferLength","MaxEffectiveSendSize","MaxEffectiveReceiveSize","MaxInlineDataSize","MaxInboundReadLimit","MaxOutboundReadLimit","MaxReceiveQueueDepth","MaxEffectiveReceiveQueueDepth","MaxInitiatorQueueDepth","MaxEffectiveInitiatorQueueDepth","MaxSrqDepth","MaxCqDepth","La
rgeRequestThreshold","MaxCallerData","MaxCalleeData","AdapterFlags","InOrderDma","RdmaReadSinkRequired","CqInterruptModeration","MultiEngine","ReadLocalInvalidate","CqResize","LoopbackConnections","LocalNetAddressSize","LocalNetAddress","RemoteNetAddressSize","RemoteNetAddress","ApplicationInitiated","TimedOut","LocalNetworkAddressSize","RemoteNetworkAddressSize","ViolationType","NdkConnectStatus","NdkCompleteConnectStatus","NdkReceiveStatus","NdkSendStatus","NegotiateStatus","RdmaObjectCreationFailureType","NdkAcceptStatus","RefusalReason","DeadlineInMs","SocketID","PeerMinVersion","PeerMaxVersion","ListenSocketID","SocketState","PeerSendCreditsGranted","PeerSendCredits","SendCreditsReceived","SendCreditsAccepted","SendCredits","IntervalInMicroSeconds","ProcessorIndex","CreditsRequested","PreferredSendSize","MaxReceiveSize","MaxFragmentReassemblyBufferSize","RemainingDataLength","DataOffset","BuildMajor","BuildMinor","ProductMajor","ProductMinor","ParamName","ValueSize","ConfiguredValue","MinSupportedValue","MaxSupportedValue","SelectedValue","NodeNumber","FirstProcessorNumber","LastProcessorNumber","BaseAffinityNode","MaxAffinityNode","BaseAffinityProcessor","MaxAffinityProcessor","ProcessorAffinityMaskSize","ProcessorAffinityMask","ConnectionGUID","TransportLength","TranslatedStatus","SPNValidationPolicy","DomainNameLength","BindingSessionGUID","InvalidateSession","TreeConnectGUID","ShareGUID","ScopeNameLength","ShareProperties","OpenGUID","LeaseId","SharingMode","FileAttributes","IsReplay","AppInstanceGUID","PathNameLength","CSCState","ClusterShareType","CaTimeOut","ShareState","InterfaceNameLength","EndpointState","NdkOperationalState","SubjectLength","ThumbPrintLength","ThumbPrint","RemovedLength","Removed","ClientSocketAddressLength","ClientSocketAddress","SupportedHashAlgsStrLength","SupportedHashAlgsStr","CertChainPropertiesStrLength","CertChainPropertiesStr","DenySidsStrLength","DenySidsStr","AllowSidsStrLength","AllowSidsStr","ServerRequiresSigning","Serv
erRequiresEncryption","SmbClientDoesNotSupportEncryptionType","ServiceClassIsValid","PrincipalNameIsValid","ComputerNameLength","EndpointNameLength","RKFStatus","TranslatedRKFStatus","DurableHandle","ResilientHandle","PersistentHandle","TaskStatus","TranslatedTaskStatus","ConnectionGuid","DurationInMilliseconds","ThresholdInMilliseconds","CtlCode","TunneledControl","IsRead","CertSubjectNameLength","CertThumbprintLength","Expiring","CloseOperationDurationInMillieconds","EndpointShutdown","EndpointRemoved","Smb2PerfBlock","AcquireLockTime","IoTime","InterfaceID","NumberOfEndpointsFound","NumberOfEndpointsClosed","ServerCipherSuiteOrderLength","ServerCipherSuiteOrder","ClientCipherCount","LoggedClientCipherCount","ClientCipherOrder","CountOfCertsTotal","CountOfCertsRestored","DialectCount","Dialects","ClientGuid","MinSmb2Dialect","MaxSmb2Dialect","SrvNetComponentCapabilities","DescriptorName","CurrentDisableOverrideState","SrvNetEnableRdmaSupport","SrvNetEvaluateRdmaEnabledPolicy","SrvNetIsSMBDirectSupported","MappingNameLength","MappingName","ThumprintLength","ServerSocketAddressLength","ServerSocketAddress","MutualAuthentication","AccessControlCheck","ShareId","DomainAndUserNameLength","ClientOsLength","ClientOs","LastActiveTime","SrvInstances","VcNumber","SecurityFlags","RequestedOplockLevel","RootDirectoryFid","CreateContextsCount","LeaseLevel","CloseFlags","FileGUID","MinimumCount","RemainingBytes","ReadChannelInfoOffset","ReadChannelInfoLength","WriteFlags","CurrentLeaseState","NewLeaseState","BreakReason","AccessMaskHint","ShareMaskHint","LockCount","Locks","FileInformationClass","QueryDirectoryFlags","ChangeNotifyFlags","CompletionFilter","QueryInfoFlags","Srv2Instance","ProcessingHits","QueueHits","FileSystemFastHits","FileSystemFastTime","FileSystemSlowHits","FileSystemSlowTime","TransportFastHits","TransportFastTime","TransportSlowHits","TransportSlowTime","SecurityHits","SecurityTime","DialectRevision","MaxTransactSize","MaxReadSize","MaxWriteSize","Session
Flags","CreateAction","LastChangeTime","EndOfFile","ChangeTime","TransportDPHits","TransportDPTime","SharePathLength","MappedAccess","ShareSecurityDescriptorLength","ShareSecurityDescriptor","WitnessServerIP","Sleep","WitnessServer","FileServerIP","Clients","NumResources","DestinationNode","vmGuid","tempFileName","Controller","ScopeTag","IoTotalByteCount","TransferIndex","TransferDirection","TransferTotalByteCount","SpbIoTarget","Opcode","InputLine","wordlist","languageTag","WordlistType","Wordlist","OffsetAddress","_HR","_TableName","_ApplicationName","_InterfaceLuid","_Costed","_BytesReceived","_InterfaceGuid","_Application","_ProfileFlags","BatteryDrainRate","PowerBitpack","AppCpuCyclesBitpack","JoulesPerHourScreenOnDC","JoulesPerHourScreenOffDC","DCTimeBitpack","CPUCyclesOnDCBitpack","DiskMBRead","DiskMBWritten","PowerInMilliwatts","CpuStatsBitpack","DiskAndNetStatsBitPack","DurationBitPack","ModernAppPackageName","PreviousBrightnessLevel","PreviousBrightnessDurationInSeconds","NewBrightnessLevel","CurrentBrightnessLevel","PreviousStateDurationInSeconds","NewEnergySaverState","EnergyLoss","CpuEnergyConsumption","SocEnergyConsumption","DisplayEnergyConsumption","DiskEnergyConsumption","NetworkEnergyConsumption","MbbEnergyConsumption","OtherEnergyConsumption","TotalEnergyConsumption","MeasuredPower","OnBattery","Foreground","ScreenOn","BatterySaverActive","LowPowerEpochActive","RepairStatus","NumAttempts","NumRootCauses","WorkId","FoundSchemaVersion","CreatedSchemaVersion","LastKnownStatus","TransactionCallerId","Priorities","Found","Try","FirstReportedUptime","FirstReportedWhen","FixCount","Fields","ResolvedCount","TransientCount","PersistedCount","SuccessCount","FailureCount","CsvNameLength","CsvName","Report","FasterTierSize","TotalIOPercentFromPerfTier","SizeOfPerfTierPinnedFiles","PercentOfPerfTierPinnedFilesIO","SizeOfCapacityTierPinnedFiles","PercentOfCapacityTierPinnedFilesIO","VolumeIdHash","FileIDLower","FileIDUpper","MessageString","Callee","DiskPath","
Alignment","MbrPartitionType","MbrBootIndicator","GptPartitionType","GptPartitionId","GptAttributes","GptName","LoadPhase","SubsystemID","SubsystemURI","ExtendedStatusMsgId","SecondaryErrorCode","InitializationPhase","NodeState","ControlCodeName","Nodes","UnresponsiveNodes","PoolName","PoolVersion","PoolMetadataLength","PoolMinimumAllocationSize","SpaceName","SpaceProvisioningType","SpaceAllocationSize","SpaceResiliencyType","MinimumFreeSizeRequired","ReplicationGroupNameLength","ReplicationGroupName","ReplicationGroupId","ReplicaNameLength","ReplicaName","ReplicaSetId","LogGeneration","LogFileId","CLFSLsn","BytesRecovered","RecoveredBytes","PrimaryLsn","SecondaryLsn","StateMachineState","ReplicationState","SourceReplicationGroupNameLength","SourceReplicationGroupName","SourceReplicationGroupId","SourceReplicaNameLength","SourceReplicaName","SourcePartitionId","TargetReplicationGroupNameLength","TargetReplicationGroupName","TargetReplicationGroupId","TargetRpo","CurrentRpo","LogTimeInMs","StateMachineTimeInMs","StartTimeInMs","PartitionDBReplicationGroupId","DirectoryPathLength","LogPathLength","LogFileNameLength","ClfsLsn","LogFileNameNameLength","LogRecordSize","SrpStatus","BitmapFileNameLength","BitmapFileName","PhysicalDeviceNameLength","PhysicalDeviceName","TargetDeviceNameLength","DiskReplicationState","DiskAttributeOffline","DiskAttributeReadOnly","ExistingDeviceNameLength","ExistingDeviceName","ExistingDiskId","ExistingPartitionId","ExistingPartitionNumber","PartitionOffset","PartitionLength","PartitionTypeGuid","PartitionType","PartitionNameLength","PartitionState","OldReplicationState","NewReplicationState","DiskAttributesMask","DiskAttributes","DiskAttributeRelinquishOwnership","DiskOwnerGuid","PartitionEvent","StateMachinePhase","StateMachinePhaseStatus","ValidMask","IoCost","ReplicationMode","DestinationReplicationGroupId","SourceLogDiskSectorSize","DestinationLogDiskSectorSize","SourceLogSize","DestinationLogSize","SourceReplicaSetSize","DestinationRep
licaSetSize","SourceDataPartitionSize","DestinationDataPartitionSize","SourceDataDiskSectorSize","DestinationDataDiskSectorSize","IRPAddress","MessageXId","LogPartitionId","Create","StabilizeLedger","PhysicalFileId","PartnerReplicationGroupId","RawHandleFileOffset","RawHandleFileSize","SpecificReplicationGroup","LedgerEntryStartingOffset","LedgerEntryType","MaxLedgerSize","LedgerEntryStatus","RecordLength","PayloadLength","Lsn","ReconcileStartLsn","TruncateLsn","WriteIO","SyncReplicationGroupId","InSync","PossibleOwners","ReplicationStatus","PossibleOwnersUpdated","ReplicationStateUpdated","ReplicaState","ReadConfigurationTimeInMilliSeconds","DeterminePrimaryTimeInMilliSeconds","OfflineSecondaryTimeInMilliSeconds","UpdateDiskConfigTimeInMilliSeconds","OnlineSecondaryTimeInMilliSeconds","CreateDriverConfigTimeInMilliSeconds","ResourceOnlineTimeInMilliSeconds","ReplicaReadyTimeInMilliSeconds","PDRResourceName","DependentResourceName","PDRResourceGroup","SecondaryResource","SecondaryResourceGroup","PairedClusterName","SourceComputerName","DestinationReplicationGroupName","DestinationComputerName","PartnerReplicationGroupName","LogSizeInBytes","NewLogSizeInBytes","CategorySize","FreeSize","CategoryExId","InitCV","ReserveID","ActualInstantiationTime","ActualInitializationTime","ActualInitTime","RefreshOperationType","CV","CreateInstanceFailed","ScanNonZero","TotalAutoRun","ShowReserve","StorageReserve","UnclaimableSpace","ScanCV","TotalPurgeSize","PluginPurged","PurgeSucceeded","PurgeFailed","PurgeNonZero","ReserveAreaInfoAfter","PurgeCV","SpaceToFree","SpaceFreed","CleanupTime","ActualCleanupTime","PluginReserveAreaUsage","CompatibleVersion","DriveIds","Persist","RelinquishOwnership","Hidden","FirstDataIndex","Transaction","DispatchTransactionDurationIn100Ns","PrepareCommitDurationIn100Ns","CommitTransactionDurationIn100Ns","CommitDevicesDurationIn100Ns","NeedCapacity","BytesProcessed","BytesSkipped","ConfigId","DriveCount","ScmCount","SsdCount","HddCount","AddCount","R
emoveCount","SpaceOffset","ColumnToReallocate","CopyToReallocate","ColumnMissingFdInfo","CopyMissingFdInfo","Frame0","Frame1","Frame2","Frame3","LogType","Serial","DriveIoSummary","PoolSequenceNumber","AttachedDurationInUs","DetachDurationInUs","DetachReason","NumberOfEntries","FlushStatus","FirstWriteStatus","SecondWriteStatus","IoStateCountSize","IoStateCount","IoStateBytesSize","IoStateBytes","IoReasonCountSize","IoReasonCount","IoReasonBytesSize","IoReasonBytes","RepairReplacementCount","RebalanceReplacementCount","FailedReplacementCount","ScopeRegenerationCount","RepairReplacementBytes","RebalanceReplacementBytes","FailedReplacementBytes","ScopeRegenerationBytes","NeedRepairPhase2Count","NeedRepairPhase6Count","RepairPhasesSize","RepairPhases","RepairStatusSize","PauseCount","PausedCount","LastChkLsn","PrevChkLsn","SessionNum","MissingMask","UsedLineCount","ReservedLineCount","SynchronizingCount","ReplayCount","ActiveCheckpoint","StartSlot","EndSlot","Wrap","NumberOfBitmaps","SstLength","Sst","ReserveBytesWritten","SlabOffset","SourceCopy","BitMapSize","BitMap","MetadataDriveCount","OldTolerance","NewTolerance","StoreId","TotalPaths","PresentPaths","PrimaryPathId","ReadStatuses","Sequences","StoreStates","Id1","Id2","TransactionStatus","WitnessStatus","WitnessSequence","Tolerance","EnclosureModel","Asc","Ascq","StatusCodeType","ColumnData","EnclosureRevision","OldHealth","NewHealth","Retries","PageBytes","PageData","DescirptorBytes","DescirptorData","SlabIndex","ColumnOffset","CopiesMask","StaleMask","StaleBytes","UsedBytes","RelativeOffset","CacheOffset","Cdb","KernelModeStatus","UserModeStatus","DiskInstancePath","RequestProcessTime","CurrentIOCount","ActiveIOCount","ServiceAction","UpperLevelIrp","DsmFlags","DataSetRangesCount","DataSetRanges","SrbFlags","MaxAllowedLbaCount","MaxAllowedBlockDescriptorCount","LbaSizeinBytes","Srb_BlockDescriptorCount","Srb_BlockDescriptors","FirstStartingLBA","TransferredLength","NumberOfTimesRetried","IsPartial","StartingOff
set","ResetAll","SrbFunction","PnPType","PnPUsageInPath","CurrentPnpState","PreviousPnpState","PagingPathUsageCount","HibernationPathUsageCount","DumpPathUsageCount","PowerSystemContext","PowerStateType","PowerShutdownType","CurrentPowerState","ContextPowerChangeState","WmiDataBlockGUID","WmiProviderId","PortDriverCodeSet","FirmwareGetInfoSupport","QueryFlag","HWFirmwareSupportUpgrade","ImagePayloadAlignment","SlotCount","FWImageVersion","FWSize","FWSlot","FWImageBufferSize","FWImageOffset","T10VendorIdLength","T10VendorId","DataSet1Length","DataSet2Length","DataSet3Length","DataSet4Length","ReasonIdentifierLength","ReasonIdentifier","DsmAction","DefaultValueUsed","SectorShift","ActualZoneCount","DeviceZoneCount","ZoneGroupCount","CommandOpCode","T2CDLPage","CDLPage","CDLSupported","PageSavable","StateMachineName","ParentPath","MiniportExtension","PauseTime","LinkDownTime","PivotField","PivotValue","OriginalValue","CurrentDepth","NewDepth","MaxDepth","StorportApi","InitialCount","ResourceSize","CurrentOutstanding","OldHighWaterMark","NewHighWaterMark","HighWaterMark","MemAllocFailures","ConsecutiveFailures","SuspendCount","ConcurrentChannels","FirstRedirectionMessageNumber","LastRedirectionMessageNumber","HwInitializationDataSize","DeviceExtensionSize","SpecificLuExtensionSize","SrbExtensionSize","FeatureSupport","SrbTypeFlags","AddressTypeFlags","HwFreeAdapterResources","HwProcessServiceRequest","HwCompleteServiceIrp","HwInitializeTracing","HwCleanupTracing","NumberOfBuses","MaxNumberOfTargets","MaxNumberOfLogicalUnits","MaxNumberOfIO","MaxIOsPerLun","InitialLunQueueDepth","RequestedDumpBufferSize","SrbType","AddressType","Dma64BitAddress","BusResetHoldTime","InterruptSynchronizationMode","CachesData","VirtualDevice","Duration_100ns","ChangedEntity","HwStateChange","HwStateChangeContext","ZoneSize","ZoneLengthInLogicalSectors","PCIVendorID","PCISubsystemVendorID","TunneledDevice","DLRMDsmSupport","DLRMSystemThreadCreated","PciLinkConfigInterfaceAllocated","Effectiv
ePowerModeCallbackRegistered","EffectivePowerMode","InDrips","CurrentDLRMPowerMode","TargetDLRMPowerMode","DLRMWorkerAction","AvailableLinkSpeeds","CurrentLinkSpeed","LinkWidth","DesiredSpeed","WaitForRetrain","NewLinkSpeed","ThermalThrottle","LinkSpeedChangeTime","DlrmAction","PciGen1TotalTime","PciGen2TotalTime","PciGen3TotalTime","PciGen4TotalTime","PciGen5TotalTime","PciGen6TotalTime","ScaleUpRequestCount","ScaleDownRequestCount","TotalLinkRateChangeCount","AverageLinkRateChangeTime","MaxLinkRateChangeTime","MinLinkRateChangeTime","EffectivePowerModeChangeCount","DripsChangeCount","LinkConfigInterfaceErrorCount","ThermalThrottleCount","UnexpectedLinkSpeedCount","LogicalBlockAddress","BytesPerBlock","SrbInXrb","GenericEventFlags","ProtocolSpecificEventFlags","EventDataLength","DeviceAlignmentMask","DataBufferOffset","SubsystemId","ControllerId","TransportAddress","NamespaceId","Completion_SQID","Command_OPC","Command_CID","NVMeStatus_SC","NVMeStatus_SCT","Completion_DW0","Completion_DW1","Completion_DW2","Completion_DW3","DiscoveryControllerHandle","SubsystemPortTransportType","SubsystemPortAddressFamily","SubsystemType","SubsystemPortId","SubsystemNqn","SubsystemPortTransportAddress","SubsystemPortTransportServiceId","MatchCount","PerfOptFlags","PriorState","SurpriseRemovalControlSupported","SurpriseRemovalControlStatus","OpCode","CommandCDW10","CommandCDW11","CommandCDW12","CommandCDW13","CommandCDW14","CommandCDW15","Duration_us","IoSizeBuckets","TotalSuccessIoCount","ReadIoSizeBucket1IoSuccess","ReadIoSizeBucket1IoLatency","ReadIoSizeBucket2IoSuccess","ReadIoSizeBucket2IoLatency","ReadIoSizeBucket3IoSuccess","ReadIoSizeBucket3IoLatency","ReadIoSizeBucket4IoSuccess","ReadIoSizeBucket4IoLatency","ReadIoSizeBucket5IoSuccess","ReadIoSizeBucket5IoLatency","ReadIoSizeBucket6IoSuccess","ReadIoSizeBucket6IoLatency","ReadIoSizeBucket7IoSuccess","ReadIoSizeBucket7IoLatency","ReadIoSizeBucket8IoSuccess","ReadIoSizeBucket8IoLatency","ReadIoSizeBucket9IoSuccess","ReadIoSi
zeBucket9IoLatency","WriteIoSizeBucket1IoSuccess","WriteIoSizeBucket1IoLatency","WriteIoSizeBucket2IoSuccess","WriteIoSizeBucket2IoLatency","WriteIoSizeBucket3IoSuccess","WriteIoSizeBucket3IoLatency","WriteIoSizeBucket4IoSuccess","WriteIoSizeBucket4IoLatency","WriteIoSizeBucket5IoSuccess","WriteIoSizeBucket5IoLatency","WriteIoSizeBucket6IoSuccess","WriteIoSizeBucket6IoLatency","WriteIoSizeBucket7IoSuccess","WriteIoSizeBucket7IoLatency","WriteIoSizeBucket8IoSuccess","WriteIoSizeBucket8IoLatency","WriteIoSizeBucket9IoSuccess","WriteIoSizeBucket9IoLatency","ByteLengthOfTransfer","BuildIoDuration_100ns","StartIoDuration_100ns","BuildIoDuration","StartIoDuration","MiniportDuration","DpcRoutine","DpcRoutineName","CompletionCount","QpcTicks","SwitchDpcProc","RevertDpcProc","IsrRoutine","PoHandle","DIrpRequested","DPNRDurationMsec","IdleTimeoutMsec","RegistrationStatus","Requested_D3ColdSupported","Requested_WakeCapable","Requested_IdleTimeoutInMS","NumberOfFStates","Actual_D3ColdSupported","Actual_WakeCapable","Actual_IdleTimeoutInMS","D3ColdEnabled","IdleTimeoutInMS","PlaceHolderModeEnable","EnqueueReason","QueuedIoCount","OutstandingIoCount","Requested_AdapterIdleTimeout_ms","Actual_AdapterIdleTimeout_ms","CurrentPowerCycleCount","PotentialPowerCycleCount","MinPowerCyclePeriodInMS","CurrentD3IdleTimeout","NewD3IdleTimeout","IoCoalescingOn","OnBatteryPower","PreviousPowerHint","PreviousResumeLatency_ms","NewPowerHint","NewResumeLatency_ms","ActiveRefsDuringMaintenanceTime","IOCTLCode","AdapterRequest","ReturnStatus","UntaggedRequest","TcgStatus","SubsystemVendorID","VirtualAddress","PendingIoCount","ResetWritePointerAll","MFNDInterfaceName","OperationPrivilege","StartingLBA","LBACount","DataSizeToWrite","ControlAction","NVMeNamespaceCount","SmartReturnStatus","SmartAttributesLength","SmartAttributes","GeneralLength","General","FreeFallLength","Freefall","RotatingMediaLength","RotatingMedia","GeneralErrorsLength","GeneralErrors","TemperatureLength","Temperature","SolidStat
eDeviceLength","SolidStateDevice","TemperatureMax","ManufactureDate","StartStopCycleCount","StartStopCycleCountMax","LoadUnloadCycleCount","LoadUnloadCycleCountMax","WriteErrorsTotal","WriteErrorsCorrected","WriteErrorsUncorrected","ReadErrorsTotal","ReadErrorsCorrected","ReadErrorsUncorrected","WorkloadUtilization","BackgroundScanStatus","PowerOnMinutes","WriteErrorCountersLogLength","WriteErrorCountersLog","ReadErrorCountersLogLength","ReadErrorCountersLog","TemperatureLogLength","TemperatureLog","EnvironmentalReportingLogLength","EnvironmentalReportingLog","StartStopCycleCountersLogLength","StartStopCycleCountersLog","UtilizationLogLength","UtilizationLog","SolidStateMediaLogLength","SolidStateMediaLog","BackgroundScanResultsLogLength","BackgroundScanResultsLog","PanicId","LogLength","ErrorRecoveryLog","CdbLength","SrbTimeout","AbortSupported","IoctlSignature","QosEnabled","SrbDataBufferLength","SrbDataBuffer","BusResetReason","UnresponsiveRequests","QosGuaranteeFailures","QosGuaranteeThreshold_s","UnitQueueTimeoutCount","AdapterQueueTimeoutCount","HwQueueTimeoutCount","MaxUnitQueueDepth","MaxAdapterQueueDepth","IoDispatchToResetTime_100ns","AbortedReq_SrbFunction","AbortedReq_CdbLength","AbortedReq_Cdb","AbortSrbTimeout","AllocationPolicy","DeviceMinSizeInBytes","DevicePreferredSizeInBytes","PolicyMaxInBytes","TargetAllocationSizeInBytes","ActualAllocationSizeInBytes","RangesAllocated","RequestLBA","CurrentLBA","FaultDescription","AdditionalDataSize","CriticalDataSize","CriticalData","SuccessIoCount","FailedIoCount","Threshold_100ns","ConcurrentChannel","AdapterVendorId","IssueType","BootAdapter","PciDeviceType","ResetDuration_100ns","LogPageCode","LogPageLength","LogPageData","PerformanceOptimizationFlags","MaximumProcessorCount","ActiveProcessorCount","ProcessorCountPerGateway","AllocatedGatewayCount","ActiveGatewayCountRequired","InUseGatewayCount","SystemThreadMaximumCount","SystemThreadCurrentCount","TcgSSC","LockingSupported","LockingSpPresent","SingleUser
ModeSupported","NumberOfLockingObjectsSupported","MaxRangesSupported","BlockSIDSupported","InitialSIDPin","SIDPinBehaviorOnRevert","MaxDatastoreTablesSize","DatastoreTableSizeAlignment","MaxNumberOfDatastoreTables","SubOperation","SubmissionQueueId","CommandStatus","VendorInfoAvailable","CommandSpecificInfo","ErrorInfoLog","PowerDown","ResetFlags","TotalUnitCount","UnitCountRequestedD3ForPLDR","UnitCountRequestedD0ForPLDR","PoweredDownUnitCountForPLDR","PoweredUpUnitCountForPLDR","PLDRCountInitiatedFromIoctl","PLDRCountInitiatedFromMiniport","PnPAction","PnpSubFunction","PnPRequestTimeoutCount","Flags2","StartFailureCode","InterfaceDriverName","StorStatus","LastLogicalBlockAddress","LogicalSectorSize","ErrorZoneCount","ZoneCount","CurrentLogicalBlockAddress","ZoneIndex","ReconfigureType","ChildPFCountToCreate","MaxPFCount","ChildControllerID","ChildPFCount","OperationSelect","NamespaceMetadataSize","NamespaceLBADataSize","NamespaceDPS","NamespaceNMIC","IoQueuePairCount","InterruptCount","NamespaceCount","NS1StorageProvisionUnitCount","NS2StorageProvisionUnitCount","NS3StorageProvisionUnitCount","NS4StorageProvisionUnitCount","QoSPolicy","ReserveReadBandwidthInMBps","ReserveWriteBandwidthInMBps","LimitBandwidthInMBps","LimitWriteBandwidthInMBps","ReserveReadIops","ReserveWriteIops","LimitIops","LimitWriteIops","CommandCount","CommandPermissionEntriesLength","CommandPermissionEntries","LimitRandomIops","LimitRandomWriteIops","ChildControllerId","SubmissionQueueCount","CompletionQueueCount","AdminSubmissionQueueID","AdminSubmissionQueueHeadPointer","AdminSubmissionQueueTailPointer","AdminCompletionQueueID","AdminCompletionQueueHeadPointer","AdminCompletionQueueTailPointer","AdminCompletionQueueFlags","AQAER1CommandID","AQAER2CommandID","AQAER3CommandID","AQAER4CommandID","ValidAERFlags","QueuesStateSize","QueuesState","FeatureEnable","QoSStatisticsMonitorPeriod","SwapBucketPeriod","NS1NUSE","NS2NUSE","NS3NUSE","NS4NUSE","LogEntryFormatVersion","LogSequenceNumber","LogE
ntry0Timestamp","LogEntriesCount","LogEntriesSize","LogEntries","CFS","ErrorStatusAsyncEvent","SmartHealthAsyncEvent","DevicePanicAsyncEvent","QoSStatisticsLogUpdated","ErrorStatusAERDw0","SmartHealthInforAERDw0","DevicePanicAERDw0","MFNDSupported","BadIdentifyMFNDData","SubVersion","AvailablePFCount","MaxQPairCount","AvailableQPairCount","MaxMSIXMessageCount","AvailableMSIXMessageCount","MaxNamespaceCount","AvailableNamespaceCount","TotalNVMStorageSize","AvailableNVMStorageSize","StorageProvisionGranularity","TotalReadBandwidth","AvailableReadBandwidth","TotalWriteBandwidth","AvailableWriteBandwidth","TotalReadIOPS","AvailableReadIOPS","TotalWriteIOPS","AvailableWriteIOPS","MaxSupportedCCNamespaceCount","MappedPageTrackingGranularitySize","DirtyPageTrackingGranularitySize","ResetOperationStatus","ChildPFDataLength","ChildPFData","DataProtectionType","SettingsFlags","QoSVersion","QoSSize","PageMapDataQualifier","PageMapDataSizeInBytes","NVMeoFTransportType","NVMeAddressFamily","TransportServiceId","HostTransportAddress","SubsystemTransportAddress","SubsystemTransportServiceId","Functionality","ManuallyAdded","TransportErrorCode","TransportErrorDescription","Fuse","PoliciesEnabled","VolumeStatus","TargetSizeMB","CleanedBytes","CleanupSucceeded","CleanupFailed","HrReserveInit","IsLowStorage","CurrentRunLevel","TargetRunLevel","AgentName","ChannelNumber","NodeTopologyString","BasePath","ActionFilePath","FilePattern","BrokeredEventId","ProductCategory","SuccessString","isEnabled","CorpDeviceOperationPhase","Pfns","fShowIHM","fPenOrTouch","fLastTouchInThisControl","fInPasswordField","hwndElementFocusEvent","hwndRootFocusEvent","dwProcess","rcBoundLeft","rcBoundTop","rcBoundRight","rcBoundBottom","fRequireTouchInControl","fCanProcessEvent","fOnPersistenceList","KeyboardType","KeyboardCalloutResult","UIActionType","IdleTaskId","DetectionResult","InfoCode","LauncherId","CurrentQuota","TaskEngineName","LogPoint","TaskPath","StoppedTaskInstanceId","NewTaskInstanceId","Require
dVersion","SynAttacksDetected","ReassemblyLimitViolations","ConnectionRateLimitBacklog","ConnectionRateLimitViolations","LandAttackSegmentsDropped","ConnectionRateLimitDepth","NumberOfPorts","HighPagedPoolEvent","LowPagedPoolEvent","IsbSize","SourceActivity","DestinationProcessor","DestinationActivity","PartitionMovesRemaining","TableEntry","Round","DWnd","BaseRtt","Mss","ThAck","BHMSS","OriginalMSS","TcbState","OcbState","ModuleNameString","AllocationObjectString","PMax","DadState","PrefixOrigin","SuffixOrigin","Advertise","Forward","ForwardMulticast","UseNud","AdvertisingEnabled","WeakHostSend","WeakHostReceive","StrictSourceForwarding","Route","Loopback","AutoconfigureAddress","Immortal","IPUnicastroutedeletionreason","DlAddress","AssignedBlocks","AllocatedBlocks","PrevDWnd","AvgRtt","DiffWnd","DwndIncrement","Gamma","AverageBacklog","AverageBacklogAcrossLFP","OldDeliveryState","NewDeliveryState","ReceiveLinkSpeed","MediaConnectState","TcpWsdEtwPoint","ProbeCountWs","Qualified","EreQualified","OldEnabledState","NewEnabledState","OldThreshold","NewThreshold","PhysicalPages","NonPagedPoolPages","CurrentWatermark","PeakWatermark","HighWatermark","LowWatermark","LowNppEventState","HighNppEventState","EpisodeStartTick","EpisodeStopTick","ReentryWatermark","EpochStartTick","EpochStopTick","OldSynDropRate","NewSynDropRate","OldTcbKillRate","NewTcbKillRate","SynDropRate","TcbKillRate","SndRound","EcnTotalByteCount","EcnTotalMarkedCount","EcnAlpha","StateV4","FailureReasonV4","StateV6","FailureReasonV6","Bind","ExistingInterfaceIndex","ExistingPortNumber","ReferenceAdded","CapabilitiesFlags","NumberOfInterruptMessages","NumberOfReceiveQueues","AvailableProcessorsSize","NewAdapterIndex","PreviousAdapterIndex","TriggeringProcessorIndex","IndirectionIndex","OldProcessorIndex","NewProcessorIndex","NdkAdapter","CqDepth","CqNotificationContext","AffinityMask","AffinityGroup","RequestContext","NdkObject","NdkObjectType","NdkCq","ArmType","QpContext","ResultIndex","NdkPd","FastRe
gister","NdkQp","SgeAddress","SgeLength","SgeMemoryRegionToken","NumSge","SgeIndex","NdkMr","Mdl","AdapterPageCount","RemoteAccess","NdkSrq","SrqDepth","NotifyThreshold","NdkConnector","SrcSockAddrLength","SrcSockAddr","DestSockAddrLength","DestSockAddr","IRD","ORD","NdkSharedEndpoint","PrivateDataLength","DisconnectEventContext","NdkListener","SockAddr","SrqNotificationContext","ReceiveCq","InitiatorCq","QPContext","ReceiveQueueDepth","InitiatorQueueDepth","ConnectEventContext","LAMBuffer","LAMBufferSize","CqStatus","SrqStatus","SockAddrType","NdkMw","AdapterPageArray","FBO","BaseVirtualAddress","RemoteToken","NDKOperational","PatternFriendlyName","SrcDLAddress","DestDLAddress","SilentModeEvent","NcmContext","PushNotificationGuid","Delivered","Indicated","FinalEvent","SystemReserved","WolHandle","ModerationInterval","ModerationCount","IsRedirected","WfpFailure","WaitStatus","LocalIPv4Address","LocalIPv6Address","RemoteIPv4Address","RemoteIPv6Address","OldBaseTime","OldValidTime","OldPreferredTime","NewBaseTime","NewValidTime","NewPreferredTime","IpAddressLifetimeChangeReason","PowerSource","OldPartitionCount","NewPartitionCount","PowerStateTransition","RuleExtension","TypeSpecificCompletionOutput","ProviderErrorCode","UdpEndpoint","Activated","SackCount","SackBytes","SackInFlight","SackIsLost","RequireAddressCoalescing","RtcStartPort","RtcEndPort","AssignedFromRtcRange","TcbOrEndpoint","InterfaceUpdateEvent","IsShutdown","ClonedNbl","WoLEvent","TargetIPAddress1","TargetIPAddress2","ScopeLevel","EndpointRecord","PartitionMask","OldPartitionMask","NewPartitionMask","LedbatEvent","BaseDelayMs","CurrentDelayMs","RemainingTimeMs","DelayBasedCwndFactorPercent","EndpointObj","IsConnectionObj","NameResContext","DestinationAddressLength","RouteMetric","ConstrainScope","BlockReason","EndpointAddressLength","SendAddressLength","SendAddress","FailedQueueString","SynRcvdLimit","ProcessorUsage","Private","DomainNetworkLocation","DomainType","NetworkSignature","SubIfIndex","OldCo
nnectivityStatus","NewConnectivityStatus","NotifyFlags","NotificationState","OldDadState","NewDadState","SkipLocal","SkipOnLink","BytesOutstanding","QuantizedAllowance","Allowance","OriginalBytesToSend","Fallback","Successes","Failures","RouterAddrLength","RouterAddress","DnsAddrLength","DNSSuffix","InProbe","PathsProbed","FastopenState","ShutdownStatus","ProbeStatus","ConnectivityStatus","BaseEndpoint","AcquireType","SocketIoctl","IPv4SourceAddress","IpSourceAddrLength","Ce","Ect0","Ect1","NotEct","FragmentContextDirection","GroupChangeType","Release","Subtask","IPv4DestinationAddress","IPv4NextHop","IPv6DestinationAddress","IPv6NextHop","ReassemblyId","SocketLevel","SocketOption","TcpRscEnabledIpv4","OffloadRscEnabledIpv4","TcpRscEnabledIpv6","OffloadRscEnabledIpv6","SegCount","SegSize","DisableUro","DisableUso","ReservationType","TunnelType","CurrentProgress","IdentifierLength","DlSourceAddress","IpSourceAddress","IpTargetAddress","Directed","NumSackTransmits","Shutdown","PacingAllowance","Wnd","WndWs","DrainedBytes","ReceiveHigh","TsHigh","LastRollOverTimeMs","EndReductionTimeMs","MinDelaySampleMs","MinBaseDelayMs","CurrentLocalAddressLength","CurrentLocalAddress","ModifiedLocalAddressLength","ModifiedLocalAddress","EndpointRestored","MaxReorderingBytes","Fack","EndSeq","Multiplier","Reownd","ReorderingSeen","DSackSeenOnLatestAck","InLossRecovery","DupAckCountReached","DSackRound","DSackRoundValid","bbr_bw","min_rtt_us","mode","cycle_idx","RackXmitTimeStampValid","RackXmitTimeStampInUs","RackEndSeq","RackRttInUs","NowInUs","TimeStampInUs","PrefixSharing","SndWndChanged","SackUpdated","OldForwardingTag","NewForwardingTag","RssEnabled","NextToExpire","TotalBytesBuffered","UpperLimit","IPv4DestinationPrefix","IPv4NextHopAddress","SourceAddrLength","PolicySourceAddrLength","PolicySourceAddress","PolicyNextHopAddrLength","PolicyNextHopAddress","PolicyInterfaceLuid","FastPath","ThSeq","RSC","SegmentCount","NblHead","NblTail","ProviderDisconnectReason","ProviderSupport
edNDKVersionMajor","ProviderSupportedNDKVersionMinor","FlConfiguredNdkpiVersionMajor","FlConfiguredNdkpiVersionMinor","ActualSupportedNDKVersionMajor","ActualSupportedNDKVersionMinor","IF_INDEX","OldFlVersionMajor","OldFlVersionMinor","NewFlVersionMajor","NewFlVersionMinor","OverrideStatus","ConsumerSpecifiedNdkpiVersionMajor","ConsumerSpecifiedNdkpiVersionMinor","StandbyEvent","DSState","HwUroEnabled","PowerPolicy","RouterSolicitationReason","LastTick","LifeTime","LifetimeFactor","CompartmentGuid","VirtualIfIndex","OldFlowLabel","NewFlowLabel","SenderLimitedBytes","ReceiverLimitedBytes","CongestionLimitedBytes","ChangeReason","NewUroState","CurrentUroState","LastScheduledState","FailureReasonFlags","ClientNpiVersion","NblContextSize","VirtualIfId","InjectionIfIndex","PrefixAddrLength","RoutingEpoch","NsiAction","HeadSeq","AckedData","PrrDelivered","PrrOut","UdpUsoDisabledMask","P1_Ptr","Call","Call2","Prop_VerbName","Prop_CallId","Prop_CompletionContext","Prop_CallId1","Prop_CallId2","Prop_CallType","Prop_CallerIdOption","Prop_HexInt32_1","Prop_HexInt32_2","CellVoiceCallId","CallId1","CallId2","Prop_MCC","Prop_MNC","Prop_NameDiff","SystemType","IntParam","VoiceDomain","RegStat","Prop_UInt_1","Prop_UInt_2","ParamsMask","LongName","ShortName","NumericName","CountryCode","NumberPres","NamePres","VerbName","P1_Int","Prop_State","Prop_UInt_3","Prop_UInt_4","MCC","MNC","ModemIndex","SlotPointer","Prop_Address","P1_SupSvcCode","P2_Int","P3_HexInt","P2_SvcCode","P3_Action","Prop_BOOL","isChangePending","homeMcc","homeMnc","dataAffinityExists","Prop_UINT","InfoTag","Prop_BOOL1","Prop_BOOL2","Prop_Ptr1","Prop_Ptr2","Prop_Ptr","VoipAudioRoute","VoipCallAttributes","RpcCallType","Prop_LinePtr","Prop_ControllerCallId","Prop_VoipAppCallId","Prop_AudioRoute","Prop_AvailableAudioRoutes","Prop_CPI","Prop_HR","Prop_Direction","asyncRequestId","VoicemailSource","ToneParamMask","Ril3gppTone","Ril3gpp2Tone","Ril3gpp2Alerting","Prop_UInt","Services","dwParams","dwPersoFeature","dwPersoC
heckState","LockAttempts","PUKAttempts","Prop_Int1","Prop_Code","Prop_HexInt32_3","Prop_HexInt32_4","Prop_Action","RadioConfigType","Prop_VideoContext","ValidParams","ValidStateParams","PeerCaps","ContextID","SubscriberNumber","videocapable","RegState","ImsSystemType1","ImsSystemType2","hrHandOverResult","dwOldSystemType","dwNewSystemType","PerSimConfigAvailable","IsCapabilitySharingEnabled","HomeMcc","imsVoiceAvailable","imsVideoAvailable","videoCallingEnabled","imsVoiceSupported","registration0SystemType","registration0VoiceDomain","callPresence","currentLineSystemType","newLineSystemType","radioAccessTechnology","toIms","toGsm","toCdma","fromIms","fromGsm","fromCdma","To3GPP","currentPresence","aggregatePresence","allSameType","audioType","shouldEnableAudio","audioAllowed","inProgress","isHandoverNotification","oldType","newType","callInfoParams","handoverStateParams","dwLockState","RilAudioCodec","PhoneMediaQuality","ImsFailureMessageType","SetIndex","dwMediaPreference","ExecutorIndex","dwExecutor","dwReferenceNumber","dwNumberOfDetailItems","totalNewMessages","SipCallId","Ims_CallIsConference","callToDial","DialString","callToAccept","completionContext","callToEnd","Prop_UnicodeString_1","Prop_UnicodeString_2","PhMsg","SupSvc","HCall","CallVerb","AudioEndpoint","BluetoothState","IsIncoming","ToneType","ToneDigits","OnTime","OffTime","AudioType","Prop_Guid2","int","Muted","executorIndex","cellularAudioType","audioActive","CallToHold","CallToUnhold","lineId","inCallToneType","inCallToneName","DisableExecutorIndex","EnableExecutorIndex","overrideMcc","mcc","OperationContext","OperationTimeout","OperationActualTime","ChangeEvent","OldUpgradeState","NewUpgradeState","Prop_Guid1","PhoneLineChangeKind","PhoneLineProperties","VoicemailCount","VoicemailMessageString","PhoneNumber","UdmCallItemEventType","existingInitialBootSequenceComplete","cachedLineCount","existingSuppressLineChangedTrigger","screenIsOn","LookupState","DesiredState","ConferenceCallId","callRecordingO
ff","TelString","TupleIndex","ServiceIdentifier","telUriString","AudioTypeCancelled","AudioTypeBeingEnabled","isCapabilitySharingEnabled","previousValue","rcsServiceStatus","updatedValue","networkType","Prop_AudioRoutingState","callId","supSvcCode","Prop_Int32_1","Prop_Int32_2","brandingArea","simState","registrationState","brandingFlags","ids","brandingText","ClientCallbacks","CanPointer","CanGuid","ModemPointer","ModemGuid","SlotState","UICCPointer","HexInt","Pointer2","LineIndex","LinePointer","RoamingMode","AppPointer","Prop_HexInt64","Lhs","Rhs","Rhs2","Prop_Int64_1","this","keyName","actionName","String4","ExistingHeader","ConfiguredHeader","NetworkingStack","InvalidGuid","BuildDate","BuildTime","ArchAndFlavour","ChannelID","TotalTimeWithoutAdal","AdalTime","NumberOfFeeds","ResourceIndex","UserNameHash","TimeZoneName","refreshTime","numberOfFeeds","RadcClientType","RadcClientStage","RadcHttpEvent","deviceName","InitCmdPid","Win32kPid","InitCmdName","messageName","CallerImageName","UInt32_1","UInt32_2","UInt32_3","UInt32_4","StringParameter","UInt32Parameter","UINT16_FORMAT_TAG","UINT16_NUM_CHANNELS","UINT32_SAMPLES_PER_SECOND","UINT32_AVERAGE_BYTES_PER_SECOND","UINT16_BLOCK_ALIGN","UINT16_BITS_PER_SAMPLE","UINT16_STRUCTURE_SIZE","listenerName","isSuccess","objectPointer","nameString","LocalTime","TimeProvider","UtcLeapSecondString","ExpectedSystemTimeUTC","ActualSystemTimeUTC","SecureTimeMsg","Peer","TimeDifferenceSeconds","TransmissionDelayMilliseconds","ChainingCountRequests","ChainLoggingRate","ChainingCountSuccess","ChainingCountFailure","ClientRID","RpcEndPointError","MasterClockId","MasterPortNum","DomainNumber","UTCValid","CurrentUTCOffset","GrandMasterClockId","StepsRemovedFromGrandMaster","TimeSourceCode","LogAnnounceInterval","ActiveMasterCount","LocalIfIndex","BestMasterName","MasterAddress","AnnounceTimeoutMsec","AllowedMastersList","AnnounceIntervalMsec","DelayPollIntervalMsec","IfTstmp","BMAddress","BMClockId","BMPortNum","BMLastTimeSampleTickCou
nt","MulticastRxEnabled","E2ECorrectionEnabled","HWTstmpingIfIndex","MulticastOnlyTxEnabled","MulticastIfIndex","AllowAnyMaster","LocalDomainNumber","MasterDomainNumber","IfIndexList","SWTSIfIndexList","AmbiguousTSIfIndexList","NoTSIfIndexList","ClearReason","OldOSManagedAuthLevel","NewOSManagedAuthLevel","Json","FilesCount","Millisecondstaken","HealthAttestationServer","DeviceAttributes","BucketId","BucketConfidenceLevel","LearnMoreURL","TunnelReasonCode","Forwarding","MediaStatus","ReadError","InterfaceOperation","TeredoFlowTuple","LocalIpv6Address","LocalIPv6","RemoteIPv6","TunnelInterfaceIndex","YesorNo","OffloadedNblCount","ReturnedNblCount","DroppedNblCount","FilterID","TimeZoneId","SidLength","ProcessImageNameBuffer","TargetFileNameLength","TargetFileNameBuffer","Exclusions","XAMLView","ServiceIndex","TemplateID","AccentIndex","ColorString","Visibility","ColumnsWrappedAt","LaunchMode","PercentageFullInEachRingBuffer","UploadQuota","PercentageQuotaUsed","AgentId","IdleDurationMillis","fid_Controller","fid_WdfDevicePowerState","fid_UsbTtHubDevice","fid_UsbDevice","DeviceSpeed","PortPathDepth","PortPath","fid_MaUsbDeviceHandle","fid_DeviceIsHub","fid_NumberOfPorts","fid_NumberOfTTs","fid_USB_Device_Descriptor","fid_Endpoint","fid_USB_Endpoint_Descriptor","fid_IsLinkManaged","fid_CreditConsumptionUnit","fid_BufferSize","fid_IsochProgrammingDelay","fid_IsochResponseDelay","fid_IsochSegmentsPerFrame","fid_MaxIsochSegmentSize","fid_DeviceState","fid_PowerAction","fid_NtStatus","fid_Capability","fid_NumStaticStreams","fid_WdfRequest","fid_SubType","fid_DeviceHandle","fid_DeviceAddress","fid_Ssid","fid_StatusCode","fid_DialogToken","fid_Error","fid_ExpectedSubtype","fid_ActualSubtype","fid_Subtype","fid_Size","fid_ObjectHandle","fid_TransitionType","fid_SourceState","fid_Event","fid_TargetState","fid_Exception","fid_State","fid_MaUsbEndpointHandle","fid_UsbTransferRequest","fid_TransferType","fid_TransferDirection","fid_TransferBufferLength","fid_BytesTransferred","fi
d_EndpointHandle","fid_RemainingSizeOrCredit","fid_BytesTotal","fid_RequestId","fid_SequenceNumber","fid_FlagBitRetry","fid_MaUsbStatus","fid_Length","fid_AckRequest","fid_EndOfTransfer","fid_MAUSB_Device_Speed_Capability_Descriptor","fid_MAUSB_Device_P_Out_Capability_Descriptor","fid_MAUSB_Device_Synch_Capability_Descriptor","fid_MAUSB_Device_Container_Id_Capability_Descriptor","fid_MAUSB_Device_Link_Sleep_Capability_Descriptor","fid_Irp","fid_IoChannelHandle","fid_NumberOfBytes","fid_FdoContext","fid_LocalAddressLength","fid_LocalAddress","fid_RemoteAddressLength","fid_RemoteAddress","fid_ControllerResetReason","fid_NegativeCredit","fid_NumberOfIsochHeaders","fid_MTDValid","fid_ASAPDelivery","fid_PresentationTime","fid_NumberOfIsochSegments","fid_NominalBusInterval","fid_PortNumber","fid_RemotePortNumber","fid_IsUdp","fid_NumberOfEndpoints","fid_NumberOfDevices","fid_NumberOfStreams","fid_DeviceType","fid_MaxOutstandingTransferRequests","fid_MaxOutstandingManagementRequests","fid_HeaderVersion","fid_HeaderFlagBitHost","fid_HeaderFlagBitRetry","fid_HeaderFlagBitTimeStamp","fid_HeaderSubType","fid_HeaderType","fid_HeaderLength","fid_HeaderDeviceHandle","fid_HeaderDeviceAddress","fid_HeaderSSID","fid_HeaderStatusCode","fid_HeaderDialogToken","fid_ResponseTimeout","fid_RouteStringPort1","fid_RouteStringPort2","fid_RouteStringPort3","fid_RouteStringPort4","fid_RouteStringPort5","fid_USBSpeed","fid_HubDeviceHandle","fid_ParentHSHubDeviceHandle","fid_ParentHSHubPort","fid_MTT","fid_LaneSpeedExponent","fid_SublinkType","fid_LaneCount","fid_LinkProtocol","fid_LaneSpeedMantissa","fid_USBDeviceHandle","fid_EP0Handle","fid_MaxPacketSize","fid_NumberOfEpHandlesToInactivate","fid_SuspendFlag","fid_UpdateDevReqFields","fid_NumberOfEpHandlesWithError","fid_NumberOfEpHandlesToDelete","fid_NumberOfEPHandlesWithError","fid_EPHandle","fid_NumberOfEPResetInformationBlocks","fid_TransferStatePreserve","fid_UsbDeviceAddress","fid_NumberOfEpDescriptors","fid_DescriptorCount","fid_Descrip
torLength","fid_SizeOfEPDescriptor","fid_NumberOfEpHandlesToActivate","fid_DeviceInstanceId","fid_Service","fid_FailureType","fid_FailureSubType","fid_AssociatedUcsiCommand","fid_UcsiCommand","fid_Status","fid_UcxController","fid_ParentBusType","fid_PciBus","fid_PciDevice","fid_PciFunction","fid_PciVendorId","fid_PciDeviceId","fid_PciRevisionId","fid_AcpiVendorId","fid_AcpiDeviceId","fid_AcpiRevisionId","fid_DeviceInterfacePath","fid_HubDevice","fid_PipeHandle","fid_UCX_Endpoint_Descriptor","fid_EndpointPipeHandle","fid_StreamID","fid_StreamPipeHandle","fid_IRP_Ptr","fid_URB_Ptr","fid_UCX_URB_CONTROL_TRANSFER","fid_IRP_NtStatus","fid_URB_TransferDataLength","fid_URB_TransferData","fid_UCX_URB_CONTROL_TRANSFER_EX","fid_UCX_URB_BULK_OR_INTERRUPT_TRANSFER","fid_UCX_URB_NumberOfPackets","fid_UCX_URB_ISOCH_TRANSFER","fid_UCX_URB_ISO_PACKETS","fid_URB_PipeHandle","fid_SmEngineContext","fid_UCX_URB_SECURE_BULK_OR_INTERRUPT_TRANSFER","fid_UCX_URB_SECURE_ISOCH_TRANSFER","fid_DomainId","fid_DpOutRouterTopologyId","fid_DpcdCmId","fid_DpOutAdapterNumber","fid_DpInRouterDepth","fid_DpInAdapterNumber","fid_IsRebuilding","fid_Attempts","fid_DpOutLocalCapabilities","fid_DpInLocalCapabilities","fid_MaskedRemoteCapabilities","fid_DpRxPollingDuration","fid_CommonCapabilities","fid_BandwidthUsed","fid_DpBwAllocationModeSupported","fid_DpBwAllocationModeEnabled","fid_ALPMEnabled","fid_LastCL1ExitTime","fid_USBHUB_HC","fid_USBHUB_Hub","fid_USBHUB_Hub_State","fid_USB_HubDescriptor","fid_USBHUB_CD_Error_Information","fid_USBHUB_ID_Error_Information","fid_PortAttributes","fid_USBHUB_Acpi_Upc_Package","fid_USBHUB_Acpi_Pld","fid_USBHUB_Device","fid_USBHUB_Device_State","fid_DeviceDescriptor","fid_DeviceDescription","fid_PowerState","fid_Class","fid_UsbdStatus","fid_DebugText","fid_PortStatusChange","fid_TimerTag","fid_TimeElapsedBeforeLogStart","fid_USB30_HubDescriptor","fid_CurrentWdfPowerDeviceState","fid_USB20_HubDescriptor","fid_ConfigurationDescriptorLength","fid_ConfigurationDescriptor"
,"fid_PdoName","fid_Suspended","fid_PortPathDepth","fid_PortPath","fid_Usb20LpmStatus","fid_ControllerParentBusType","fid_PortFlagAcpiUpcValid","fid_PortConnectorType","fid_UcmConnectorId","fid_GetFirmwareImageHashSupport","fid_DisallowFirmwareUpdateSupport","fid_GetFirmwareHashNtStatus","fid_GetFirmwareHashUsbdStatus","fid_UsbCPortCapabilitiesValid","fid_Usb4Supported","fid_PcieTunnelingSupported","fid_Tbt3AltModeSupported","fid_DpAltModeSupported","fid_RetimerCount","fid_DsdUsb4String","fid_WaitWakePending","fid_IoctlCode","fid_UrbFunction","fid_USBPORT_URB_HEADER","fid_PortStatus","fid_PortChange","fid_Context","fid_StartIndex","fid_Depth","fid_PreviousPortStatus","fid_CurrentPortStatus","fid_CurrentPortChange","fid_idVendor","fid_idProduct","fid_bcdDevice","fid_DeviceIsComposite","fid_DeviceWakeupSupport","fid_InterfaceRemoteWakeupCapable","fid_CachedSerialNumber","fid_CachedSerialNumberLength","fid_NewSerialNumber","fid_NewSerialNumberLength","fid_EventCount","fid_bNumberOfAlternateModes","fid_bPreferredAlternateMode","fid_VconnPower","fid_AdditionalInfoUrlString","fid_Svid","fid_AlternateMode","fid_AlternateModeString","fid_ConfigurationStatus","fid_DripsWatchdogResult","fid_EnumMsgId","fid_DeviceSpeed","fid_TotalHubDepth","fid_PortProtocol","fid_CumulativePortChange","fid_CurrentFeatureSelector","fid_bNumberOfPorts","fid_idVendorParentHub","fid_idProductParentHub","fid_bcdDeviceParentHub","fid_bEndpointAddress","fid_bInterfaceNumber1","fid_bAlternateSetting1","fid_bInterfaceNumber2","fid_bAlternateSetting2","fid_FwUpdateDevice","fid_FwUpdateProtocol","fid_WdfPowerDeviceState","fid_RemoteTarget","fid_ParentDeviceObject","fid_IsPortCycled","fid_enteringPowerLevel","fid_status","fid_USBPORT_HC","fid_USBPORT_HC_Idle_Status","fid_USBPORT_HC_Pdo_Name","fid_RunTimePmSetupStatus","fid_DevicePowerState","fid_AcpiInstanceId","fid_USBPORT_Device","fid_USBPORT_Device_Descriptor","fid_USBPORT_Device_Driver_Name","fid_USBPORT_Device_Idle_State","fid_USBPORT_Device_Pdo_Name
","fid_USBPORT_Device_Idle_Previous_State","fid_USBPORT_Device_Idle_New_State","fid_USBPORT_Endpoint","fid_USBPORT_Endpoint_Descriptor","fid_URB_Length","fid_URB","fid_Configuration_Descriptor_Length","fid_Configuration_Descriptor","fid_URB_FrameNumber","fid_USBPORT_URB_CONTROL_TRANSFER","fid_USBPORT_URB_BULK_OR_INTERRUPT_TRANSFER","fid_USBPORT_URB_NumberOfPackets","fid_USBPORT_URB_ISOCH_TRANSFER","fid_USBPORT_URB_ISO_PACKETS","fid_USBPORT_URB_URB_PIPE_REQUEST","fid_USBPORT_URB_INVALID_PIPE_REQUEST","fid_UsbStatus","fid_USBPORT_Usbuser_Op_Send_One_Packet","fid_PacketDataLength","fid_PacketData","fid_USBPORT_Execution_Metrics","fid_CodeTag","fid_AdapterObject","fid_NumPutScatterGatherList","fid_WriteData","fid_FlushLength","fid_CurrentVA","fid_LengthRemaining","fid_MiniportStatus","fid_SuspendPortStatus","fid_ResumePortStatus","fid_HcSuspendedFlag","fid_SuspendHcNotHalted","fid_HostSystemErrorCount","fid_HostSystemErrorResetNeeded","fid_StatAsyncEnableCount","fid_StatAsyncDisableCount","fid_StatPeriodicEnableCount","fid_StatPeriodicDisableCount","fid_StatAsyncEnableTimeoutCount","fid_StatAsyncDisableTimeoutCount","fid_StatPeriodicEnableTimeoutCount","fid_StatPeriodicDisableTimeoutCount","fid_StatRingDoorbellDisabledCount","fid_StatRingDoorbellDisablingCount","fid_StatRingDoorbellEnablingCount","fid_StatRingDoorbellEnabledCount","fid_StatRingDoorbellHwRemovedCount","fid_StatAnswerDoorbell","fid_StatAsyncCacheFlushIdle","fid_StatAsyncCacheFlushNormal","fid_StatAsyncCacheFlushRetry","fid_StatIntOnAsyncAdvancePendingCount","fid_StatIntOnAsyncAdvanceSyncRoutineCount","fid_StatRingDoorbellEnabledWithRetryCount","fid_StatRingDoorbellEnabledWithRetryIgnoredCount","fid_StatAsyncCacheFlushPrevented","fid_CurrentRingDoorbellDisablingTimerCount","fid_CurrentRingDoorbellEnablingTimerCount","fid_CurrentRingDoorbellEnabledTimerCount","fid_CurrentIntOnAsyncAdvancePendingCount","fid_StatResetNeededCount","fid_ResetNeeded","fid_ResetRecoveryEnable","fid_ResetRecoveryBreak","fid_AsyncS
cheduleState","fid_AsyncDoorbellState","fid_PeriodicScheduleState","fid_EhciInternalFlags","fid_PreventCmdChangesWithDoorbellPending","fid_OptimizeInactiveQhFlush","fid_DisableTwoDoorbellWorkaround","fid_StrictTransitionChecksEnabled","fid_IntegratedTTSupportRegistryOverride","fid_CurrentAsyncEnableCount","fid_InitialDoorbellRetryEnableValue","fid_CurrentDoorbellRetryEnableValue","fid_DoorbellRetryRequired","fid_PeriodicEnableChangeWithDoorbellPending","fid_PeriodicDisableChangeWithDoorbellPending","fid_RunTimePmEvent","fid_NakReloadCount","fid_MajorVersion","fid_MinorVersion","fid_FirmwareVersion","fid_S0IdleStatus","fid_InstanceNumber","fid_WdfPowerReferenceForDebuggerAcquired","fid_IsSecureDevice","fid_DMAModeInVSM","fid_NumberOfDMATargetsInVSM","fid_VTIOProgrammingMethod","fid_UsbEndpointOffloadMode","fid_IsTimeTrackingEnabled","fid_DeviceFlags_0","fid_DeviceFlags_1","fid_CachedHcsParams1","fid_CachedHcsParams2","fid_CachedHcsParams3","fid_CachedHccParams1","fid_CachedHccParams2","fid_MapRegisterCount","fid_SecondaryInterrupterCount","fid_InterruptMechanism","fid_SupportedNumberOfStreams","fid_ControllerSuspendResumeCount","fid_Controller_Counters","fid_Device_Capabilities","fid_SlotId","fid_IsSecureUSBDevice","fid_IsProxyUSBDevice","fid_IsDeviceContextLocal","fid_ConfigurationValue","fid_InterfaceNumber","fid_AlternateSetting","fid_LastConfigureEndpointStatus","fid_IsFirmwareHashValid","fid_IsFirmwareHashQueried","fid_IsFirmwareHashFromDevicePresent","fid_IsFirmwareHashFromSDEVEntryPresent","FirmwareHashFromDevice","FirmwareHashFromSDEVEntry","fid_USB_SuperSpeed_Endpoint_Companion_Descriptor","fid_USB_SuperSpeedPlus_Isoch_Endpoint_Companion_Descriptor","fid_PreProcessedSystemPowerAction","fid_CrbPointer","fid_Command_TRB","fid_CommandWaitlistReason","fid_CompletionStatus","fid_CompletionCode","fid_IsStartupDelayTolerable","fid_RequestorMode","fid_TimeTrackingHandle","fid_IsCloseHandleFromClient","fid_NumberOfGetFrameQpcCalls","fid_NumberOfFrameQpcTranslations",
"fid_ErrorPortNumber","fid_PortStatusAndControl","fid_IsPortErrorRecovered","fid_WasPortErrorReported","fid_WasPortRecoveryAssisted","fid_ReasonCode","fid_RecoveryAction","fid_Parameter3","fid_Parameter4","DeviceDescLength","StartDeviceFailReason","IdpDomain","TenantDomain","JoinTypeSymbolicName","ParameterName","PackageMessage","Email","ProxyBypassList","NotificationFlags","WinHttpStatus","WinHttpStatusFlag","StatusName","KspSessionID","DefaultPath","LocationType","LocationTypeName","JoinTypeName","ResponseBody","ErrorSubcode","JoinUpn","InputUpn","InputUpnCount","ValuesList","UserModeName","ExtensionsCount","Extension","KerbEndpoint","KdcProxyServer","LocalGpoModified","ExpectedProxyEnabled","ExpectedNoRevocationCheck","ExpectedProxyServer","ActualProxyEnabled","ActualNoRevocationCheck","ActualProxyServer","ProxyEnabled","NoRevocationCheck","ProxyServer","Attestation","ClientRequestId","ServerRequestId","RecommendedClientResponse","TenantName","AppSid","AccountProvider","RequestStatusSymbolicName","ProviderErrorMessage","AzureADTenantName","EnterpriseDrsName","dwInternetStatus","dwResult","ProxyCount","fProxy","fBypass","INTERNET_SCHEME","ProxyPort","ServerErrorCode","AttLevel","AikStatus","UserEmail","Upn","SavedKeyId","SavedKeyName","SavedIdpDomain","SavedTenantId","SavedUserEmail","ErrorSubCode","RPID","KeyDisplayName","UserDisplayName","UserImageUrl","KeyAlgorithm","PinStatus","PinRetries","NumOfKeyIds","hWnd","KeyStatus","KeyStatusSymbolicName","RACertificateId","DeviceCeritifcateId","UserKeyName","ParameterValueLength","MagicValue","ImportDllName","ProcessImagePath","CurDirDllPath","FoundDllPath","ProcessFileNamePathLength","ProcessFileNamePath","SuspendProcessRequest","DLLName","ExportModule","DeviceInstanceID","InstallStatus","AddServiceStatus","FileSizeInKb","SourceLocation","DestinationLocation","CopyTimeInSec","SourceTimestamp","DestinationTimestamp","MachineKeys","UserKeys","InterferingImageName","InterferingPID","ProfsvcPID","MeasuredLatency","Latency
Threshold","MeasuredBandwidth","BandwidthThreshold","AgeLimitInDays","EnvIssue","DownloadTime","UploadTime","ObjPtr","ObjType","PropCode","RpcCode","OldCode","P1","Prop_Hex_UInt32","Prop_FUNC_AnsiString","Prop_LINE_UInt32","Prop_Hr_Int32","PROP_UInt32_1","PROP_UInt32_2","PROP_UInt32","PROP_FILE_uint","PROP_UInt32_3","PROP_UInt32_4","PROP_UInt32_5","PROP_ByteCount","PROP_Bytes","Prop_Prop","Prop_Process_UnicodeString","Prop_ErrorCode","Prop_HexInt1","Prop_HexInt2","Prop_HexInt3","P1_HexInt","Prop_CriticalSection_Name","Prop_TimeHeld","Prop_ReleaseFunction","Prop_INT","Prop_UInt64","Prop_FullKnowledgeSize","Prop_LoggedKnowledgeSize","Prop_Knowledge","Prop_Prop1","Prop_Prop2","Array","Arg5","Arg6","Arg7","Prop_Mode","Prop_ULong","Prop_Caller","AppOwnershipId","StoreAppOwnershipId","Prop_Boolean_1","maxnotify","returned","remaining","missed","readyCount","lost","starttime","Prop_Boolean_2","remoteId","operationId","requestAmnt","providedAmnt","qualifyingAmnt","deepLink","RcsCapabilityBits","NotificationActions","RcsChatId","isComposing","serviceType","AccessedString","Prop_UInt_5","AppDataCleanupReason","Prop_Trace_UnicodeString","Prop_Handle2","P2_HexInt32","LookupKey","NetworkErrorCode","WindowName","IsEventAsync","DIF_CODE","ChildDevice","ParentDevice","SetupClass","RebootOption","UpgradeDevice","IsDriverOEM","DriverDescription","DriverFileName","PrimaryService","UpdateService","RebootTime","VetoDevice","UserIdType","UserIdTypeText","OperationTag","OriginalErrorCode","IsWellKnown","userId","BackupUnitProcessorMode","ErrorCauseType","ErrorCauseLocation","HandlerResponse","DownloadUnitIdTypeName","DownloadUnitIdCollectionName","DownloadUnitIdIsPerDevice","DownloadRequestUri","DownloadAssetIdName","DownloadAssetUriName","UnitCount","database","CurrentCheckBit","HostProvider","VhdId","VhdIoType","VhdSrbType","ParentLastWriteGUID","ExpectedParentLastWriteGUID1","ExpectedParentLastWriteGUID2","VhdInstanceId","RefType","PendingRecoveryCount","VHDFileTime","LogFileTime","CtL
ogPerfOpts","CtMinMasterBufferSize","CtMaxDirtyMemThresholdPercent","CtMaxFlushBufferSize","PersistentReserveIn","VhdVirtualStorageType","VhdHandle","VhdStatus","DiagPrefixLength","DiagPrefix","ExitStatus","DiffAreaCount","PersistentDeleteReason","PersistentDeleteStatus","DiffVolumeNameLength","DiffVolumeName","OriginalErrorLogCode","OriginalErrorStatus","OriginalSourceFile","OriginalSourceLine","OriginalSourceTag","VpnConnectionName","PropertiesString","PropertiesNotUpdatedString","VIfGuid","WalletItemPropertyType","InternetConnectivityv4","InternetConnectivityv6","InternetProbeCompletev4","InternetProbeCompletev6","DomainConnectivity","DomainProbeComplete","WcmOpcode","Datalength","APNname","SubscriberID","Profilename","OnDemandType","OnDemandInfo","Interface GUID","Mediatype","manualConnectEnabled","autoConnectEnabled","AvgIn","AvgOut","SpikeIn","SpikeOut","ThresholdAvgIn","ThresholdAvgOut","ThresholdSpikeIn","ThresholdSpikeOut","ProfileUpdatedorDeleted","ConfigtoSyncWithTimeServer","TimeServerName","NumServerTimeRetries","ServerTimeRetrievalError","NdisRefError","Refcount","Activate","TotalNetworkRefCount","ProcessNetworkRefCount","TotalCmNdisRefCount","PerProcessCmNdisRefCount","PeerUuid","MessageGuid","MessageBlobLength","MessageBlob","TransportSubType","MissingPolicy","StartUrl","TerminateUrl","RedirectedUrl","OriginalUrl","Post","Clsid","ConvertedValue","TicketLength","Ticket","RpId","AccountId","ClientDataHashAlgId","ClientDataLength","ClientDataHashLength","ClientDataHash","CredentialCount","CredentialParameterCount","AttestationFormatType","RpIdHashLength","RpIdHash","SignCount","AAGuid","CredentialIdLength","CredentialId","U2fPublicKey","PublicKeyLength","PublicKey","CborError","CborErrorString","ErrorOffset","UserIdLength","RequireResidentKey","RequestLength","TimeoutMilliseconds","U2fProtocol","WnfState","DeviceErr","RequestCommand","ResponseCommand","PairedName","NumberOfTimesScardCancelCommandsSent","CallCancelled","ApduStatus","DeviceStatus","Storag
eID","PluginClsId","BackupId","EncryptionKeyType","ApiObject","ApiHandle","ApiVersion","SessionHandle","RequestHandle","VersionMajor","VersionMinor","InformationRoutine","InformationContext","InformationLength","ConnMgr","ServerEndpoint","ProxyEndpoint","ConnectionManager","DataChunks","DataChunkCount","CompletionContext","TotalChunkLength","IsEntity","RequestEntityComplete","PendingSendCount","LastSend","CompletionInformation","OldBuffer","OldBufferLength","BufferLengthData","NewBuffer","NewBufferLength","BufferLengthConsumed","BufferLengthRemaining","ChunkData","ChunkDataLength","HttpResponseCode","BytesToReceive","ResponseFlags","SocketHandle","RemainingAddressCount","Http3ClientConnectionId","Aborted","DnsQuery","AddressCount","SockaddrLength","CacheEntry","ResolveName","Http3ClientStreamId","IsEof","IsHeaderPairs","StreamConnection","SettingId","WindowIncrement","IsSession","LastStreamId","SecurityHandleHigh","SecurityHandleLow","CredHandleHigh","CredHandleLow","OutputFlags","DataChunkBufferLength","SslIOContext","RequestDisconnect","ContextHandleHigh","ContextHandleLow","IgnoredServerCertErrors","ServerCertErrors","PlainData","PlainDataLength","DummyWorkaroundVal","EnabledProtocols","SSLClientCert","EnableRevertToSelfClientCertificate","CipherConfig","ProtocolObject","ProtocolHandle","OldToken","traceString","CorruptedFilePath","CrashedAppName","ExceptionStatusCode","AppPath","Is64Bit","CallReturnAddress","CallReturnModName","CallReturnModOffset","CallReturnInstructionBytesLength","CallReturnInstructionBytes","CallReturnBaseAddress","CallReturnRegionSize","CallReturnState","CallReturnProtect","CallReturnType","TargetModName","TargetModOffset","TargetInstructionBytesLength","TargetInstructionBytes","TargetBaseAddress","TargetRegionSize","TargetProtect","GrantedPolicy","ThrottleCheckResult","LocalSpn","PeerSpn","LocalGroupSidCount","LocalGroupSidLength","LocalGroupSids","RemoteGroupSidCount","RemoteGroupSidLength","RemoteGroupSids","KeyingModuleType","MmState","
SaRole","EndCertHash","MMId","MMFilterId","QMState","SaTrafficType","QMFilterId","MMSaLuid","MMProviderContextKey","EMState","LocalTunnelEndpointLength","RemoteTunnelEndpointLength","QMSaLuid","VirtualIFTunnelId","VirtualIFTrafficSelectorId","InboundSPI","OutboundSPI","AHAuthType","ESPAuthType","ESPCipherType","RekeySPI","AuthenticationMethodType","EncryptionAlgorithm","DiffieHellmanGroup","LifetimeMinutes","Impersonation","VirtualIfTunnelId","LocalCertDnSubject","LocalCertShaThumbprintLength","LocalCertShaThumbprint","LocalCertDnIssuer","LocalCertDnRoot","PeerCertDnSubject","PeerCertShaThumbprintLength","PeerCertShaThumbprint","PeerCertDnIssuer","PeerCertDnRoot","LocalUmCertDnSubject","LocalUmCertShaThumbprintLength","LocalUmCertShaThumbprint","LocalUmCertDnIssuer","LocalUmCertDnRoot","PeerUmCertDnSubject","PeerUmCertShaThumbprintLength","PeerUmCertShaThumbprint","PeerUmCertDnIssuer","PeerUmCertDnRoot","UMImpersonation","UMLocalSPN","UMPeerSPN","UMAuthenticationMethodType","LocalSPN","PeerSPN","AcquireContext","LocalUdpEncapPort","RemoteUdpEncapPort","MMTargetName","EMTargetName","NumTokens","Token1Type","Token1Principal","Token1Mode","Token1","Token2Type","Token2Principal","Token2Mode","Token2","Token3Type","Token3Principal","Token3Mode","Token3","Token4Type","Token4Principal","Token4Mode","Token4","OrigVirtualIfTunnelId","PacketLocalAddressLength","PacketLocalAddress","PacketRemoteAddressLength","PacketRemoteAddress","PacketIPProtocol","PacketInterfaceLuid","PacketProfileId","ExchangeType","NextPayload","LocalProtocol","RemoteProtocol","AppSID","ReauthReason","PacketDirection","vSwitchId","EnterpriseId","PolicyFlags","EffectiveName","InternetHostAddress","CorpnetHostAddress","FRUId","FRUText","ValidBits","SecondaryBus","SecondaryDevice","SecondaryFunction","ClassCode","BridgeControl","BridgeStatus","HeaderLog","PrimaryDeviceName","SecondaryDeviceName","ApicId","MCABank","MciStat","MciAddr","MciMisc","PhysicalAddressMask","Card","Bank","BitPosition","RequesterId",
"ResponderId","Extended","RankNumber","CardHandle","ModuleHandle","BusSegment","BusAddress","BusData","PCIXCommand","CompleterId","FunctionNumber","SegmentNumber","MPIDR_EL1","MIDR_EL1","RunningState","PSCIState","CacheLevel","AffinityLevel","TLBOperationType","AccessMode","PrecisePC","RestartablePC","VirtualFaultAddress","PhysicalFaultAddress","MciStatus","uString","Ptr1","Ptr2","uString1","uString2","Dword3","aString1","Dword4","Dword5","dwValue2","dwValue3","ssidLen","ssid","algo","cipher","secure","signal","szConnName","winerror","reasoncode","eaptype","trigger","active","delayed","timer","szString1","dwValue4","dwValue5","dwValue6","dwValue7","dwValue8","dwValue9","wsSource","wsConnName","szNotifType","szNotifState","dwState","Ssid","szNetwork","dwAuth","dwCipher","dwQuality","dwCPSize","dwCPOffset","dwCredSize","dwCredOffset","QuerySources","dwNetworkOut","dwNetworksIn","dwACEnabled","ConfScanTO","MinLinkQ","MinScore","dwScoreWt","dwSignalWt","OverlapP","dwRetries","AllNetworks","ConnNetworks","dwGblFlags","dwMngFlags","dwUserFlags","dwWPSFlags","dwIndex1","dwIndex2","LinkQ","szType","szState","dwCfgWt","dwCalcWt","dwCfgFlags","dwProfFlags","dwCPLength","dwCredLength","wsConnection","szString2","wszString","wszStatus","bUserNetwork","bACProfile","dwBackoffMin","dwBackoffRng","dwValue10","dwValue11","dwValue12","dwValue13","BSSID","flightId","networkId","DataNeeded","PCD","szReason","bQueryTM","bScmEnabled","bCredEnabled","bCPEnabled","dwTMFlags","bCloudEnabled","notif","bssid","SourceProcessName","FontSourcePath","SyscallName","AppContainerSid","FilterSetId","SPIAction","WatchdogType","PowerTaskState","NeedWaitForRit","NeedPowerOnGdi","Phase1CryptoSetId","Keyword","AutoResolve","Append","AddressesToUpdate","ActivityGUID","VMCreatorId","PartitionGUID","Constrained","VMConfig","RuleOperation","ProfileConfig","pwszTimeStamp","FallbackUsed","BCurves","Matrix","MCurves","CLut","ACurves","RMin","RMax","GMin","GMax","BMin","BMax","Min","Intent","CdmType","CdmFileName
","CamType","CamFileName","GmmType","GmmFileName","Share","Creation","Pcs","Optimization","LutType","LcsCSType","LcsIntent","SourceProfileName","DestProfileType","DestProfileName","TargetProfileType","TargetProfileName","NumProfiles","NumIntents","HXform","NumColors","InColorType","OutColorType","NumInChannels","InDataType","NumInBytes","NumOutChannels","OutDataType","NumOutBytes","InBitmapFormat","InStride","OutBitmapFormat","OutStride","CalibrationManagementEnabled","ColorProfileExistsAndContainsCalibrationData","AdapterGammaAdjustments","MonitorAdjustments","WorkingSpace","FailingHresult","FailingInterfaceCLSID","SourceSize","InfterfaceSize","ErrorMsgSize","CantMsgSize","CantMsg","DismissReason","version1","version2","restartDate","restartTime","hRequest","AuthTargets","AuthScheme","_ConnectionNameLength","_InterfaceLength","_ConfigurationURLLength","ConfigurationURL","_MIMETypeLength","MIMEType","_URLLength","_ProxyStringLength","ProxyString","Functionname","Errortext","Exceptioncode","HttpProtVersion","HttpMethod","ParseBuffer","HINTERNET","_UserAgentLength","_AccessTypeLength","_ProxyListLength","ProxyList","_ProxyBypassListLength","ConnectionHandle","ParentHandle","_HeadersLength","_ServerNameLength","_ServiceLength","_VerbLength","_ObjectNameLength","_VersionLength","_ReferrerLength","_AcceptTypesLength","AcceptTypes","_ContentLengthStrLength","_ReasonLength","_HostNameLength","_AddressListLength","AddressList","URLLength","_DomainLength","_PathLength","_NameLength","_ValueLength","_SchemeLength","IsProxy","_CertHashLength","WarningFlags","AppPackageSid","Offline","RequestHeaders","ResponseHeaders","UsageLogRequestCache","NewLatchTimerNeeded","NewLatchTimerWaitingSystemUpdateCompletion","PreviousLatchTimerExistsButDisabled","PolicyFileExists","win32Error","ftStartTime","ullDelay","ftDueTime","PreviousTimerPresent","fAttemptedRecoveryIncrementCounterSucceeded","fPreviousLatchTimerInvalid","fPolicyFileExists","PendingLKeyPkgId","PendingPolicyVersion","CounterI
ncremented","NewTimerNeeded","NewTimerWaitingUpdateCompletion","PreviousTimerExistsButDisabled","FileStartTime","GracePeriod","PreviousTimerExists","PreviousTimerStartTime","AttemptedRecoveryEnforcementSucceeded","BootStlEnforced","LocalStatus","TimeLeft","InternalAddrLen","InternalSrcAddr","InternalDstAddr","ExternalAddrLen","ExternalSrcAddr","ExternalDstAddr","TcpSessionState","InternalCompartmentId","InternalAddr","ExternalAddr","Configured","IncomingAddrLen","IncomingSrcAddr","IncomingDstAddr","TranslatedAddrLen","TranslatedSrcAddr","TranslatedDstAddr","Identification","IcmpPayload","InternalPrefixAddrLength","InternalSrcPrefix","InternalSrcPrefixLength","InternaDstlPrefix","InternalDstPrefixLength","IPv4PrefixLength","Nat64","StartingPort","EndingPort","InternalRoutingDomainId","AddressPrefix","ExternalInterfaceIndex","UdpIdleSessionTimeout","TcpTransientConnectionTimeout","TcpEstablishedConnectionTimeout","IcmpQueryTimeout","TcpFilteringBehavior","UdpFilteringBehavior","UdpInboundRefresh","ExternalIPInterfaceAddressPrefixLength","ExternalIPInterfaceAddressPrefix","ExternalTransportAddress","InternalTransportAddress","RemoteAddressPrefix","RemoteAddressPrefixLength","ActionReason","ArrivalCompartmentId","ArrivalInterfaceIndex","ArrivalNetwork","ForwardCompartmentId","ForwardInterfaceIndex","ContinuousLength","CapturedIPHeaderLength","CapturedTransportHeaderLength","ICMPErrorTransportProtocol","ICMPErrorCapturedIPHeaderLength","ICMPErrorCapturedTransportHeaderLength","IPHeader","TransportHeader","ICMPErrorIPHeader","ICMPErrorTransportHeader","ErrorID","ErrorMisc","FallbackIPv4Address","SyntheticIPv4Address","SyntheticIPv6Address","PortChunkSize","RSCAware","UROAware","FragmentAware","ForceInternalRoute","UdpSessionTimeout","ClampMssEnabled","PktNum","DatapathBinding","inputErrorCode","languageCode","apiCall","maxAllowedConcurrentShells","maxAllowedConcurrentOperations","timeslotSize","maxAllowedOperationsPerTimeslot","provider","argument","proxyList","bypassList
","resourceURI","totalChunks","SoapDocument","senderName","concurrentShells","concurrentOperations","requests","windowTime","delayHint","users","actionUri","httpStatus","extraErrorInfo1","extraErrorInfo2","subject","extraInformation1","extraInformation2","extraInformation3","extraInformation4","clientIP","authClient","authServer1","authServer2","authServer3","authServer4","authServer5","destinationMachine","authProxy1","authProxy2","authProxy3","authProxy4","authProxy5","error1","error2","error3","error4","error5","error6","error7","error8","UserModePid","ListenEndpoint","Backlog","SendBacklog","RegistrationDomain","Cq","UserAddress","SystemAddress","CqIndex","NotificationHandle","NotificationObject","NotificationContext1","NotificationContext2","Commit","OriginalEntryCount","OriginalStart","OriginalEnd","RequestedEntryCount","RioState","SendEntryCount","SendUserAddress","SendSystemAddress","SendBufferSize","ReceiveEntryCount","ReceiveUserAddress","ReceiveSystemAddress","ReceiveBufferSize","SendCqIndex","ReceiveCqIndex","ReceiveQueueStart","ReceiveQueueEnd","SendQueueStart","SendQueueEnd","OriginalSendEntryCount","OriginalSendQueueStart","OriginalSendQueueEnd","RequestedSendEntryCount","OriginalReceiveEntryCount","OriginalReceiveQueueStart","OriginalReceiveQueueEnd","RequestedReceiveEntryCount","SpecifiedLength","RequiredLength","NameResolutionHandle","RegDomain","PauseUnPause","TLBacklogCount","BufferSharingType","BinaryName","Stop","InterfaceContext","PacketContext","MACAddr","RequestedFields","ProfileContent","RestartReason","SwitchMAC","LocalMAC","BlockingTime","NdisPortControlState","NdisPortAuthState","AdapterState","SSIDs","BlockTime","Auth","IhvConnectivitySetting","MgmtFrameProtection","Dot11StatusCode","AuthVal","CipherVal","FIPSMode","SecurityHint","SecurityHintCode","IhvSecuritySetting","IhvReasonCode","IhvDataLength","IhvData","EapType","AuthorID","EAPRootCauseString","CostSource","CostValue","PeerMAC","Joined","PHY","PHYCount","PowerSetting","SoftwareS
tate","HardwareState","ConnectionResetReason","Adhoc","OldProfileName","NewProfileName","FlushBSSList","Auto","Multiple","SSIDListSize","ActiveConsole","Network","BlockTimeMs","SingleSSID","WlanRpcCallType","IsOn","ExpeditedScanTrigger","DisconnectTrigger","IsReachable","IsAutoConnectEnabled","AutoConnectProfileCount","AutoConnectFilterControl","IsManualConnectEnabled","ManualConnectProfileCount","ManualConnectFilterControl","ConnectivityBlockReason","AdHocFormed","AssocStatus","CurrState","BssidCount","AuthAlgoId","Rssi","PKMIDs","FourWayOffloadSupported","SafeModeSupported","SafeModeCertified","OneXEnabled","UICancelled","PeerAddr","Authenticator","PageClsId","Cancelled","AdapterID","Healthy","HealthStatus","RapidRekey","FastRoam","AuthAlgo","CipherAlgo","IHVBitmap","WLANStatusCode","DetailedStatusCode","AssocDuration","AssocRestartCount","AuthDuration","AuthRestartCount","DriverService","SignalQualityPercentage","InterferingAPCount","TotalVisibleAPCount","APPhyType","APMaxChannelWidth","APDescription","APManufacturer","APModelName","APModelNum","DetailedStatusCodeOnRoam","RxRate","TxRate","OneXAuthMode","HotSpot20IEPresent","DeviceMfg","ProfileTypeUsed","SystemRandomizationStatus","ProfileRandomizationStatus","ConnectionFlags","DisconnectExtensions","RoamExtensions","SuspectDurationMs","BssidChanged","DetectionLinkQuality","CurrentLinkQuality","MacTxUnicastCount","MacRxUnicastCount","MacRxMulticastCount","MacRxUnicastDecryptSuccess","MacRxUnicastDecryptFailure","PhyTxFailedCount","PhyTxFrameCount","PhyTxRetryCount","PhyRxFrameCount","PhyRxFcsErrorCount","CurrentTxRate","CurrentRxRate","DiagnosticStatsDifferenceTrigger","IpFamily","ExtensibleModulePath","ShowDeniednetworks","Profilesapplied","Profilesappliedplaceholder","Profilesnotapplied","Profilesnotappliedplaceholder","CallerRequestId","DriverRequestId","ServiceId","InBufferSize","NetCfgId","RadioOff","MaxLinkSpeed","UplinkSpeed","DownlinkSpeed","AvailableDataClass","AvailableDataClassValid","AdapterSupportedC
ellularClass","AdapterCurrentCellularClass","GenXmitFramesOk","GenXmitFramesDiscard","GenReceiveFramesOk","GenReceiveFramesDiscard","MaxActivatedContexts","ActivePortCount","PendingRequestCount","OIDname","BytesUsed","BytesNeeded","SubClass","Configs","ECMFuncDescpresent","NCMFuncDescpresent","MBIMFuncDescpresent","bInterfaceNumber","bInterfaceClass","bInterfaceSubClass","bInterfaceProtocol","bAlternateSetting","bNumEndPoints","bmRequestType","bNotificationCode","wValue","wIndex","wLength","UsdbStatus","MessageTransactionId","TotalFragments","CurrentFragment","InfoLength","ToHost","HwRadioState","SwRadioState","InformationBufferLength","InformationBuffer","MOF","EventProvider","BackupRepository","BackupFile","QuotaName","QuotaValue","QuotaThreshold","HostProcessID","ProvidersInHost","MessageDetail","ErrorCategory","Commandline","CreatedProcessId","CreatedProcessCreationTime","IsDRM","ErrorCode2","ProximityTime","ErrorCode1","MDEID","UnicodeString1","UnicodeString2","UnicodeString3","UnicodeString4","NT_STATUS","DWordParam","Live Preview 
Type","LocalReplicaRoot","FullEnumerationOccurred","ServerPartnershipId","SyncId","HResultStr","SyncPartnershipId","SessionUri","SuccessFileCount","SuccessDataSize","FailedDataSize","TotalBatchTime","BodyLength","HttpResponse","ServerCodeStr","SyncGID","LocalFolder","ServerURI","SyncUrl","AutoProvision","GhostingPolicy","DiscoveryUrl","PartnershipId","PartnershipType","ConfiguredByPolicy","DiscoveryURL","SyncTargetType","SizeMB","StsUri","LocalEpoch","ServerEpoch","JWT","ServiceUri","ZoneUriIsAddedTo","ZoneUriExistsIn","SoapResponse","RegistrationServiceUri","ErrorCodeText","ErrorData","WpdAPICommandCategoryGUID","WpdAPICommandID","WpdSerializedData_Length","WpdSerializedData_Buffer","WPDAPIOPerationHR","TransportSymbolicLink","MTPBTPacketLength","MTPBTPacketData","MTPBTPacketType","MTPBTPacketSeqID","MTPBTEventLength","MTPBTEventData","TransactionID","MTP_Opcode","MTP_Command_Param_count","MTP_Command_Params","MTP_Response_Retrieval_HR_From_Transport","MTP_Response_Code","MTP_Response_Param_count","MTP_Response_Params","MTP_Data_Length","MTP_Data_Buffer","MTP_DatatypeOfPropValue","MTP_Event_Retrieval_HR_From_Transport","MTP_Event_Code","MTP_Event_Param_count","MTP_Event_Params","MTPBulkGetObjProps_size","MTPBulkGetObjProps_buffer","Seconds","HackModel","ExpectedValue","ActualValue","Prop","PKeyGuid","PKeyId","CurrentCode","OriginalCode","MTPIPPacketLength","MTPIPPacketData","MTPIPPacketType","MTPIPEventLength","MTPIPEventData","MTPUSLength","MTPUSData","WINUSB_SETUP_PACKET_LENGTH","WINUSB_SETUP_PACKET","ControlTransferBufferLength","ControlTransferBuffer","InstallFunctionCode","InstallFunctionName","MetadataLocaleName","MetadataContentId","BusTypeGuid","OIDorStatus","FunctionCall","wilFailureType","ModemCreationCount","dwMajorVersion","dwMinorVersion","dwDriverCaps","WwanCellularClass","WwanDataClass","WwanGSMBandClass","WwanCDMABandClass","ReadyState","InformationAvailability","NoOfProviders","RegisterMode","PacketAttachState","CurrentNetworkCaps","NwError","Activ
ationState","VoiceCallState","WwanApiName","ModemType","IsSysCapsSupport","CapsType","EventCode","IpType","ErrorRate","RssiInterval","RssiThreshold","HWRadio","SWRadio","ProfileUpdateType","oldProfileName","PinType","AttemptsRemaining","PinOperation","mbnInterface","propname","info","interfaceGuid","cbPayload","NdisStatusId","RegisteredType","PacketServiceState","IWLANAvailabilityState","IsExecutorAvailable","IsGPolicyDisableAc","IsClientDisableAc","IsPowerStatesAllowingAc","ModemIdx","execIdx","IccID","connMode","isAdditionalPdpContextProfile","profileSource","purposeGuids","apnName","ipType","authMethod","EnablementPolicy","RoamingPolicy","ProfileSource","cellularClass","DataCodingScheme","WwanStatus","CellularClass","VoiceClass","SimClass","DataClass","CustomDataClass","BandClass","CustomBandClass","SmsCaps","ControlCaps","FirmwareInfo","AuthAlgoCaps","EmergencyMode","SimIccId","SlotId","SwRadioAction","RoamingText","RegistrationFlags","PreferredDataClasses","RegisterAction","Wwan5GFrequencyRange","PacketServiceAction","IPType","ActivationCommand","AccessString","Compression","MediaPreference","ConnectionMediaSource","ProviderState","DeviceServiceGuid","WwanDeviceServiceCommands","WwanDeviceServiceEvents","WwanDeviceServiceResponse","ModemNumber","ExecutorID","MaxContextCount","Executors","ActiveExecutors","ActiveDataExecutors","ModemID","NumberOfExecutors","NumberOfSlots","Concurrency","TimeZoneOffsetMinutes","DaylightSavingTimeOffsetMinutes","DataClasses","ActiveAppIndex","AppListSize","StatusWord1","StatusWord2","FileAccessibility","FileType","FileStructure","ResponseDataSize","MaxFlushTime","LevelConfig","MicoMode","DRXParam","LADNInfo","CurrentMicoIndication","CurrentDRXParams","ReRegisterIfNeeded","DefaultPDUSessionHint","ListElementType","ListElementCount","TotalNumberOfProfiles","A10_errCode","A10_pAsyncState","A10_ctx","A11_pAsyncState","A11_evt","A12_errCode","A13_retCode","A11_errCode","A11_notificationSourceBits","A10_handle","A11_dwFlags","A11_pInter
faceGuid","A12_opCode","A13_errCode","A13_opCode","A14_errCode","A15_errCode","A10_hClientHandle","A12_dwScanType","A12_registerMode","A13_strProviderId","A14_wwanDataClass","A12_connMode","A13_connectionFlags","A14_str","A11_pPhysicalInterfaceGuid","A12_ulConnectionFlags","A13_strProfileName","A12_ctxtId","A12_flags","A13_overwrite","A14_strProfileXml","A12_strProfileName","A12_pPurposeGuid","A11_ProfileName","A12_passwordProtection","A13_dwFlags","A14_strMetaDataName","A10_pInterfaceGuid","A11_strProfileName","A11_pModemId","A12_strDMConfigProfileXml","A13_fOverwrite","A11_pParentInterfaceGuid","A11_pChildInterfaceGuid","A10_ctx->handle","A11__serviceStatus (errCode)","A11_(*ppInterfaceList)->dwNumberOfItems","A10_pConnectReserved->Type","A12_*pulConnectionId","A12_(*ppProfileList)->dwNumberOfItems","A11_*pdwProfileIndex","A12_(pdwRoamingProfileIndex ? *pdwRoamingProfileIndex : 0)","A12_(*ppDMConfigProfileList)->dwNumberOfItems","A12_*pReasonCode","A12_(*ppTrafficDescriptorList)->dwNumberOfItems","A11_result","A10_result","A10_version","A11_WWAN_CURRENT_VERSION","A10_dimStatus","A10_pContext","A10_TotalLen","A10_Oid","A11_Error","A11_Oid","A12_Error","A10_GetSetType","A11_dimStatus","A10_Error","A10_Statuscode","A11_DataLen","A10_DevName","A11_Statuscode","A10_bufferSize","A10_IndicationDropCount","A10_ndisStatus","A11_ndisStatus","A10_ndisOid","A11_ulTargetWwanDataSize","A10_ulTargetOidDataSize","A11_ndisOid","A10_cr","A10_requestLength","A12_Oid","A12_status","A11_OID_PM_PARAMETERS","A12_0","A14_status","A10_type","A10_p","A10_len","A11_rlen","A12_hr","A10_reqLen","A11_reqLen","A10_pCmd[cmdIndex]","A11_neighboringCellCount","A10_neighboringCellCount","A11_WwanStructMPDPChildInterface","A11_pGuid","A10_InterfaceName","A13_Error","A13_len","A14_Error","A10_dataSize","A10_ndisPhysicalMedium","A11_PhysicalMedium","A10_PhysicalMedium","A11_media","A12_result","A10_returnDataSize","A11_SIZEOF_NDIS_WWAN_MBIM_VERSION_1","A10_ulResult","A10_DimOpenCount","A10_ulSourceDat
aSize","A10_targetRevision","A10_ulTargetWwanDataSize","A12_ulWwanDataSize","A10__pDimContext->selfGuid","A11__pDimContext->parentGuid","A10_pDimContext->ndisVersion","A10_pDimContext->name","A10_OidToString(Oid)","A10__pContext->selfGuid","A11__pContext->parentGuid","A11_pDataNormalizationEntry->sourceRevision","A12_pNdisHeader->Revision","A11_pDataNormalizationEntry->ulSourceDataSize","A11_pDataNormalizationEntry->sourceVersion","A13_pDataNormalizationEntry->ulSourceDataSize","A14_ulWwanDataSize","A15_pDataNormalizationEntry->ulTargetDataSize","A10_pDataNormalizationEntry->ulTargetDataSize","A11_pDataSpecializationEntry->ulSourceDataSize","A13_pDataSpecializationEntry->targetVersion","A14_pDimContext->Version","A11_ulWwanDataSize","A12_pDataSpecializationEntry->ulTargetDataSize","A11_isSet","A12_pDataSpecializationEntry->targetVersion","A13_pDataSpecializationEntry->ulSourceDataSize","A15_pDataSpecializationEntry->ulTargetDataSize","A10__context->selfGuid","A10_GetLastError()","A11_OidToString(Oid)","A10_L'UNKNOWN'","A13_sizeof(params)","A10_pProvider->ProviderId","A10_pProvider->ProviderState","A10_pProvider->ProviderName","A10_DataClassToStringInBuff(pProvider->WwanDataClass, Buff, 
MAX_BUFFER_STRING)","A10_pProvider2->ErrorRate","A10_CellularClassToString(pProvider2->WwanCellularClass)","A10_SmsFormatToString(pNdisSmsRead->SmsRead.SmsFormat)","A11_pNdisSmsRead->SmsRead.SmsFormat","A10_SmsFlagToString(pNdisSmsRead->SmsRead.ReadFilter.Flag)","A11_pNdisSmsRead->SmsRead.ReadFilter.Flag","A12_pNdisSmsRead->SmsRead.ReadFilter.MessageIndex","A10_pNdisVisibleProvider->VisibleProviders.Action","A10_RadioStateToString(pRadioState->RadioAction)","A11_pRadioState->RadioAction","A10_PinTypeToString(pSetPin->PinAction.PinType)","A11_pSetPin->PinAction.PinType","A10_PinOperationToString(pSetPin->PinAction.PinOperation)","A11_pSetPin->PinAction.PinOperation","A10_pPreferredProviders->PreferredListHeader.ElementType","A10_pPreferredProviders->PreferredListHeader.ElementCount","A10_pRegisterState->SetRegisterState.ProviderId","A10_RegisterActionToString(pRegisterState->SetRegisterState.RegisterAction)","A11_pRegisterState->SetRegisterState.RegisterAction","A10_pRegisterState->SetRegisterState.WwanDataClass","A10_pSignalIndication->SignalIndication.RssiInterval","A10_pSignalIndication->SignalIndication.RssiThreshold","A10_PacketServiceActionToString(pSetPacketService->PacketServiceAction)","A11_pSetPacketService->PacketServiceAction","A10_pSetContextState->SetContextState.ConnectionId","A10_ActivationCommandToString(pSetContextState->SetContextState.ActivationCommand)","A11_pSetContextState->SetContextState.ActivationCommand","A10_pSetContextState->SetContextState.AccessString","A10_CompressionTypeToString(pSetContextState->SetContextState.Compression)","A11_pSetContextState->SetContextState.Compression","A10_AuthenticationProtocolTypeToString(pSetContextState->SetContextState.AuthType)","A11_pSetContextState->SetContextState.AuthType","A10_pSetProvisionedContext->ProvisionedContext.ContextId","A10_ContextTypeToString(pSetProvisionedContext->ProvisionedContext.ContextType)","A11_pSetProvisionedContext->ProvisionedContext.ContextType","A10_pSetProvisionedContext-
>ProvisionedContext.AccessString","A10_CompressionTypeToString(pSetProvisionedContext->ProvisionedContext.Compression)","A11_pSetProvisionedContext->ProvisionedContext.Compression","A10_AuthenticationProtocolTypeToString(pSetProvisionedContext->ProvisionedContext.AuthType)","A11_pSetProvisionedContext->ProvisionedContext.AuthType","A10_pSetProvisionedContext->ProvisionedContext.basicInfo.ContextId","A10_ContextTypeToString(pSetProvisionedContext->ProvisionedContext.basicInfo.ContextType)","A11_pSetProvisionedContext->ProvisionedContext.basicInfo.ContextType","A10_pSetProvisionedContext->ProvisionedContext.basicInfo.AccessString","A10_CompressionTypeToString(pSetProvisionedContext->ProvisionedContext.basicInfo.Compression)","A11_pSetProvisionedContext->ProvisionedContext.basicInfo.Compression","A10_AuthenticationProtocolTypeToString(pSetProvisionedContext->ProvisionedContext.basicInfo.AuthType)","A11_pSetProvisionedContext->ProvisionedContext.basicInfo.AuthType","A10_pSetProvisionedContext->ProvisionedContext.Operation","A10_IPTypeToString(pSetProvisionedContext->ProvisionedContext.IPType)","A11_pSetProvisionedContext->ProvisionedContext.IPType","A10_pSetProvisionedContext->ProvisionedContext.Enable","A10_pSetProvisionedContext->ProvisionedContext.Roaming","A10_pSetProvisionedContext->ProvisionedContext.MediaType","A10_ConfigurationSourceToString(pSetProvisionedContext->ProvisionedContext.Source)","A11_pSetProvisionedContext->ProvisionedContext.Source","A10_pNdisSetSmsConfiguration->SetSmsConfiguration.ScAddress","A10_SmsFormatToString(pNdisSetSmsConfiguration->SetSmsConfiguration.SmsFormat)","A11_pNdisSetSmsConfiguration->SetSmsConfiguration.SmsFormat","A10_SmsFormatToString(pNdisSmsSend->SmsSend.SmsFormat)","A11_pNdisSmsSend->SmsSend.SmsFormat","A10_pNdisSmsSend->SmsSend.u.Cdma.EncodingId","A10_pNdisSmsSend->SmsSend.u.Cdma.LanguageId","A10_pNdisSmsSend->SmsSend.u.Cdma.SizeInBytes","A10_pNdisSmsSend->SmsSend.u.Cdma.SizeInCharacters","A10_pNdisSmsSend->SmsSend.u.Pdu.
Size","A10_SmsFlagToString(pNdisSmsDelete->SmsFilter.Flag)","A11_pNdisSmsDelete->SmsFilter.Flag","A12_pNdisSmsDelete->SmsFilter.MessageIndex","A10_AuthMethodToString(pNdisAuthChallenge->AuthChallenge.AuthMethod)","A11_pNdisAuthChallenge->AuthChallenge.AuthMethod","A10_pNdisAuthChallenge->AuthChallenge.u.AuthSim.n","A10_(unsigned)pNdisUssdRequest->UssdRequest.RequestType","A10_(unsigned)pNdisUssdRequest->UssdRequest.UssdString.DataCodingScheme","A10_(unsigned)pNdisUssdRequest->UssdRequest.UssdString.StringLength","A10__pNdisDSCommand->Command.DeviceServiceGuid","A10_pNdisDSCommand->Command.CommandID","A10_pNdisDSCommand->Command.uDataSize","A10_pNdisBaseStationRequest->BaseStationsInfoRequest.MaxGSMCount","A10_pNdisBaseStationRequest->BaseStationsInfoRequest.MaxUMTSCount","A10_pNdisBaseStationRequest->BaseStationsInfoRequest.MaxTDSCDMACount","A10_pNdisBaseStationRequest->BaseStationsInfoRequest.MaxLTECount","A10_pNdisBaseStationRequest->BaseStationsInfoRequest.MaxCDMACount","A10_pNdisGetSlotInfo->GetSlotInfo.SlotIndex","A10_pNdisDSSubscribe->DeviceServiceListHeader.ElementType","A10_pNdisDSSubscribe->DeviceServiceListHeader.ElementCount","A10_pNdisSlotMapping->SetDeviceSlotMappingInfo.SlotMapListHeader.ElementType","A10_pNdisSlotMapping->SetDeviceSlotMappingInfo.SlotMapListHeader.ElementCount","A11_*pMap","A10_basicInfo->ContextId","A10_ContextTypeToString(basicInfo->ContextType)","A11_basicInfo->ContextType","A10_basicInfo->AccessString","A10_CompressionTypeToString(basicInfo->Compression)","A11_basicInfo->Compression","A10_AuthenticationProtocolTypeToString(basicInfo->AuthType)","A11_basicInfo->AuthType","A10_basicInfo->ProviderId","A10_OperationsToString(lteAttachConfigContext->Operation)","A11_lteAttachConfigContext->Operation","A10_IPTypeToString(lteAttachConfigContext->IPType)","A11_lteAttachConfigContext->IPType","A10_LteAttachRoamingToString(lteAttachConfigContext->Roaming)","A11_lteAttachConfigContext->Roaming","A10_MediaToString(lteAttachConfigContext->Medi
aType)","A11_lteAttachConfigContext->MediaType","A10_ConfigurationSourceToString(lteAttachConfigContext->Source)","A11_lteAttachConfigContext->Source","A10_lteAttachContext->ElementCount","A10_LteAttachRoamingToString(lteAttachContext->LteContextArray[i].Roaming)","A11_lteAttachContext->LteContextArray[i].Roaming","A10_ConfigurationSourceToString(lteAttachContext->LteContextArray[i].Source)","A11_lteAttachContext->LteContextArray[i].Source","A10_MediaToString(lteAttachContext->LteContextArray[i].MediaType)","A11_lteAttachContext->LteContextArray[i].MediaType","A10_IPTypeToString(lteAttachContext->LteContextArray[i].IPType)","A11_lteAttachContext->LteContextArray[i].IPType","A10_lteAttachContext->LteContextArray[i].basicInfo.AccessString","A10_LteAttachStateToString(lteAttachStatus->LteAttachState)","A11_lteAttachStatus->LteAttachState","A10_lteAttachStatus->NetworkError","A10_IPTypeToString(lteAttachStatus->IPType)","A11_lteAttachStatus->IPType","A10_lteAttachStatus->basicInfo.AccessString","A10_pDeviceCaps->Header.Revision","A10_DeviceTypeToString(caps.WwanDeviceType)","A11_caps.WwanDeviceType","A10_CellularClassToString(caps.WwanCellularClass)","A11_caps.WwanCellularClass","A10_VoiceClassToString(caps.WwanVoiceClass)","A11_caps.WwanVoiceClass","A10_SimClassToString(caps.WwanSimClass)","A11_caps.WwanSimClass","A10_DataClassToStringInBuff(caps.WwanDataClass, Buff, MAX_BUFFER_STRING)","A11_caps.WwanDataClass","A10_(caps.WwanDataClass _ WWAN_DATA_CLASS_CUSTOM) ? 
caps.CustomDataClass : L'NOT USED FIELD'","A10_GsmBandClassToStringInBuff(caps.WwanGsmBandClass, Buff, MAX_BUFFER_STRING)","A11_caps.WwanGsmBandClass","A10_CdmaBandClassToStringInBuff(caps.WwanCdmaBandClass, Buff, MAX_BUFFER_STRING)","A11_caps.WwanCdmaBandClass","A10_SmsCapsToStringInBuff(caps.WwanSmsCaps, Buff, MAX_BUFFER_STRING)","A11_caps.WwanSmsCaps","A10_ControlCapsToStringInBuff(caps.WwanControlCaps, Buff, MAX_BUFFER_STRING)","A11_caps.WwanControlCaps","A10_AuthAlgoCapsToStringInBuff(caps.WwanAuthAlgoCaps, Buff, MAX_BUFFER_STRING)","A10_ElementTypeToString(caps.CellularClassListHeader.ElementType)","A11_caps.CellularClassListHeader.ElementType","A10_caps.CellularClassListHeader.ElementCount","A10_caps.Manufacturer","A10_caps.FirmwareInfo","A10_caps.MaxActivatedContexts","A10_pDimContext->Version","A10_pReadyInfo->Header.Revision","A10_ReadyStateToString(pInfoRev1->ReadyState)","A11_pInfoRev1->ReadyState","A10_EmergencyModeToString(pInfoRev1->EmergencyMode)","A11_pInfoRev1->EmergencyMode","A10_pInfoRev1->SubscriberId","A10_pInfoRev1->CdmaShortMsgSize","A10_pInfoLatest->StatusFlags","A10_ElementTypeToString(pInfoLatest->TNListHeader.ElementType)","A11_pInfoLatest->TNListHeader.ElementType","A10_pInfoLatest->TNListHeader.ElementCount","A10_pInfoPre2170->StatusFlags","A10_ElementTypeToString(pInfoPre2170->TNListHeader.ElementType)","A11_pInfoPre2170->TNListHeader.ElementType","A10_pInfoPre2170->TNListHeader.ElementCount","A10_ElementTypeToString(pInfoRev1->TNListHeader.ElementType)","A11_pInfoRev1->TNListHeader.ElementType","A10_pInfoRev1->TNListHeader.ElementCount","A10_RadioStateToString(pRadioState->RadioState.HwRadioState)","A11_pRadioState->RadioState.HwRadioState","A10_RadioStateToString(pRadioState->RadioState.SwRadioState)","A11_pRadioState->RadioState.SwRadioState","A10_PinTypeToString(pPinInfo->PinInfo.PinType)","A11_pPinInfo->PinInfo.PinType","A10_PinStateToString(pPinInfo->PinInfo.PinState)","A11_pPinInfo->PinInfo.PinState","A10_pPinInfo->PinInfo.Attem
ptsRemaining","A10_PinModeToString(pinDesc->PinMode)","A11_pinDesc->PinMode","A10_PinFormatToString(pinDesc->PinFormat)","A11_pinDesc->PinFormat","A10_pinDesc->PinLengthMin","A10_pinDesc->PinLengthMax","A10_pVisibleProviders->VisibleListHeader.ElementType","A10_pVisibleProviders->VisibleListHeader.ElementCount","A10_pRegisterState->RegistrationState.uNwError","A10_RegisterStateToString(pRegisterState->RegistrationState.RegisterState)","A11_pRegisterState->RegistrationState.RegisterState","A10_RegisterModeToString(pRegisterState->RegistrationState.RegisterMode)","A11_pRegisterState->RegistrationState.RegisterMode","A10_pRegisterState->RegistrationState.ProviderId","A10_pRegisterState->RegistrationState.ProviderName","A10_pRegisterState->RegistrationState.RoamingText","A10_RegFlagsToStringInBuff(pRegisterState->RegistrationState.WwanRegFlags, Buff, MAX_BUFFER_STRING)","A11_pRegisterState->RegistrationState.WwanRegFlags","A10_CellularClassToString(pRegisterState->RegistrationState.CurrentCellularClass)","A11_pRegisterState->RegistrationState.CurrentCellularClass","A10_pRegisterState->RegistrationState.PreferredDataClasses","A10_PacketServiceStateToString(pPacketServiceState->PacketService.PacketServiceState)","A11_pPacketServiceState->PacketService.PacketServiceState","A10_pPacketServiceState->PacketService.AvailableDataClass","A10_pPacketServiceState->PacketService.CurrentDataClass","A10_FrequencyRangeToString(pPacketServiceState->PacketService.FrequencyRange)","A10_pSignalState->SignalState.ErrorRate","A10_pSignalState->SignalState.RssiInterval","A10_pSignalState->SignalState.RssiThreshold","A10_pSignalState->SignalState.SignalStateListHeader.ElementType","A10_pSignalState->SignalState.SignalStateListHeader.ElementCount","A10_p->RSRPThreshold","A10_p->SNRThreshold","A10_DataClassToStringInBuff(p->DataClass, Buff, 
MAX_BUFFER_STRING)","A11_p->DataClass","A10_pProvisionedContexts->ContextListHeader.ElementType","A10_pProvisionedContexts->ContextListHeader.ElementCount","A10_p->ContextId","A10_ContextTypeToString(p->ContextType)","A11_p->ContextType","A10_p->AccessString","A10_CompressionTypeToString(p->Compression)","A11_p->Compression","A10_AuthenticationProtocolTypeToString(p->AuthType)","A11_p->AuthType","A10_pContextState->Header.Revision","A10_pContextState->ContextState.ConnectionId","A10_ActivationStateToString(pContextState->ContextState.ActivationState)","A11_pContextState->ContextState.ActivationState","A10_VoiceCallStateToString(pContextState->ContextState.VoiceCallState)","A11_pContextState->ContextState.VoiceCallState","A10_IPTypeToString(pContextState->ContextState.IPType)","A11_pContextState->ContextState.IPType","A10_ConnectionMediaToString(pContextState->ContextState.ConnectionMedia)","A11_pContextState->ContextState.ConnectionMedia","A10_pContextState->ContextState.AccessString","A10_pContextState->ContextState.FoundMatchingConnectionId","A10_pContextState->ContextState.TrafficParameters.Offset","A10_pContextState->ContextState.TrafficParameters.Size","A11_sizeof(NDIS_WWAN_SMS_CONFIGURATION)","A10_pNdisSmsConfiguration->SmsConfiguration.ScAddress","A10_SmsFormatToString(pNdisSmsConfiguration->SmsConfiguration.SmsFormat)","A11_pNdisSmsConfiguration->SmsConfiguration.SmsFormat","A10_pNdisSmsConfiguration->SmsConfiguration.ulMaxMessageIndex","A11_sizeof(NDIS_WWAN_SMS_RECEIVE)","A11_sizeof(NDIS_WWAN_SMS_SEND_STATUS)","A10_pNdisSmsSend->MessageReference","A11_sizeof(NDIS_WWAN_SMS_DELETE_STATUS)","A11_sizeof(NDIS_WWAN_SMS_STATUS)","A10_pNdisSmsStatus->SmsStatus.MessageIndex","A11_sizeof(NDIS_WWAN_AUTH_RESPONSE)","A11_sizeof(NDIS_WWAN_USSD_EVENT)","A10_pNdisUssdEvent->UssdEvent.EventType","A10_pNdisUssdEvent->UssdEvent.SessionState","A10_(unsigned)pNdisUssdEvent->UssdEvent.UssdString.DataCodingScheme","A10_(unsigned)pNdisUssdEvent->UssdEvent.UssdString.StringLength",
"A11_sizeof(NDIS_WWAN_SUPPORTED_DEVICE_SERVICES)","A10_pDeviceServices->DeviceServices.uMaxCommandDataSize","A10_pDeviceServices->DeviceServices.uMaxSessionDataSize","A10_pDeviceServices->DeviceServices.uMaxSessionCount","A10_pDeviceServices->DeviceServices.ListHeader.ElementType","A10_pDeviceServices->DeviceServices.ListHeader.ElementCount","A10__(pServiceEntry->DeviceServiceGuid)","A10_pServiceEntry->uMaxSessionInstances","A10_pServiceEntry->SessionCapability","A11_sizeof(NDIS_WWAN_DEVICE_SERVICE_RESPONSE)","A10__pDeviceService->Response.DeviceServiceGuid","A10_pDeviceService->Response.ResponseID","A10_pDeviceService->Response.uDataSize","A11_sizeof(NDIS_WWAN_DEVICE_SERVICE_EVENT)","A10__pDeviceService->Event.DeviceServiceGuid","A10_pDeviceService->Event.uDataSize","A11_sizeof(NDIS_WWAN_DEVICE_SERVICE_SUBSCRIPTION)","A11_sizeof(NDIS_WWAN_DEVICE_SERVICE_SUPPORTED_COMMANDS)","A10__pDsSupportedCmds->SupportedCommands.DeviceServiceGuid","A10_pDsSupportedCmds->SupportedCommands.ListHeader.ElementType","A10_pDsSupportedCmds->SupportedCommands.ListHeader.ElementCount","A11_sizeof(ULONG)","A10_(*pPowerState)","A10_*pReadyInfoFlags","A10_pPsMediaProfState->nNumItems","A10_pSarConfig->SarConfig.SarMode","A11_pSarConfig->SarConfig.SarBackoffStatus","A12_pSarConfig->SarConfig.SarWifiIntegration","A10_pSarConfig->SarConfig.SarConfigIndexListHeader.ElementCount","A11_pSarConfig->SarConfig.SarConfigIndexListHeader.ElementType","A10_pTransmissionStatus->TransmissionStatus.ChannelNotification","A11_pTransmissionStatus->TransmissionStatus.TransmissionStatus","A12_pTransmissionStatus->TransmissionStatus.HysteresisTimer","A10_pSysCap->SysCapsInfo.NumberOfExecutors","A10_pSysCap->SysCapsInfo.NumberOfSlots","A10_pSysCap->SysCapsInfo.Concurrency","A10_(ULONG)(pSysCap->SysCapsInfo.ModemID >> 
32)","A11_(ULONG)(pSysCap->SysCapsInfo.ModemID)","A10_pSlotMapping->DeviceSlotMappingInfo.SlotMapListHeader.ElementType","A10_pSlotMapping->DeviceSlotMappingInfo.SlotMapListHeader.ElementCount","A10_pSlotInfo->SlotInfo.SlotIndex","A10_SlotStateToString(pSlotInfo->SlotInfo.State)","A11_pSlotInfo->SlotInfo.State","A10_DeviceTypeToString(pCaps->WwanDeviceType)","A11_pCaps->WwanDeviceType","A10_CellularClassToString(pCaps->WwanCellularClass)","A11_pCaps->WwanCellularClass","A10_VoiceClassToString(pCaps->WwanVoiceClass)","A11_pCaps->WwanVoiceClass","A10_SimClassToString(pCaps->WwanSimClass)","A11_pCaps->WwanSimClass","A10_DataClassToStringInBuff(pCaps->WwanDataClass, Buff, MAX_BUFFER_STRING)","A11_pCaps->WwanDataClass","A10_(pCaps->WwanDataClass _ WWAN_DATA_CLASS_CUSTOM) ? pCaps->CustomDataClass : L'NOT USED FIELD'","A10_DataSubClassToStringInBuff((ULONG)pDeviceCaps->DeviceCaps.WwanDataSubClass, Buff, MAX_BUFFER_STRING)","A11_(ULONG)pDeviceCaps->DeviceCaps.WwanDataSubClass","A10_GsmBandClassToStringInBuff(pCaps->WwanGsmBandClass, Buff, MAX_BUFFER_STRING)","A11_pCaps->WwanGsmBandClass","A10_CdmaBandClassToStringInBuff(pCaps->WwanCdmaBandClass, Buff, MAX_BUFFER_STRING)","A11_pCaps->WwanCdmaBandClass","A10_SmsCapsToStringInBuff(pCaps->WwanSmsCaps, Buff, MAX_BUFFER_STRING)","A11_pCaps->WwanSmsCaps","A10_ControlCapsToStringInBuff(pCaps->WwanControlCaps, Buff, MAX_BUFFER_STRING)","A11_pCaps->WwanControlCaps","A10_AuthAlgoCapsToStringInBuff(pCaps->WwanAuthAlgoCaps, Buff, MAX_BUFFER_STRING)","A10_ElementTypeToString(pCaps->CellularClassListHeader.ElementType)","A11_pCaps->CellularClassListHeader.ElementType","A10_pCaps->CellularClassListHeader.ElementCount","A10_pCaps->Manufacturer","A10_pCaps->FirmwareInfo","A10_pCaps->MaxActivatedContexts","A10_pCaps->ExecutorIndex","A10_L'Supported'","A10_L'Not 
Supported'","A10_ModemConfigModeToString(configInfo.ConfigMode)","A11_configInfo.ConfigMode","A10_ModemConfigStatusToString(configInfo.ConfigState)","A11_configInfo.ConfigState","A10_ModemConfigReasonToString(configInfo.ConfigReason)","A11_configInfo.ConfigReason","A10_configInfo.PreviousConfigID.ConfigIdLen","A10_ModemConfigIDToString(configInfo.PreviousConfigID.ConfigIdLen, configInfo.PreviousConfigID.ConfigId, asciiString)","A10_configInfo.CurrentConfigID.ConfigIdLen","A10_ModemConfigIDToString(configInfo.CurrentConfigID.ConfigIdLen, configInfo.CurrentConfigID.ConfigId, asciiString)","A10_configInfo.IsCurrentConfigDefault ? L'True' : L'False'","A10_configInfo.ConfigName","A10_ElementTypeToString(configInfo.NSSAIListHeader.ElementType)","A11_configInfo.NSSAIListHeader.ElementType","A10_configInfo.NSSAIListHeader.ElementCount","A10_DataClassToStringInBuff(pBaseStationsInfo->SystemType, Buff, MAX_BUFFER_STRING)","A10_pBaseStationsInfo->GSMServingCellSize ? 1 : 0","A10_pBaseStationsInfo->UMTSServingCellSize ? 1 : 0","A10_pBaseStationsInfo->TDSCDMAServingCellSize ? 1 : 0","A10_pBaseStationsInfo->LTEServingCellSize ? 
1 : 0","A10_pMPDPState->uStatus","A11_pMPDPState->Info.Operation","A12__pMPDPState->Info.ChildInterfaceGUID","A10_pMPDPList->uStatus","A11_pMPDPList->ChildInterfaceList.ElementType","A12_pMPDPList->ChildInterfaceList.ElementCount","A10_pMPDPList->ChildInterfaceList.ElementType","A11_pMPDPList->ChildInterfaceList.ElementCount","A10_i + 1","A10_pNitzInfo->uStatus","A11_pNitzInfo->NitzInfo.Year","A12_pNitzInfo->NitzInfo.Month","A13_pNitzInfo->NitzInfo.Day","A14_pNitzInfo->NitzInfo.Hour","A15_pNitzInfo->NitzInfo.Minute","A16_pNitzInfo->NitzInfo.Second","A17_pNitzInfo->NitzInfo.TimeZoneOffsetMinutes","A18_pNitzInfo->NitzInfo.DaylightSavingTimeOffsetMinutes","A19_pNitzInfo->NitzInfo.DataClasses","A10_pAppList->uStatus","A11_pAppList->UiccAppList.Version","A12_pAppList->UiccAppList.AppCount","A13_pAppList->UiccAppList.ActiveAppIndex","A14_pAppList->UiccAppList.AppListSize","A10_appIndex + 1","A11_UiccAppTypeToString(pAppInfo->AppType)","A12_AppIDToString(pAppInfo->AppIdSize, pAppInfo->AppId, appIdString)","A13_pAppInfo->AppName","A14_pAppInfo->NumPins","A10_pFileStatus->uStatus","A11_pFileStatus->UiccFileStatus.Version","A12_pFileStatus->UiccFileStatus.StatusWord1","A13_pFileStatus->UiccFileStatus.StatusWord2","A14_UiccFileAccessibilityToString(pFileStatus->UiccFileStatus.FileAccessibility)","A15_UiccFileTypeToString(pFileStatus->UiccFileStatus.FileType)","A16_UiccFileStructureToString(pFileStatus->UiccFileStatus.FileStructure)","A17_pFileStatus->UiccFileStatus.ItemCount","A18_pFileStatus->UiccFileStatus.ItemSize","A11_PinTypeToString(pFileStatus->UiccFileStatus.FileLockStatus[i])","A10_pUiccResponse->uStatus","A11_pUiccResponse->UiccResponse.StatusWord1","A12_pUiccResponse->UiccResponse.StatusWord2","A13_pUiccResponse->UiccResponse.ResponseDataSize","A10_pModemLoggingConfig->uStatus","A11_pModemLoggingConfig->ModemLoggingConfig.Version","A12_pModemLoggingConfig->ModemLoggingConfig.MaxSegmentSize","A13_pModemLoggingConfig->ModemLoggingConfig.MaxFlushTime","A14_LevelConfigT
oString(pModemLoggingConfig->ModemLoggingConfig.LevelConfig)","A10_pRegParams->uStatus","A11_pRegParams->RegisterParamsInfo.MicoMode","A12_pRegParams->RegisterParamsInfo.DRXParam","A13_pRegParams->RegisterParamsInfo.LADNInfo","A12_pNwParams->NetworkParamsInfo.TaiList.Size","A13_pNwParams->NetworkParamsInfo.AllowedNssaiList.Size","A14_pNwParams->NetworkParamsInfo.ConfiguredNssaiList.Size","A15_pNwParams->NetworkParamsInfo.RejectedNssaiList.Size","A16_pNwParams->NetworkParamsInfo.DefaultConfiguredNssaiList.Size","A17_pNwParams->NetworkParamsInfo.LadnList.Size","A10_pUePolicy->uStatus","A11_pUePolicy->UePolicyInfo.RawTdOnlyData.Offset","A12_pUePolicy->UePolicyInfo.RawTdOnlyData.Size","A11_rlen + pUePolicy->UePolicyInfo.RawTdOnlyData.Size","A12_(ULONG)(ULONG_PTR)RequestId","A10_NdisStatusToString(data->Status)","A11_data->Status","A10_(ULONG)data->RequestId","A10_data->DataLength","A10_g_supportedOids[i].oid","A10_ndisWwanMbimVersion.Header.Revision","A10_pDimContext->Header.MbimVersionInfo.MbimVersion","A11_pDimContext->Header.MbimVersionInfo.MbimExtendedVersion","A10_ulSourceDataSize + sizeof(ULONG) + sizeof(ULONG)","A11_*pulTargetDataSize","A12_FIELD_OFFSET(WWAN_READY_INFO_REV1, TNListHeader)","A13_FIELD_OFFSET(WWAN_READY_INFO, TNListHeader)","A10_ulSourceDataSize + sizeof(ULONG)","A12_FIELD_OFFSET(WWAN_READY_INFO_REV2_PRE2170, TNListHeader)","A11_sourceVersion","A12_sourceRevision","A13_wwanDataSizeSource","A11_sourceDynamicDataSize","A12_(targetSizeInBytes - targetFixedDataSize)","A10_*pulTargetDataSize","A11_sizeof(WWAN_SET_SMS_CONFIGURATION)","A11_sizeof(WWAN_SET_UICC_TERMINAL_CAPABILITY)","A10_pDimContext->MbimVersionInfo.MbimExtendedVersion","A10_(DWORD)pDevCap->WwanDataSubClass","A11_pDimContext->MbimVersionInfo.MbimExtendedVersion","A10_(DWORD)pDevCap->WwanDataClass","A11_returnDataSize","A12_returnDataSize >= sizeof(NDIS_OBJECT_HEADER) ? pNdisWwanMbimVersion->Header.Revision : 0","A12_returnDataSize","A13_returnDataSize >= sizeof(NDIS_OBJECT_HEADER) ? 
pNdisWwanMbimVersion->Header.Revision : 0","Processors","SourceVoiceCount","SubmixVoiceCount","MasteringVoiceCount","ProcessingStage","Channels","SampleRate","OriginalHz","NewHz","Quantum","RendererId","ExceptionsUpdateType","ExceptionName","ServiceState","PermitType","PermitInfo","URICHILD","NodeOptions","URI1","URI2","StringOne","PropCount","ChildCount","CmdType","IsRecovery","TrackedURI","hr1","hr2","hr3","UriPath","IsAllowed","Ccmdtype","Resourceuri","hex","coreUIServiceType","pwsz","InternalPriority","unParam","InternalPriority2","unParam2","UserPriority","RunMode","ExternalPriority","hex2","unParam3","unParam4","RegisteredObjectType","RegistrarScope","hex3","ptr1","ptr2","ptr3","ptr4","ptr","fBool1","fBool2","pwsz2","navigationError","appLayer","ActivationPolicy","TaskCancellationType","taskDehydrationEligibility","animtype","taskProperty","TaskRunningOptions","TaskInstanceState","pwsz3","unParam1","SystemKey","SessionManagerType","dir","ActivationLevel","Importance","PriorityCloseInitiated","ServerTaskState","ServerTaskState2","bool1","bool2","reason1","reason2","animflags","ServerTaskState3","ServerTaskState1","NavigationTimeoutEventType","TimeoutModifierType","IsModernApplication","fBool3","fBool4","fBool5","unParam5","unParam6","unParam7","unParam8","hex4","hex5","PageState","PMS","PMS2","PMSS","PMSS2","PMES","PMES2","PageState2","EMCRET","newstate","oldstate","NewSipVisibilityValue","SipHeight","NavClientState","Occlusion","activationLevel1","activationLevel2","dir1","dir2","currentState","targetState","direction","firstActivation","ViewNavigationLevel","AnimationDirection","AnimationType","pwsz1","ViewActivationFlags","pwsz4","un64Param","un64Param2","un64Param3","un64Param4","AnimationType2","hex1","pwsz8","szCustomString","dwArg1","dwHint","wszString1","wszString2","hexCode1","dwCode1","AnsiStringName1","guidCode1","bCode1","dwCode2","DwordName","IccId","IccIdLength","dwCode3","Dword1Name","Dword2Name","apmState","apmState1","apmState2","apmStateDevice
s","apmPowerState","hexCode","hexCode2","hexCode3","rilUICCSlotState","hexCode4","modemPowerState","tDword","rilRegStat","rilSystemType","DwordName1","DwordName2","cbBytes3","Bytes4","dwordName","booleanName","ATR","ATRLength","dwSlotIndex","powerStateChangeReason","guidCode2","CellularDataRoamingSettingName","powerState","PowerStateChangeReason","rilCDMAAvoidReqType","wnfName1","wnfName2","dwCode4","AnsiStringName2","wszString3","rilSystemTypeName","ardTypeName","SlotAffinity","bCode","bCode2","bCode3","bCode4","bCode5","CmResultName","ActualIccId","ActualIccIdLength","ExpectedIccId","ExpectedIccIdLength","cmSelectionTypeName","dwCode","CmApiName","connectionName","StringName1","Int32Name","UInt16Name","RilErrorName","PointerName","GuidName","UiccSlotStateName","BooleanName","ModemResetState","DwordName3","DwordName4","DwordName5","Bytes3","cbBytes4","cbBytes","SmsType","Pointer3","DwordArray","DwordArray1","DwordArray2","UiccSlotStateName1","UiccSlotStateName2","Str","NewQueueSize","PhysicalEndpoint","BytesProgrammed","SgProgrammed","SgLength","TrbProgrammed","TrbLength","Word1","Word2","Word3","Word4","fSynopsysEndpoint","fSynopsysEndpointDescriptor","fChargerDetectionErrorInfo","fDeterminePortTypeFailed","EnabledEvents","ConnectedStandby","IdleResidency","UsbPortType","UsbDeviceState","ClientNonce","ReplayedNonce","WUGuid","InitialOrigin","NewOrigin","SubPackageCount","TLRLevel","SucceededCount","FailedCount","CanceledCount","RestartTime","Fragments","CurrentLcn","CurrentVcn","LcnBytes","VcnBytes","CorruptionState","Outcome","SampleLength","SampleData","CallStack","BadFrsCount","OrphanChildFRSCount","BadClustersCount","BadFreeClustersCount","CrossLinkCount","SDEntryCount","InvalidSidCount","IndexAttributeCount","IndexSubtreeCount","IndexOffsetCount","IndexEntryCount","IndexOrderCount","ConnectCount","BreakCycleCount","FRSAllocateCount","OthersCount","binaryData","CSPName","CSPType","KeyFlags","CertFlags","CredContext","pCertificateContext","CipherSuite","Exchang
eStrength","LocalCertSubjectName","RemoteCertSubjectName","certificateContext","AlertDesc","Fqdn","WindowsVersion","AgentMode","RetrySeconds","DestinationFilePath","DesiredTimestamp","RegistryKeyPath","TrueContextID","MitigationAction","DetectionEngine","BITSJobTitle","BITSJobGUID","DownloadDestination","DownloadDestinationPath","UID","GroupUID","SizeBefore","SizeAfter","NewGUID","OldPath","NewPath","customerID","Pattern","UsbDeviceClass","SerialId","DeviceMinorClass","ManufacturerName","BluetoothAddress","BluetoothVersion","GATTService","DeviceInformation","ScanStartTime","ScanEndTime","ScannedPath","ScannedCount","MaliciousCount","ExcludedMaliciousCount","OldDiffAreaUsed","OldDiffAreaAllocated","NewDiffAreaMaximum","MaliciousDriverType","OldVersion","NewVersion","DumpPath","DumpFileLimit","ConsoleURL","driverFile","TpmCommandOrdinal","TpmResponseCode","statusEnabled","statusActive","TPM_PT_MANUFACTURER","TPM_PT_VENDOR_STRING_1","TPM_PT_VENDOR_STRING_2","TPM_PT_VENDOR_STRING_3","TPM_PT_VENDOR_STRING_4","TPM_PT_VENDOR_TPM_TYPE","TPM_PT_FIRMWARE_VERSION_1","TPM_PT_FIRMWARE_VERSION_2","GetTestResult_Data","SrkSymKeyPolicyValue","TpmAes256Capability","ActualSymBitsUsed","SrkAsymKeyPolicyValue","TpmRsa3kCapability","ActualAsymBitsUsed","resetCountBefore","restartCountBefore","resetCountAfter","restartCountAfter","DiffAreaVolumeName","BuildName","ProcessImageFileNameWin32","ShutdownDuration","DataString","Inserts","BindId","IndexChosen","Null3","Null4","Null5","Null6","Null7","Null8","Choice","ObjDN","RequiredAttributes","CommonArgs","ErrCode","EntriesVisited","EntriesReturned","Sam","CredSource","ExtError","klininfo","KdcOption","ExtErr","Klininfo","genericString","ModID","msgStr","Timestamp100ns","EventPid","EventTid","Error_value","Disk_type","MediumType","ConnID","ResolverType","ResolverResult","Roles","EventClassName","EventDetailCode","EventGroupName","TraceWarningMsg","TraceWriteMsg","SpinCount","OwningThread","CritSecAddr","SourceFileAlias","Indent","QueryTime","
QueuingTime","pad1","pad2","pad3","Xid","QueryOpCode","ResponseOpCode","NumQuestions","NumAnswerRRs","NumAuthRRs","NumAdditionalRRs","QueryClass","Question","PacketContents","MinorOperation","IsPagingIO","IsFastIO","IsDirectory","CreateOnExisting","WindowStation","AccessToken","ParametersLength","ResultLength","PreviousValueLength","OperationalParameters","ResultData","PreviousValue","VolumeDosName","VolumeGuidName","HeapHandle","HeapFlags","ReservedSpace","CommittedSpace","AllocatedSpace","AllocSize","AllocAddress","NewAllocAddress","OldAllocAddress","NewAllocSize","OldAllocSize","FreeAddress","CommittedSize","CommitAddress","NoOfUCRs","LargeUCRSpace","FreeListLength","UCRLength","DeCommittedSize","DeCommitAddress","SubSegment","SubSegmentSize","BlockCount","AffinityIndex","BucketIndex","GlobalASAPath","AccessResult","CurrentStatement","SizeOfStatement","PreliminarySiteName","ServerIPAddress","VerificationStatus","MappedToken","PublicKeySize","HardwareAcceleratorPresent","SubStatus","CommandLineArgs","IIS5CompatMode","ProcessAffinityMask","InitStatus","INFO","IsolatedName","Forestname","SubCategoryGuid","Trusted","TotalTrusted","TotalUntrusted","ProcessFilterFlags","VmHardenType","ExemptVmHardenedTypes","IoStatusBlockForNewFile","ScanStatus","ScanAttributes","AVVersion","ASVersion","SignatureId","PPID","OldFileName","DetectionId","RecordType","TPID","TTID","Classification","FileUSN","CacheName","utilization","parentKey","vault","records","TargetPID","WasHardened","VName","SigSeq","SigSha","TaintReason","ReasonImagePath","FileHardLinkName","DeltaCPU","DeltaWall","SigName","SigTypeName","FileSha1","PartialCRC1","PartialCRC2","PartialCRC3","FileGuidsArray","FileSizeArray","CompressedFileSizeArray","FileNameArray","FileAttributesArray","EfiFileTypeArray","FileSha1Array","SmbiosAttributes","FileCRCsArray","ParentPID","flags2low","flags2high","oldFlags","oldFlags2low","oldFlags2high","Sha1","AllSigSeqs","AllSigShas","RealPath","EtwDataReportType","EngineReportGuid","Reso
urceData","ResourceSchema","Determination","ActionStatus","IsLatent","IsPassiveMode","RtpProcessID","RtpProcessCreationTime","ExtraDataJson","DeviceInfo","TCGEventsArray","PCRsArray","EffectiveLevel","TriggerSigSeq","ImageFilePath","ScanReason","ScanResult","FirstOffsetWritten","LastOffsetWritten","SmallestOffsetWritten","BiggestOffsetWritten","TotalSizeOfWrites","TotalSizeOfAppends","NumberOfWrites","OnboardedInfo","FirstParam","SecondParam","FeatureType","LiveContextCount","TotalContextCount","TargetResource","ParentResource","DetectionName","ProcessContextId","AttrId","AttrSeq","AttrSubset","MatchedThreatsNumber","IsMultiProcMatch","IsMultiProcDetection","CloudResponse","DwordData","IntendedValueOrHResult","LatestValue","AccessCheck","MediaName","DomainAuthenticatedNetworkPresent","ActiveVPNConnections","PolicyId","AccessChainRuleIds","AccessChainRuleEntryIds","PrinterPortName","DuplicatedOperation","DeviceFilePath","EvidenceFileSize","EvidenceFileLocation","RtpScanResult","RtpScanAction","DoNotCache","CurrentGrantedAccess","MaximumPossibleGrantedAccess","CurrentDeniedAccess","MinimumGuaranteedDeniedAccess","ActiveNetworks","DevicePolicyGroupMembership","OsIsFreshInstall","TrustedUSN","TrustedState","SFCState","WasExecutingWhileDetected","RemediationErrorCode","DetectionGuid","SchemaParamAndDataDelimiter","SchemaParamList","SchemaParamDataList","isCritical","ThreatTrackingId","PlatformVersion","PlatformUpdateTime","EngineUpdateTime","ASSignatureVersion","ASSignatureUpdateTime","AVSignatureVersion","AVSignatureUpdateTime","BlockThreatExecSubCategory","PropertyBag","AllowThreatExpirationUTC","isAudit","ProcessIntegrityLevel","TargetIdentified","InheritanceFlags","RuleState","IsAudit","ResponseCategory","IsWarn","IocId","LocalIpAddressLength","LocalIpAddress","RemoteIpAddressLength","TotalSourceFiles","CurrentIndexOfSourceFile","IsActionBypass","StatusDetails","UserOverrideKey","Parent","DnsServerAddressLength","ClassType","AnswerName","Ttl","ResourceRecord","Source
IpLength","DestinationIpLength","DestinationDNSName","IsBehindProxy","TS_State","TS_PreviousState","TS_StartUTC","TS_ExpirationUTC","TS_ExpirationMinutesLeft","TS_StateChangeSource","TS_StateChangeReason","TS_QuotaMinutesLeft","TlsServerAddressLength","TlsServerIpAddress","TlsAlertLevel","TlsAlertDescription","RollbackVersion","TP_State","TP_Scenario","TP_ResourceType","TP_ResourceName","TP_ResourceOldState","TP_ResourceNewState","TP_IsBlocked","TP_IsUserMode","FrameworkType","JsonModelMetadata","CommandArgs","UrlEndpoint","RegValueName","DisruptionMode","requestorProcessId","uacRequestType","uacTrustState","autoElevateRequest","exeApplicationName","exeCommandLine","exeDllParam","comServerBinary","comRequestor","comClsid","CurrentImpersonationLevel","ThisPtr","DwordParam","PresenterWidth","PresenterHeight","ScaleFactor","DisableDComp","DCompState","CDoc","BaseOpticalZoom","BaseOpticalZoomDefault","HostDpiAware","StaticViewportSizeApplied","AtViewportHasDeviceWidthOrHeight","CView","VisualViewportWidth","VisualViewportHeight","LayoutViewportWidth","LayoutViewportHeight","IsClamping","HasAtViewportRule","HasDeviceWidthOrHeight","ViewportControllerEnabled","HasHorizontalScrollbar","HasVerticalScrollbar","UpdateUnitInfoZoomOnly","FixedLayoutWidthOld","FixedLayoutWidthNew","TouchTargetPtr","ManualGestureConfiguration","IsIHTThread","CDMScrollableTouchTarget","mat_11","mat_12","mat_21","mat_22","mat_31","mat_32","CDMTouchTarget","HwndWorker","ClientX","ClientY","ViewportOffsetWidth","ViewportOffsetHeight","LayoutViewportOffsetWidth","LayoutViewportOffsetHeight","ZoomLevel","CDMScrollableTouchTargetHandler","MsgID","FromStatus","ToStatus","CDMTouchTargetHandler","GenericInfo","IDispLayer","CDMCrossSlideDraggableTouchTarget","fIsDraggingRequested","CDMCrossSlideDraggableTouchTargetHandler","DManipInteractionType","CDMHoldDraggableTouchTarget","DManipDragDropConfiguration","CDMDraggableTouchTarget","fIsPreviewCurrentlyDisplayed","rcWidth","rcHeight","fTouchStarting","CElemen
t","CDMDraggableTouchTargetHandler","SharedMemoryHandle","TotalBufferSizeInBytes","FailureHresult","TargetURL","EmulationMode","pNodeFirstTap","pointX","pointY","DesiredOffsetX","DesiredOffsetY","DesiredZoomFactor","pNodeHit","fAllowed","fPotentialDoubleTap","fDoubleTapTimerPending","pMessageTime","MaxTimeForSecondTap","FirstTapPointX","FirstTapPointY","SecondTapPointX","SecondTapPointY","fIsDoubleClick","AnimationClientObject","AnimationInstanceObject","DispNode","IndAnimationInstanceObject","FrameId","PointerType","ScreenX","ScreenY","ButtonChanged","ButtonState","PointerFlags","DropEffect","ScreenLocationX","ScreenLocationY","DragPreview","TouchDragDropHelper","FlipAhead_Target_URL","Target_Source_Method","CMarkup","RefreshLevel","hrReason","RedirectURL","CMemoryProtector","StackSize","Blocks","MarkedBlocks","MarkedBytes","CContentSecurityPolicy","ResourceDirectiveType","PermissionType","PermissionState","IsPrimaryResponse","DownloadedURL","BindInfo","CHtmPre","CPre","CWindow","WindowURL","Speculative","LookAhead","PreParserRestarted","LookAheadCount","SourceUrl","TargetUrl","ICEState","DTLSState","SampleQueueType","DroppedSampleCount","CurrentTimeMSec","SelectorType","IsQueryAll","Budget","VideoElement","RemoteMediaStreamTrack","DriftedTimeMSec","LastSampleEndTimeMSec","CurrentPresentationClockTimeMSec","AudioDriftDroppedSampleCount","SampleRequstedCount","SampleDeliveredCount","SampleReceivedCount","SampleDroppedCount","TrackKind","OutstandingStatsRequestCount","HrTask","CurrentRound","CallsToProcess","CurrentTimeMs","DeltaMs","PeriodMs","TimerRound","JsVarInstance","ThisPointer","SSN","RefAfterChange","ScriptExecutionTime","IsIgnoredInTelemetry","WindowObject","NestingLevel","TaskQueueIndex","TaskConsideredReadyTimeInUs","IsPerformingMicrotaskCheckpoint","PendingTaskCount","Candidate","Mid","SdpMLineIndex","DocumentObject","RelativeToLayoutViewport","SameMarkup","ClipToViewport","CPowerStateController","AllowExecution","CancelledLowPri","Zero","NumCommands","F
lushReason","InUse","StorageCategory","DOC","Markup","EventContextId","grfLAYOUT","PCL","dwPos","dwMax","HtmlTag","SRC","dw","cPts","HTMPOST","OneExec2PT3ST4Run","Script","IsInline","SourceIndex","NumElemsAdded","Zero2","Zero1","fSynchronousRedraw","fInvalChildWindows","fPostRender","HRGN","NoUpdSink","fParseNow","window","FlagsOrResult","zero","zero1","CHtmPrePtr","fDataPend","fSuspended","CImgTaskPtr","CDwnTaskPtr","Nesting","PtrIn","dwTimeout","PtrOut","Storage","StorageHelper","StorageListHelper","Thunk","GrfDex","DispID","Versioned","Derived","VTable","MethodType","OptionalArgs","Parser","ParserType","ParseType","TreeNode","Cache","Exit","COleSite","CXmlPrePtr","RenderTarget","TargetSurfaceBaseType","TargetSurfaceSubType","ImgInfo","ImgTask","ImgCacheEntry","BitCount","ChromaSubsampling","ImgBits","ImgBitsSize","IsSolidColor","IsTransparent","DwnInfo","HitDwnInfo","IsHitDwnInfoActive","DestLeft","DestTop","DestRight","DestBottom","ScaledSizeWidth","ScaledSizeHeight","TranslateX","TranslateY","Opacity","Tiled","UnscaledSizeWidth","UnscaledSizeHeight","DecodeFlags","CurrentX","CurrentY","TimeSinceStartUs","ExpectedFrameTimeUs","LastScrollTimeUs","Allocator","Allocation","BeatPeriodMs","RefreshMultipleUs","StartMark","EndMark","MediaEngineID","majortype","frameratenum","framerateden","numchannels","samplespersec","bitspersample","sampletime","processtime","lag","dataPresented","TimerMan","Presenter","Doc","TotalStoryboardCount","IndependentStoryboardCount","NumberOfUpdates","NumberOfUpdateSkips","MediaElementId","PositionInPercentage","TimeDurationInSecs","TimeInSecs","Tooltip","DispLayer","ElementDDTId","MediaElementIdAttribute","UniqueDeviceName","FriendlyDeviceName","StoryboardObject","DelayInSeconds","NumberOfProperties","AnimationName","DDTObject","TransitionClientObject","IsReversal","AnimationGroupId","VisualizationId","StartTimeDurationInSecs","EndTimeDurationInSecs","ProgressStartLevelInPercentage","ProgressEndLevelInPercentage","GripperID","ScrollbarLaye
rId","AnimationPropertyId","IsTransition","QPCScheduleTime","PreviousAnimationState","CIndependentAnimation","Scroller","RectType","CActiveScriptHolder","CScriptCollection","ScriptContext","Undefer","ContextElement","HTC","UniqueSubtrees","UpdatedSubtrees","CDispNode","ElementTag","PrimaryTouchHandler","IndpendentlyComposed","TouchConfiguration","DependentRegion","SuspendTimer","IntersectingLayerNode","NewImplicitLayerNode","ImplicitLayerCount","SBLayer","GlobalLayerLeft","GlobalLayerTop","GlobalLayerRight","GlobalLayerBottom","TransformM11","TransformM12","TransformM21","TransformM22","TransformDx","TransformDy","DCompSurface","AlphaMode","RectsLength","Rects","MatchType","TextContent","ElementsInvalidated","InvalidationFlags","NodeDescription","ReasonDescription","DispNode2","NodeDescription2","CandidacyCode","HasDependentCompositionEffect","HasRoundedBorders","AnimationStoryboardObject","CHTMLCanvasElement","canvasWidth","canvasHeight","EventTarget","PropagationStatus","EventPhase","ListenerUsesCapture","ScriptContextId","CallbackCookie","ACount","objectInstance","StringValue","A","TouchTarget","_fBusy","fBusy","Current_URL","Prefetch_or_Prerender_URL","Termination_Reason","ContentTypes","Prerender_URL","Deferred_Item","WPGeneralTracingStr","RenderTask","OnUIThread","Async","Skipped","RenderThread","EndIndex","FailureFlags","XHR","MediaQuery","WorkerObject","WorkerScope","MessagePort","OwnerType","IsDocVisible","NotifyFrame","SuspendLevel","IsDocInvisible","StyleProperty","CGarbageTracker","RequestedGCType","GCType","PrimaryCMarkup","SourceContext","TargetElementDdtId","ChangedAttributeName","AddedChildCount","RemovedChildCount","HrErrorDescription","WinErrorDescription","TabID","DominantImageUrl1","DominantImageUrl2","DominantImageUrl3","DominantImageUrl4","ImageUrl","ImageType","DIType","DIConfidence","SelectTabAsyncTabID","SelectTabAsyncFlags","NewVisibleState","CurrentVisibleState","IsTabSwitch","IsHung","Bind 
Context","BindContext","hwndAlternateOwner","fDestroyingHangUI","hwndNext","hwndPrev","TabState","Show","MessageCount","QueryID","PopulateOptions","LinkCount","OnCloseButton","StateString","LayerValue","Disconnect","UserInitiated","Attach","AttachTID","AttachToTID","SelfRecovered","PerformWhenBrowserResponds","BarText","ButtonText","SyncTimeout","SetHung","ImageKey","ImageUniqueID","ImageDimX","ImageDimY","ImageCleaningScheme","ImageLastUpdatedTime","ImageLastRetrievedTime","TotalNumber","Suspending","Dependent","DependentPID","TabId","Uint32Val","PrerenderURL","ISO_HANDLE","IDLEMANAGER_TASKTYPE","MaxWaitingTime","MaxBlockingTime","IDLETASK_PRIORITY","WaitingTaskCount","RunningTaskCount","AllowRecovery","UseWER","HangUIShowing","HungWindowText","TabVisibleIndex","FoundSuspendable","tabID","HiddenTabCookie","ScriptContextID","MethodAddressRangeID","SourceFlags","IsBoxed","ASTSize","IsDeferred","BytecodeCount","BytecodeSize","SweptBytes","BackgroundMarkRescanCount","IsSaveOnClose","CallerMethodID","InlineeMethodID","Inlinee","InterpretedCount","SourceCodeSize","ByteCodeSize","ByteCodeInLoopSize","JitLevel","MemoryAddress","jsVar","IsArray","HasTimedout","AsyncOperationId","NameBufferCount","NameBuffer","Jscript9EngineSize","MshtmlEngineSize","Jscript9ContextSize","MshtmlContextSize","Jscript9LibrarySize","MshtmlLibrarySize","Jscript9CEOSize","MshtmlCEOSize","Jscript9ScriptEngineOffset","MshtmlScriptEngineOffset","Jscript9ScriptContextOffset","MshtmlScriptContextOffset","Jscript9LibraryOffset","MshtmlLibraryOffset","Jscript9TypeOffset","MshtmlTypeOffset","Jscript9TypeIdOffset","MshtmlTypeIdOffset","Jscript9TaggedIntSize","MshtmlTaggIntSize","Jscript9NumberSize","MshtmlNumberSize","Jscript9TypeIdLimit","MshtmlTypeIdLimit","JScript9NumberUtilitiesSize","MsHtmlNumberUtilitiesSize","JScript9NumberUtilitiesOffset","MsHtmlNumberUtilitiesOffset","FrameNameBufferCount","FrameNameBuffer","ModuleSize","SerializationIndex","FunctionOffset","FunctionSize","ReservedBytes","Committe
dBytes","NumberOfSegments","FromGC","eventData","SizeCat","FunctionMethodID","FunctionSourceID","FunctionDisplayName","BailoutKind","BailoutCount","CallCount","RejitReason","Rethunk","LoopNumber","ThreadContextID","ScriptContextCount","AllocatedSize","PreClearFreeSize","PolyInlineCacheSize","ClearedCount","RegionScannedCount","RegionClearedCount","CollectionTrigger","CollectionStartFlags","cComments","cReplies","cArtObjs","cFieldChars","cParents","cInkComments","cCommentsWithTables","cSmartArt","cVideos","cPictures","cCharts","cOtherE2Os","cFields","cOLEObjects","ammPrev","ammNew","vfProfileStartup","fReply","fComment","fCommentPopout","fAllComments","fBtnCe","fSettingToDone","flTagReplaced","fPartFound","numberOfEntities","entityId","cWhiteSpaces","cSymbols","fCommentsInPane","findReplaceMode","fSearchInComment","cHits","lTagBkmk","fHasAtMention","fCommentSelChangeFG","LinkedInResumeClassification","JobTitleMatch","JobCityMatch","JobStateMatch","JobZipCodeMatch","AuthorMatch","LinkedInUserEnabled","FlyoutType","fAppend","cpInsertFirst","cpInsertLim","fRegionContainsE2O","NewTID","TimespanInMs","dwTabScenarioFlags","totalTabCount","halfTabCount","TriggerProtectionHResult","OpType","ObjectMSHTML","ObjectXSSFilter","MitigationInfo","SessionInfo","Ulong","P1AnsiString","_String1","OperationCode","User_sid","Group_sids","fsUrl","configurationParameter","configuredValue","desiredType","proxyCertificateThumbprint","applicationUrl","resourcePartnerUri","expectedLength","actualLength","WebExceptionStatus","policyGuid","policyVersion","fsIssuerUri","fsEndpointUrl","fsDomainAccount","trustPolicyField","referencingType","orgClaimUuid","orgGroupClaim","claimType","claimValue","collectionType","customClaimName","customClaimValue","interfaceName","trustPolicyPath","servicePrincipalName","maximumValue","adamStoreDisplayName","resourcePartnerDisplayName","accountPartnerDisplayName","applicationDisplayName","minimumValue","retryPeriod","domainLastProcessed","numberOfFilesUsed","maxi
mumNumber","fileForDeletion","maximumSize","fileSize","fileForCreation","webMethod","oldPolicyGuid","oldPolicyVersion","newPolicyGuid","newPolicyVersion","duplicationPeriod","targetUri","configuredCookiePath","requestUri","soapExceptionMessage","remotingUrl","remotingConfigFile","signingCertificateThumbprint","subjectKeyIdentifier","expectedTarget","receivedTarget","responseIndex","expectedIndex","expectedSize","cookieName","formatExceptionMessage","requestedIndex","invalidOperationExceptionMessage","tokenIssuer","claimNamespace","ldapServer","attributeType","issuer","thumbprint","FinalUrl","transactionId","summaryMessageId","outTokenMessageId","outTokenTokenId","outTokenIdClaim","outCookieMessageId","tokenId","idClaim","audience","keyIdentifier","validationTime1","validationTime2","effectiveTime1","effectiveTime2","expirationTime1","expirationTime2","claimSource","userPrincipalName","email","commonName","sensitiveGroupsOmitted","groups","customClaims","sidPresence","FeatureGuid","ApplicationImageHeaderHash","cchParentImagePathIncludingNull","ParentProcessImageHeaderHash","ParentImagePath","cchAppPathIncludingNull","cchIdStringIncludingNull","cchDllPathIncludingNull","ManifestVersion","DllHeaderHash","IdString","CallerIdType","cchImagePath","SystemManifestId","BinaryManifestId","DocumentFile","SourceColumn","ObjectWWA","NavigationInfo","IsReactivation","JSHeapSizeMB","TotalWorkingSetMBandPrivateCommitMB","PackageAgeS","ToggleCount","ToggleDetail","WindowType","WerReportDuringSuspend","suspendSubdownloadsCount","NewTimeout","CurrentTimeout","WebPlatformVersion","ScriptProjectionVersion","ProgramType","QuirkId","QuirkName","RoutingMode","HostDll","InExMode","InExIncludes","InExExcludes","ModuleToHook","HookModule","HookApi","Hooked","Patched","ApiIndex","ShimName","DriverPath","NumNewPrograms","NumRemovedPrograms","NumUpdatedPrograms","NumInstalledPrograms","NumNewOrphans","NumNewAddOns","SourceInstanceId","SourceTypeName","ChildActivityName","ChildActivityId","ChildA
ctivityInstanceId","ChildActivityTypeName","FaultSourceActivityName","FaultSourceActivityId","FaultSourceActivityInstanceId","FaultSourceActivityTypeName","FaultHandlerActivityName","FaultHandlerActivityId","FaultHandlerActivityInstanceId","FaultHandlerActivityTypeName","IsFaultSource","SubInstanceID","OwnerActivityName","OwnerActivityId","OwnerActivityInstanceId","OwnerActivityTypeName","OriginalDefinitionIdentity","UpdatedDefinitionIdentity","InfoMessage","Matches","CheckerName","AttributeExpectedValue","OperationalMessage","AeLookupServieTrigger","SwitchBranchGuid","SwitchBranchNameLength","SwitchBranchName","SwitchBranchDescriptionLength","SwitchBranchDescription","SwitchBranchImplGuid","SwitchBranchImplNameLength","SwitchBranchImplName","SwitchBranchImplDescriptionLength","SwitchBranchImplDescription","TargetContextGuid","TargetContextType","ContextUpdateCounter","CommitTotal","CommitLimit","PhysicalTotal","PhysicalAvailable","SystemCache","KernelTotal","KernelPaged","KernelNonpaged","PageSize","IsForeground","PageFaultCount","PeakWorkingSetSize","QuotaPeakPagedPoolUsage","QuotaPagedPoolUsage","QuotaPeakNonPagedPoolUsage","QuotaNonPagedPoolUsage","PagefileUsage","PeakPagefileUsage","Prop_Data_DWORD","Prop_Data_UInt64","FgCycles","BgCycles","FgClockTime","FgCtxSwitches","BgCtxSwitches","FgBytesRead","FgBytesWritten","FgNumReadOps","FgNumWriteOps","FgNumFlushOps","BgBytesRead","BgBytesWritten","BgNumReadOps","BgNumWriteOps","BgNumFlushOps","AppxPoliciesKeyOpened","EnableMsixAllowedZonesExists","EnableMsixAllowedZones","MsixAllowedZonesKeyOpened","UriSecurityZone","DefaultPolicyApplied","DefaultSmartScreenCheckPolicyApplied","SizeKB","HardLinkedCount","HardLinkedSizeKB","DurationMS","UncompressedSizeKB","CompressedSizeKB","returnCode","RequestedVersionMajor","RequestedVersionMinor","RequestedVersionAppModel","OSVersionMajor","OSVersionMinor","OSVersionAppModel","PackageOrigin","FrameworkList","QueueLength","LazyFlushQueueLength","IdleTaskInProgress","forceUpdateDe
ferredByPackage","PackageNameOne","PackageNameTwo","deviceFamilyName","RequestedVersionBuild","RequestedVersionRevision","OSVersionBuild","OSVersionRevision","PackageFamilyNameOne","PackageFamilyNameTwo","NavigationDomainRule","InterfaceIdentifier","currentFileName","conflictingFileName","conflictingPackageFullName","currentManifestLineNumber","currentManifestColumnNumber","referenceFileName","referencePackageFullName","referenceManifestLineNumber","referenceManifestColumnNumber","xPathToMismatchLocation","GlitchFrameCount","u64ByteCount","ProcessTime","LoopPosition","OutStandingCount","FrameExtent","FormatTag","BitsPerSample","InterpolatedPlayPosition","InterpolatedWritePosition","RealPlayPosition","RealWritePosition","FilteredError","Padding","QPCPos","DevPos","StrmPos","Custom1","Custom2","u64Param1","u64Param2","u64Param3","u64Param4","f64Param1","f64Param2","f64Param3","f64Param4","AEPositionFlag","PaddingFrames","Qpc","ApoBufferFlags","EventHandle","APO_CLSID","Sampling_rate","Offloaded","SamplingRate","bAudioSrvStreamResourceType","BackupSourceNumUnreadableBytes","BackupUserName","BackupStartTime","BatteryPresent","BatteryPercent","ChargeRate","InstantaneousPeakPower","InstantaneousPeakPeriod","SustainablePeakPower","SustainablePeakPeriod","AdapterPeakPower","AdapterMaxOutputPower","AdapterMaxInputPower","PowerUnit","DesignCapacity","LastFullChargeCapacity","BatteryTechnology","DesignVoltage","WarningDesignCapacity","LowDesignCapacity","CapacityGranularity1","CapacityGranularity2","CycleCount","MeasurementAccuracy","MaxSamplingTime","MinSamplingTIme","MaxAveragingInterval","MinAveragingInterval","ModelNumber","BatteryType","PresentRate","PresentVoltage","TripPoint","PercentageChange","AcDc","BatteryState","WatchdogState","WatchdogTimeout","MaxOutputPower","MaxInputPower","RecSupportedFunctions","RecSupported","RecEngaged","RecStartTime","RecEndTime","RecOverriden","RecOverride","OverrideValue","AdapterType","MinimumPower","MaximumPower","AdapterType1","Minimu
mPower1","NominalPower1","MaximumPower1","AdapterType2","MinimumPower2","NominalPower2","MaximumPower2","FirewallPortStatusChangeGuid","DevObjPtr","IrpPtr","SubIrpPtr","PdoPtr","PrevOffset","NextOffset","BufferPtr","proxyBypassList","entityName","currentSize","currentLimit","SubKeyOrValueName","NegotiateAuthSchemeEnabled","NtlmAuthSchemeEnabled","CertificateAuthSchemeEnabled","UsingUSB","resultCode","programCounter","exceptionType","TransitionId","Transition","ConditionCount","ConditinalEvent","ActivitySummary","ActivityFilter","HangDetected","NetTokens","TaskThrottleCount","EventTypeAndBitfield","AlwaysAllowed","VoipApp","CommandPacketsAllowed","AclWriteCredits","BIP_DataLen","BIP_Data","WDFFILEOBJECT","NumberTimes","RequestFileName","SKIRequested","SKIGenerated","log","TargetInterfaceAsyncUuid","ActivatableClassId","InboxAppsRegistrationScope","CustomPropertyKey","IID","IsFastRundown","ImplementedInterface1","ImplementedInterface2","ImplementedInterface3","WhereDetected","WhereIssued","DisconnectionType","FamiliesAdded","ApartmentType","TotalTimeMs","CallTimeMs","CallResult","ExpandoPropertiesObjectId","ParentParserObjectId","ElementValue","PoolNo","D3D10Level9Resource","m_hDX9Resource","pSwapchain","BackbufferFormat","BackbufferCount","SwapEffect","Windowed","PresentationInterval","AdditionalSwapchain","LogicalSurfaceHandle","BackBufferCount","SharedHandles","BackBufferNumber","BackBufferHandle","AdjustValue","ShouldSwitch","DecisionFactor","TimeZoneDisplay","TimeZoneMUIDisplay","SubProvider","SuspendFlag","ActiveFlag","ImageFileNameLength","ExemptGroup","RegisterAtLaunch","PolicyRecords","WorkItemQueued","DeviceBucket","FastIoCount","SlowIoCount","SlowIo","PercentLessThan4","PercentLessThan8","PercentLessThan16","PercentLessThan32","PercentLessThan50","PercentLessThan100","PercentLessThan500","PercentLessThan1000","PercentLessThan2000","PercentLessThan5000","PercentLessThan10000","PercentGreater10000","PercentMissedFlips","FrameRateReductions","DiagEventsFired",
"PeakPercentSysMemUsed","PeakWindowCount","DiagFrames","DiagStatsDuration","VirtualizationBasedSecurity","SecureBoot","DmaProtection","HVCI","LSA","MachineIdentityIsolation","KernelShadowStacks","HexInt8","HexInt9","TPMVersion","ReadyForStorage","NotReadyReason","ReadyForAttestation","NotREadyReason","IsUnsatifactory","HasVulnerability","IsLocked","IsSupportedAlg","AlgorithmOid","queryType","objectIds","queryFlags","preferredLanguages","requestedPropertiesCount","filterLength","extendedParametersLength","Prop_PackagePath","Error_DUID","Error_Partnership","Error_Type","Error_HResult","Error_Time","nameLen","dataName","descLen","dataDesc","detailLen","dataDetail","Error_Link","Event_DUID","Event_Partnership","Event_Code","Event_Time","DFSLink","DFSNamespace","DFSLink1","DFSLink2","DFSFolderPath","DFSLinkDN1","DFSLinkDN2","LocalServer","DwordVal3","ProcessOrPackageName","OrigAddress","ProcessorCoreCount","LogicalProcessorCount","NumaNodeCount","MaxCPUSpeed","CurrentCPUSpeed","Virtualization","MemorySpeed","SlotsUsed","AvailableMemory","CachedMemory","CommittedMemory","AdapterCount","PhysicalNetworkType","SignalQuality","ServiceProvider","Snap","CurrentView","ChartsOn","OldCount","QueryByteReturned","ChartId","FromScaleIndex","FromScaleString","ToScaleIndex","ToScaleString","LengthInByte","NewItems","UpdatedItems","MenuId","WindowHandle","FromTab","ToTab","CountOfItemsInStartupXML","SrumProvider","ProfileIndex","PackageInstallPath","LongDisplayName","SrumRecordSetCount","BuildType","ReportFileName","OSMajorVersion","OSMinorVersion","ServicePackMajor","ServicePackMinor","Culture","OEM","IsMobilePc","IsInternal","OEMSKU","BaseBoardOEM","BaseBoardModel","BaseBoardVersion","BIOSVendor","BIOSVersion","BIOSReleaseDate","BIOSMajorRelease","BIOSMinorRelease","ECFirmwareMajorRelease","ECFirmwareMinorRelease","RequestCookie","ColumnId","LoggingChannelName","StringMessage","IntegerValue","InternalState","ScenarioGUID","StartTimeStamp","StartProviderId","StartEventId","StartEventVe
rsion","StopTimeStamp","StopProviderId","StopEventId","StopEventVersion","TriggerTimeStamp","TriggerProviderId","TriggerEventVersion","CanAddToScenarioStream","ScenarioDuration","ScenarioPackedContext","MoshTimeValue","ScenarioMetadata","SqmValue","MostRecentPreviousBuild","WhenUpgradedFrom","SliceDuration_msec","RequiredIdleDuration_msec","NumOverlaps","MaximumUsagePerSlice_Percent","NormalizeTime","BusyPercentage","LastIdleTime","LastTotalTime","CurrentIdleTime","CurrentTotalTime","CombinedBusyPercentage","IdleTimeFound","AccumulatedIdleTime","MainPathHybridbootTimeMs","PostTimeMs","ResumeTimeMs","AdditionalMetadata","ReadyBootTrainingCountSinceLastServicing","MatchKey","PRAID","ActivationKind","ViewId","ResizeFlags","WindowSize","pObject","CchOldDebugObjectName","OldDebugObjectName","CchNewDebugObjectName","NewDebugObjectName","CchDebugObjectName","DebugObjectName","pID3D10Device","pIDXGIDevice","pIDXGIAdapter","CreationFlags","hKMAdapter","hUMAdapter","UMAdapterVersion","hKMDevice","hUMDevice","UMDeviceVersion","UMDeviceFlags","pID3D10Resource","pID3D10_1Device","FeatureLevel","SemaphoreHandle","pID3D11DeviceContext","ContextType","APISequenceNumber","CPUFrequency","FirstAPISequenceNumber","CPUTimeHigh","ThreadIDs","hContext","BroadcastContexts","hBroadcastContexts","MarkerLogType","RenderCBSequenceNumber","FirstAPISequenceNumberHigh","CompletedAPISequenceNumberLow0Size","CompletedAPISequenceNumberLow1Size","BegunAPISequenceNumberLow0Size","BegunAPISequenceNumberLow1Size","CompletedAPISequenceNumberLow0","CompletedAPISequenceNumberLow1","BegunAPISequenceNumberLow0","BegunAPISequenceNumberLow1","pID3D11CommandList","InsertionAPISequenceNumber","StringIndex","MarkerDescription","pDXGIDevice","pThis","m_Ret","ppvObject","ppResources","NumDiscardedResources","pDiscarded","pEnum","ppVideoProcessor","ppDecoder","pVideoDescTID_D3D11_VIDEO_DECODER_DESC","pConfigTID_D3D11_VIDEO_DECODER_CONFIG","pVideoProcessor","pView","OutputFrame","pStreamsTID_D3D11_VIDEO_PROCESSOR_STR
EAM","pDecoder","pBufferSize","ppBuffer","ContentKeySize","pContentKey","NumBuffers","pBufferDescTID_D3D11_VIDEO_DECODER_BUFFER_DESC","CryptoType","KeyExhangeType","ppCryptoSession","pCryptoSession","OutputWidth","OutputHeight","OutputFormat","BehaviorHints","TeardownCount","Recover","SourceWidth","SourceHeight","SourceColorspace","DestWidth","DestHeight","DestColorspace","pBufferDescTID_D3D11_VIDEO_DECODER_BUFFER_DESC1","hUMSharedResource","beginIndex","endIndex","gpuDuration","DesiredPresentDuration","ClosestSmallerDuration","ClosestLargerDuration","pID3D12Device","SingleAdapterHybridMode","pID3D12CommandQueue","pID3D12CommandList","ThreadIDCount","pID3D12DeviceContext","ContextCount","Contexts","LoopIteration","SubmitCommandCBSequence","CompletedAPISequenceNumberSize","CompletedAPISequenceNumber","pCommandQueue","UMDContexts","NodeMask","HwQueueCount","HwQueues","pID3D12Fence","pDXGKFence","pID3D12CommandAllocator","pID3D12GraphicsPipelineState","pID3D12DescriptorHeap","NumDescriptors","pID3D12RootSignature","pID3D12Heap","CPUPageProperty","MemoryPoolPreference","CreationNodeMask","VisibleNodeMask","pID3D12ConjoinedResource","hKMAllocation","pID3D12QueryHeap","pID3D12CommandSignature","ByteStride","NumArgumentDescs","pID3D12PipelineLibrary","pID3D12VideoDecoder","DecodeProfile","BitstreamEncryption","InterlaceFormat","pID3D12VideoProcessor","pID3D12Resource","PlaneCount","pHeap","ImmutableHeapOffset","PlacedAlignment","PlacedSize","NumTilesForResource","NumPackedMips","NumTilesForPackedMips","pImmutableBuffer","ImmutableBufferOffset","NumVirtualAddressInfos","NumKMTInfos","pVirtualAddressInfos","pKMTInfos","m_hr","pID3D12VideoDecoderHeap","DecodeWidth","DecodeHeight","MaxDecodePictureBufferCount","BitRate","NumExtendedFeatures","pExtendedFeatures","pID3D12CommandPool","pID3D12CommandRecorder","supportFlags","pID3D12StateObject","pID3D12MetaCommand","pID3D12ProtectedResourceSession","pID3D12LifetimeTracker","pID3D12SchedulingGroup","pID3D12VideoMotionEstimator","I
nputFormat","MaxWidthInBlocks","MaxHeightInBlocks","MinWidthInBlocks","MinHeightInBlocks","pID3D12VideoMotionVectorHeap","pID3D12Decoder","NumRefPicListEntries","pID3D12OutputTexture2D","OutputSubresource","pReferenceTexture2D","ReferenceSubresource","NumReferences","CurrPic","RefPicList","ReferenceTexture2Ds","SubresourceIndicies","ReferenceDecoderHeaps","pID3D12VideoExtensionCommand","hHwQueue","RenderCbSequence","HwQueueProgressFenceId","HistoryBufferSize","HistoryBuffer","CommandListCount","MaximumInMemoryCacheSizeBytes","MaximumInMemoryCacheEntries","MaximumValueFileSizeBytes","pCommandList","BreadcrumbCount","LastBreadcrumbValue","Breadcrumbs","BreadcrumbContextsCount","BreadcrumbIndex","pID3D12TrackedWorkload","hKMTrackedWorkload","pID3D12VideoEncoder","EncoderFlags","EncoderCodec","MotionEstimationPrecision","pID3D12VideoEncoderHeap","EncoderHeapFlags","NumRequiredLookups","NumRequiredHitsInPSDB","NumRequiredHitsInDynamicCache","NumIgnoredHits","NumOptionalLookups","NumOptionalHitsInPSDB","NumOptionalHitsInDynamicCache","NumDynamicCacheStores","FileCreateDisposition","MaximumWriteQueueBytes","MaximumWriteQueueNumEntries","Return","DeleteFiles","NumKeyParts","PrecomputedHash","KeyParts","FoundValue","FoundValueSize","DeltaSize","CurrentWriteQueueSize","MaximimFileSize","NewValueSize","MaximimWriteQueueSize","NumMappedValues","MappedMemoryUsage","UTCReplace_AppSessionGuid","NumLookups","NumCacheHits","NumL1Hits","NumL1HitsInCacheFromAdd","NumAddRequests","NumFailedAdds","FailedAddTotalSize","MaxInMemoryEntries","MaxInMemorySize","NumDiskEntries","IndexFileSize","ValueFileSize","CompressedValueFileSize","HadCRCFailure","NumHashCollisions","TotalKeySize","TotalValueSize","AverageKeySize","AverageValueSize","MaxKeySize","MaxValueSize","TotalFindTime","TotalAddTime","AverageFindTime","AverageAddTime","MaxFindTime","MaxAddTime","DesiredOpen","SuccessfulOpen","channelHandle","resourceHandle","externalHandleAndChannel","resourceType","createShared","openShared","reso
urcePointer","BitDepth","IsTexturingAtlas","PixelFormat","AtlasId","EntryId","PercentUsed","LastCommittedBatchId","LastConfirmedBatchId","UseType","XData","YData","clumpPointer","virtualSurfacePointer","surfacePointer","percentValidTiles","pixelsPerClump","largeSurfacesTotalAllocated","largeSurfacesInUseAllocated","largeSurfacesInUseActual","largeSurfacesPeakInUseActual","largeSurfacesAllowed","poolsTotalAllocated","poolsInUseAllocated","poolsInUseActual","poolsPeakInUseActual","poolsAllowed","largeSurfacesPendingRelease","poolsPendingRelease","largeSurfacesMaxStructuralWaste","poolsMaxStructuralWaste","PixelsDiscarded","SurfaceInvalid","section","allocationSize","sectionSize","heap","deviceId","scenarioPriority","qpcInitiate","qpcInput","msIntendedDuration","scenarioGuid","scenarioName","scenarioDetails","uniqueKey","batchCount","totalPrimitiveCount","boundsLeft","boundsTop","boundsRight","boundsBottom","singlePrimitiveInfoLength","surfaceInfoLength","surfaceInfo","primitivesLength","primitives","TargetX","TargetY","MinX","MinY","MaxX","MaxY","RequestX","RequestY","ShrinkX","ShrinkY","GrowX","GrowY","AtlasX","AtlasY","visualHandle","interactionHandle","visualAndChannelHandle","interactionAndChannelHandle","inputSinkHandle","windowHandle","mouseConfigMask","mouseConfigValues","propertyId","captureType","pointerTimeStamp","callbackId","objectHandle","propertyHandle","animatorResourceHandle","animatorCallbackId","expressionAnimatorInstance","nodesBuffer","cacheBuffer","cacheBufferParam","CookieTracker","CookieValue","InkTrail","GenerationId","LookupId","PrevGenerationId","Color_R","Color_G","Color_B","Color_A","Graph","RegionPointer","MotionPointer","LayerPointer","ViewportPointer","DManipLatency","ContentPointer","xPosition","yPosition","zPosition","PredictedTimeGap","CompositorPointer","ManagerPointer","FrameInfo","primaryContentPointer","MessagesQueuedOrProcessed","dimension","inertiaStartValue","originalRestPoint","outputRestPoint","outputRestPointPriority","outpu
tRestPointCurveId","motionType","bIsNewSnapValues","newSnapPointValue","restPointX","restPointY","restPointZ","curveIdX","curveIdY","curveIdZ","compositionTime","predictedTimeGap","predictionX","predictionY","inertiaStartTime","timerElapsedTime","timerOffset","animationTime","targetMotionType","sourceMotionType","curveCount","inputScaleX","inputScaleY","inputTranslateX","inputTranslateY","outputScaleX","outputScaleY","outputTranslateX","outputTranslateY","computedMotionTypes","pNewValue","pOldValue","timeDeltaInMS","viewport","animate","storyboard","InertiaType","KernelInputReadTime","HostInputSendTime","ContainerInputReceiveTime","InteractionLibraryStartTime","CoalescedFrameCount","PointerCount","ManipulationFrameId","ZoomToRectCount","InertiaZoom","AppUserModeId","InteractionLibraryType","NumTouchPoints","InteractionType","KernelInputStartTime","QpcInteractionLibraryStart","QpcInteractionLibraryStop","HostPerformanceFrequency","ZoomToRectCalls","CoalescedFrames","Viewport","Interaction","MinimumDomainRID","MaximumDomainRID","RIDPoolSize","MinimumAvailableRID","MaximumAvailableRID","MinimumAllocatedRID","MaximumAllocatedRID","CurrentRIDValue","ComputedRIDValue","CeilingTriggerRid","OID Name","Group Name","OIDName","NotificationPackage:","Registry key:","Registry 
value:","NotificationPackage","Registrykey","Registryvalue","DuplicatedAccountNames","RetainedAccountName","Attempted_sAMAccountName","DiskFriendlyName","ActivationAuthenticationLevel","IsBrowseDirectChildren","SortCriteria","NumItemsToRetrieve","NumItemsReturned","NumItemsMatched","SearchCriteria","RemoteIPSEC","RemoteEncryption","RecursionDepth","QueriesAttached","DataTag","EDNSCorrelationTag","EDNSScopeName","ServerScope","AliasFailureReason","EDNSExtendedRCodeBits","EDNSFlags","EDNSUdpPayloadSize","EDNSVirtualizationInstance","EDNSDataTag","DenialOfExistence","DistributeTrustAnchor","DnsKeyRecordSetTtl","DSRecordGenerationAlgorithm","DSRecordSetTtl","EnableRfc5011KeyRollover","IsKeyMasterServer","KeyMasterServer","NSec3HashAlgorithm","NSec3Iterations","NSec3OptOut","NSec3RandomSaltLength","NSec3UserSalt","ParentHasSecureDelegation","PropagationTime","SecureDelegationPollingPeriod","SignatureInceptionOffset","KeyStorageProvider","StoreKeysInAD","DnsKeySignatureValidityPeriod","DSSignatureValidityPeriod","ZoneSignatureValidityPeriod","InitialRolloverOffset","RolloverPeriod","RolloverType","NextRolloverAction","LastRolloverTime","NextRolloverTime","CurrentRolloverStatus","ResponsePerSecond","ErrorsPerSecond","LeakRate","TCRate","TotalResponsesInWindow","IPv6PrefixLength","Document","Handler","CountScannedFiles","DocumentNumber","Notifier","idGuid","ScanRepository","InfNameOrPath","ModelOrDriverName","ModelName","IsCached","IsFirstCall","DomainMembershipChangeGuid","ClientSequenceNumber","AllocationAmount","AllocationKind","AllocationAmount64","HeapNum","WorkID","NativeOverlapped","Overlapped","MultiDequeues","ExceptionEIP","ExceptionHRESULT","JoinTime","JoinID","DrvPtr","DevPtr","ErrorNumber","ImageVersion","UMDFVersion","ConflictingParameter","ActualFuntionTableCount","ExpectedFuntionTableCount","LastServiceStatus","LastServiceFinalPhase","LastServiceLockAcquisitionTimeTotalInMicroSeconds","LastServiceLockAcquisitionTimePreProcessPhaseInMicroSeconds","LastServiceL
ockAcquisitionTimeAcquireRundownPhaseInMicroSeconds","LastServiceLockAcquisitionTimeStalledPhaseInMicroSeconds","LastServiceLockAcquisitionTimePostProcessPhaseInMicroSeconds","WMIMessageChannel","paramNumber","activity","currentOperation","percentComplete","secondsRemaining","PromptMessage","partialConfigName","exclusiveResource","header","SourceInfo","OperationCmd","DownloadManagerName","Modules","Compliant","RemainingSize","MIResult","Error_Category","ConfigurationMode","ConfigurationModeFrequencyMins","RefreshMode","RefreshFrequencyMins","RebootNodeIfNeeded","DebugMode","configurationMode","configurationModeFrequencyMins","refreshmode","refreshFrequencyMins","rebootNodeIfNeeded","debugMode","ReportManagerName","PartialConfigurationName","PSModulePath","Resource_execution_sequence","ResourceSequence","AssignedConfigurationName","clientChecksum","checkSumFromServer","put","CertId","zipFile","loops","cGC","cGCLP","cPC","atomname","hGadChange","hGadClone","flDelay","flDuration","zOrder","nProperty","nFlags","flInitScalar","flInitX","flInitY","flInitZ","flInitOriginX","flInitOriginY","flInitOriginZ","dwCookie","nCode","FrameTime","DotsPainted","percent","flRadius","ForegroundColor","flEndScalar","flEndX","flEndY","flEndZ","flEndOriginX","flEndOriginY","flEndOriginZ","flCurveX1","flCurveY1","flCurveX2","flCurveY2","fTransitionCancelled","fNew","cUses","szModule","szResource","szSheet","uiTileID","nRectTop","nRectBottom","nRectLeft","nRectRight","szResId","cAdaptors","hGadget","pVisual","fRoot","nWidth","nHeight","fIsCopy","nNumberOfPendingDeletions","fNewLayered","nVisualsCount","cTrans","dwTicket","pDCompVisual","pChildVisual","fDescendantVisualOfNewVisual","pNewChild","nAnimType","psbUIA","nVar","nSize","m_pVisual","nVisuals","fCopy","fRemainLayered","surfaceId","surfaceX","surfaceY","surfaceWidth","surfaceHeight","containerWidth","containerHeight","pRegionSurface","pSurface","flProcessingDelay","nNumberOfStoryboards","nNumberOfVisuals","uTransIndex","pTransitionVisu
al","nHResult","pEffectGroup","nTransformType","pTransform","fAnimation","pStoryboard","nAnimationId","nStoryboardId","hAncestorGadget","nAncestorWidth","nAncestorHeight","PointerHitTestID","luidAdapter","hmonAssociation","hDxSurface","uiUpdateId","cTries","fEnable","hwndDst","hwndSrc","hwndExclude","storyid","waitReturn","Batches","CompositionTimer","AdaptersChanged","OcclusionEvent","targetId","updatedAnimationCount","presentedPlaneCount","desktopPlanePresented","surfaceLuid","bindId","realizationIndex","presentCount","presentFlags","PlaneIndex","Blend","srcRect","dstRect","clipRect","occlusion","ready","outstandingPresents","targetError","nextFrameTargetError","expressionCalculatedCount","tracedExpressionsCalculatedCount","activeExpressionCount","suspendedAnimationsCount","dirtyTreeCount","treeLockWaitTimeUs","desktopDirtyRectCount","desktopDirtyRects","batchSubmissionDeadline","compositorClockDuration","primaryMonitor","targetCount","targetIdAndStats","snapshotsToPerform","desktopLuid","backdropVisualsRendered","cachedVisualsRendered","renderStartTime","renderEndTime","endDrawStartTime","endDrawEndTime","targetArea","drawVisualTreeCount","internalLayerCount","internalLayerArea","externalLayerCount","externalLayerArea","cviCount","cviArea","bviCount","bviArea","targetType","totalRenderTimeUs","totalEndDrawTimeUs","totalTargetArea","totalDrawVisualTreeCount","totalInternalLayerCount","totalInternalLayerArea","totalExternalLayerCount","totalExternalLayerArea","totalCviCount","totalCviArea","totalBviCount","totalBviArea","parallelMode","targetMonitorTime","firstAvailableMonitorTime","lastMonitorTime","clockBoost","displayAdapterLuid","vidPnSourceId","vidPnTargetId","vBlankMultiplier","iFlipApprovedDuration","ConnectedStandbyState","MonitorPowerState","resourceCount","alreadyPinned","completedPresentCount","IndexFrame","cFrame","cDXPresent","tFrame","qpcFrame","cSyncRefreshFrame","cRefreshesPerFrame","cRefreshFrame","cRefreshPresent","tPresentAfter","cRefresh","cDXRe
fresh;","tRefresh","qpcRefresh","cRefreshDelta","tBegin","qpcBegin","tEnd","tElapsed","tAvailable","tDelta","tVBlankLatency","fRendered","fPresented","fParallelMode","qpcPresented","fConfirmed","qpcConfirmed","tEarly","tBudget","tGlitch","cDXRefresh","m_tCurrent","m_tElapsed","m_qpcCurrent","m_qpcLast","m_cFramesRendered","fUseSleep","dwSleep","returnedWorkType","Work","SurfaceManager","DelayedComposition","fRenderTime","dwOutstandingPresents","dwMaxOutstandingFrames","fPresentNeeded","tCurrent","tPresent","cRefreshCurrent","fForce","tVSyncLatency","Induced","tPresentLatency","qpcFrequency","qpcPeriod","cMonitors","rgcDXRefresh","dxgiFormat","pixelSize","invalidRegions","pixelsCopied","Z","rectType","FullRender","dirtyRegionCount","composition","qpcCurrentTime","cTokenCount","cTotalTokenCount","cIterationCount","GdiSpritePointer","logicalSurfaceHandle","spriteHandle","FrameToWaitFor","hLogicalSurface","hDxSharedSurface","NumRects","DirtyRegions","hlsurf","uiCookie","dwDirtyFlags","hwndLensContext","UpdateId","S_11","S_22","DX","DY","logicalSurfaceImagePointer","windowNodePointer","windowNodeParentPointer","logicalSurfaceImageLHandle","Previous","Confirmed","Presented","resourceInternalHandleAndChannel","animationPointer","initialValue","expectedFramePresentTime","DisplayID","SyncRefreshCountDelta","SyncRefreshCountDeltaExpected","SyncTimeDeltaMS","SyncPeriodMS","OldEffectivePeriod","NewEffectivePeriod","hmon","fDirectFlip","hCompSurf","fSupported","fDirectFlipEnabledSurface","rotation","alphaMode","fStereoContent","fMonitorSpecificContent","cBuffers","pResource","pSrcResource","pDstResource","SrcLeft","SrcTop","SrcRight","SrcBottom","DstX","DstY","dxSharedHandle","AnimationScenario","VSyncs","GlitchesRecorded","ScenarioIndex","pFrame","cFramesOutstanding","cMaxFramesOutstanding","DwmFrame","MonitorCount","PrimaryAdapterIsWarp","InParallelMode","PrimaryAdapterLuid","ScenarioPointer","InteractionContext","ScenarioDurationMs","cFrames","StartFrame","EndFrame","DrawingC
ontext","RTLeft","RTTop","RTRight","RTBottom","DeviceTransformLength","DeviceTransform","Visual","ClipLeft","ClipTop","ClipRight","ClipBottom","TransformMatrixLength","TransformMatrix","AttributedProcessId","VisualLeft","VisualTop","VisualRight","VisualBottom","CVI","SourceVisual","ViewboxLeft","ViewboxTop","ViewboxWidth","ViewboxHeight","IsBackdrop","IsVisualSurface","nodeType","nodeContentType","nodeBoundsLeft","nodeBoundsTop","nodeBoundsRight","nodeBoundsBottom","qpcDelta","PreviousWaitTimeoutMS","fAllCachesReachMinimum","fenceValue","bDirectFlip","DXGI_ALPHA_MODE","bStereoPreferRight","bTemporaryMono","bSwapPool","BufferContentType","bIndependentFlip","uPesentDuration","BufferRealizationType","uRealizationIndex","bEnableScanout","luidSurface","FirstRectLeft","FirstRectTop","FirstRectRight","FirstRectBottom","fSucceeded","nrOfAttempts","driverUpdateStatus","nrOutput","cSyncRefreshRetired","fTimedOut","cDisplays","rgDXPresentStats","InputSpaceId","WorkspaceId","inputSinkLuid","_11","_12","_13","_14","_21","_22","_23","_24","_31","_32","_33","_34","_41","_42","_43","_44","RootVisual","HitTestedVisual","InteractionPointer","pCollector","nMetaDataCount","MaxPlanes","OverlayCaps","SrcRectLeft","SrcRectTop","SrcRectRight","SrcRectBottom","DstRectLeft","DstRectTop","DstRectRight","DstRectBottom","ClipRectLeft","ClipRectTop","ClipRectRight","ClipRectBottom","fOccluded","fHardwareCheck","NumPlanes","hResource","fOverlayEnabled","fHardwareCursorEnabled","fNeedFullRender","cPlanes","bIsFullScreenRemoting","bIsModeHiDef","IsModeDesktopBitmapRemoting","PrimitiveGroup","layerCreateBitFlags","cFrameStart","cFrameStop","PercentVsyncsMissed","metrics1","metrics2","cFramesSinceCreate","ScenarioDetailsHash","ScenarioDetails","VsyncCount","VsyncCadenceInHz","FrameRateInFps","MaxFramePeriodInMS","MaxVsyncsMissed","TimeToFirstFrameInMS","TimeFromInputToFirstFrameInMS","IntendedDurationInMS","FrameGlitchesCount","TotalVsyncsMissed","TotalHits","metrics3","FPS","FramePerSecond","CPUTime
PerFrame","uPlaneIndex","bIndependentFlipEnabled","bNotifySurfaceUpdates","uPresentDuration","confirmedIndependentFlipEntry","OccluderCommandIndex","TimeToFirstFrameInMs","memoryHandle","contactCount","HitTestHandle","updateType","configurationCount","configurations","manipulationContextPointer","OverdrawRectangleCount","OverdrawBoundsLeft","OverdrawBoundsTop","OverdrawBoundsRight","OverdrawBoundsBottom","RestoreRectangleCount","RestoreBoundsLeft","RestoreBoundsTop","RestoreBoundsRight","RestoreBoundsBottom","CancelReason","IsDirectFlipCompatible","IsAdvancedDirectFlipCompatible","IsOverlayCompatible","IsOverlayRequired","BoundsRight","BoundsBottom","fNoOverlappingContent","HDR","vSyncTarget","bIsFollowUpPresent","OldPeriodMS","NewPeriodMS","fTemporaryDisable","NoAAFixupVertices","AAFixup2DVertices","AAFixup3DVertices","HWDrawCallsProcessed","WarpDrawCallsProcessed","HwMegaRectsAdded","DrawListBatchesProcessed","DrawListEntriesProcessed","DrawListEntryGroupsProcessed","GroupedDrawListEntriesProcessed","RenderingDrawListEntriesProcessed","StateSettingDrawListEntriesCreated","StateSettingDrawListEntriesOptimizedAway","PrimitiveGroupToDrawListGeneratorCreated","PrimitiveGroupToDrawListGeneratorCacheUpdated","TessellatedRect_UnClipped","TessellatedRect_AxisAlignedRectClip","TessellatedRect_GeneralClip","HwDrawListCachesInvalidated","HwDrawListCachesUpdated","WarpDrawListCachesInvalidated","WarpDrawListCachesUpdated","numberOfDCompAnimationsActive","numberOfWinRTAnimationsActive","numberOfBatchesProcessed","VisualType","TotalUpdateCount","SuccessfulUpdateCount","SuccessfulTotalGap","WaitResult","TotalRenderCount","TotalPostCount","WaitIndex","TotalPosts","RenderPostGap","PendingImageCount","pCompilationTask","SubmitterID","GraphNodes","NodeCount","SubgraphCount","FoundInCache","FrameID","Framebuffer","TimeBeforeVBlank","Commands","FlipCount","LastPresentCount","FrameStatsPresentCount","CurrentSyncRefreshCount","TargetSyncCount","LastWakeupSyncCount","Reasons","DirtyPropa
gatedCount","DirtyPropagated","DirtyGeneratedCount","DirtyGenerated","CompositorRenderedCount","CompositorRendered","BatchesProcessedCount","BatchesProcessed","KeyframeAnimationsCalculatedCount","KeyframeAnimationsCalculated","CpuStartTime","GpuEndTime","FirstFrameID","LastFrameID","BeginQPC","EndQPC","FirstPointerFrameID","LastPointerFrameID","RenderStartQPC","RenderStopQPC","targetChannelHandle","targetResourceHandle","targetInternalHandleAndChannel","visualInternalHandleAndChannel","interactionInternalHandleAndChannel","interactionPointer","CD3DDeviceLevel1","AdapterDescription","BackBufferIndex","NewBackBufferIndex","StrokeId","PresentCallCount","StartTipPointId","TranslatePointsToRenderTargetOrigin","SerializedStrokeSize","CompositionSurfaceBitmapId","IsCurrentOrIncomming","IsBeginStroke","SingleMonitor","OverlayPlaneCount","planeClipLeft","planeClipTop","planeClipRight","planeClipBottom","requestedDuration","durationTolerance","approvedDuration","TargetRefreshSyncCount","BackbufferIndex","DispatchedBuffer","ScheduledBuffer","FrontbufferOffset","FrontbufferWakeupTime","NewSource","OldSource","SourceDropped","SuperWetSource","DirtyRectLeft","DirtyRectTop","DirtyRectRight","DirtyRectBottom","refreshCount","reportedTimeHns","smoothedTimeHns","differenceTimeHns","averageTimeHns","numDataPoints","qpcTime","VidPnSourceId","ForceUnpin","BindingType","homogeneous","flipIndex","applied","IterationDuration","AcceptableError","flipConsumer","contentId","NumComposedInstances","NumOverlayInstances","NumOffscreenInstances","renderAdapterLuid","bltRect","flipRect","NumberOfPointsPulled","KeyframeAnimation","DurationMs","sourceChannel","sourceResource","destChannel","sourceResourcePointer","DirectFlipMode","syncInterval","fenceId","planeIndex","signalValue","UpdateLeft","UpdateTop","UpdateRight","UpdateBottom","sourceAdapterLuid","destAdapterLuid","Verified","AllowDwmcoreInSession","RemoteAppEnabled","AllowDwmcoreInClient","AllowThemesInCLient","MilRemote","CGhostOrHwndToGhost
","StateBegin","StateEnd","FlipChain","BuffersEmpty","IndexUnconfirmed","hSurface","AsyncFlushType","xSizeOld","ySizeOld","formatOld","xSizeNew","ySizeNew","formatNew","fExcludedFromLivePreview","RgnType","RectStartIndex","RectEndIndex","TotalRectCount","Schedules","alignment","BeginLeft","BeginTop","BeginRight","BeginBottom","EndLeft","EndTop","EndRight","EndBottom","BeginOpacity","EndOpacity","BeginDepth","EndDepth","StaggerOrder","AnimationId","Cloaked","oldValue","PerfTrackId","pIDXGIFactory","BlockedAdapters","PnPID","EffectsPreference","KMTAdapterHandle","ThunkDLLHandle","SharedResources","pIDXGIOutput","VidPnSourceID","GDIDeviceName","pIDXGISwapChain","UserBackbufferCount","ppBackBuffers","pPrimary","pProxyPrimary","RefreshNumerator","RefreshDenominator","ScanlineOrdering","Scaling","OutputWindow","BackbufferHandles","BackbufferEventHandles","FenceHandle","ActualBufferCount","ActualSwapEffect","WinFlipProxyBufferCount","HybridPresentMode","ScanoutEligible","CrossAdapterTierSupport","CASOFallbackReason","ProxyWidth","ProxyHeight","ProxyFormat","EffectsEnabledMask","WinSwapEffectUpgradeReason","DirtyRects","ScrollRects","pIDXGISwapchain","OldUserBackbufferCount","OldBackbufferCount","ppOldBackBuffers","pOldPrimary","pOldProxyPrimary","OldFormat","OldFlags","OldRedirected","OldLogicalSurfaceHandle","OldBackbufferHandles","OldFenceHandle","OldFenceValue","OldActualbufferCount","OldWinFlipProxyBufferCount","OldProxyWidth","OldProxyHeight","OldProxyFormat","NewUserBackbufferCount","NewBackbufferCount","ppNewBackBuffers","pNewPrimary","pNewProxyPrimary","NewFormat","NewFlags","NewRedirected","NewLogicalSurfaceHandle","NewBackbufferHandles","NewFenceHandle","NewFenceValue","NewActualbufferCount","NewWinFlipProxyBufferCount","NewProxyWidth","NewProxyHeight","NewProxyFormat","pDXGISwapChain","OldWindowed","pOldOutput","OldSwapEffect","NewWindowed","pNewOutput","NewSwapEffect","WidthToMatch","HeightToMatch","RefreshNumeratorToMatch","RefreshDenominatorToMatch","FormatTo
Match","ScanlineOrderingToMatch","ScalingToMatch","WidthResult","HeightResult","RefreshNumeratorResult","RefreshDenominatorResult","FormatResult","ScanlineOrderingResult","ScalingResult","BackBufferEventHandle","LayerMask","OverlayMaxRGBPlanes","OverlayMaxYUVPlanes","PanelFitterMaxRGBPlanes","PanelFitterCaps","LayerIndex","KernelSupport","DriverFailed","InvalidParam","SubResourceIndex","SrcRect.left","SrcRect.right","SrcRect.top","SrcRect.bottom","DstRect.left","DstRect.right","DstRect.top","DstRect.bottom","ClipRect.left","ClipRect.right","ClipRect.top","ClipRect.bottom","StretchQuality","SrcRectleft","SrcRectright","SrcRecttop","SrcRectbottom","DstRectleft","DstRectright","DstRecttop","DstRectbottom","ClipRectleft","ClipRectright","ClipRecttop","ClipRectbottom","DXGIFormat","KeepExistingContent","ReparentingOccurred","DecidingFactor","GpuPreference","m_pPreferredOutput","NewSyncInterval","EffectsModuleName","NumLoadedEffects","EffectType","EffectId","ppFactory","uiDataSize","pData","pInterface","pDataSize","iOutput","ppOutput","pDesc","pUMDVersion","EnumFormat","pNumModes","pModeToMatch","pClosestMatch","pConcernedDevice","bExclusive","pGammaCaps","pArray","pScanoutSurface","pStats","iBuffer","ppSurface","bFullscreen","pbFullscreen","ppTarget","SwapChainFalgs","pNewTargetParameters","pLastPresentCount","iAdapter","ppAdapterInterface","phWnd","ppSwapChain","hModule","ppAdapter","pWidth","pHeight","BufferToPresent","pMaxLatency","pRect","Rect","YCbCrFlags","pMatrix","PartnerFlags","pClosestSmallerPresentDuration","pClosestLargerPresentDuration","iOutputType","DxgAdapter","Acquired","ProcessHandle","PagingLevel","FlipEntryVsyncMultiplier","VidPnSourceVsyncMultiplier","OldFlipInterval","NewFlipInterval","OldBaseDesktopDuration","CurrentHwDuration","NewBaseDesktopDuration","OldDurationPlane","NewDurationPlane","OldDuration","OldRefreshRateMultiplier","NewRefreshRateMultiplier","CompSurfaceLuid","CancelFromPresentId","FlipQueueWaitingOrderIndex","AbortedSoftwarePresentP
ackets","CancelFromFlipEntryIndex","CancelToFlipEntryIndex","DpcFrameNumber","OriginalDpcFrameTime","SmoothenedDpcFrameTime","SmoothenedDpcFrameTime100ns","FrameTimeDeltaIn100ns","VsyncState","VSyncOnTotalTimeMs","VSyncOffKeepPhaseTotalTimeMs","VSyncOffNoPhaseTotalTimeMs","ScreenOnVSyncOnTimeMs","ScreenOnVSyncOffKeepPhaseTimeMs","ScreenOnVSyncOffNoPhaseTimeMs","ScreenOffVSyncOnTimeMs","ScreenOffVSyncOffKeepPhaseTimeMs","ScreenOffVSyncOffNoPhaseTimeMs","PlaneId","FlipsCompletedCount","CompletionTimeStamp","CurrentSmoothenedVSyncPeriodQpc","NewDefaultVSyncPeriodQpc","SmoothenedPeriodQpc","CurrentModeRefreshPeriodQpc","HwPresentDurationQpc","FlipManagerId","VSyncEnable","ReprogramResult","DdiNtStatus","CancelRequestedPresentId","CancelledFromPresentId","CancelledToPresentId","RequeueFromeSubmitSequence","RequeueToSubmitSequence","FlipMmIoPendingMask","VidMmAlloc","Requeued","EngineOrdinal","LastHwCompletedFenceId","LastHwSubmittedFenceId","NumberOfPendingSuspendRequests","NumberOfReadyInteractiveHwQueues","FrameQPCTime","OldVsyncWaiters","NewVsyncWaiters","VSyncIdleCount","MonitorDescriptorLength","MonitorDescriptor","MiniportContext","MonitorDescriptorBuffer","MiniportDeviceContext","I2CInterfaceVersion","InputDataLength","OutputDataLength","InputBufferPtr","OutputBufferPtr","ScannedPhysicalAddress","hFlipDevice","FlipType","FlipFenceId","PublicPriority","SchedulingPriority","KnownProcessBoostEnabled","HighPriorityRunsToCompletion","IgnoreGpuPriorityChange","SmallQuantumEnabled","AttemptResult","ReadyContextPriorityMapBits","ReadyNodeSwMapBits","ReadyNodeHwMapBits","NbVidPnSources","HighestAcceptableAddress","MaxSlotId","ApertureSegmentCommitLimit","MaxPointerWidth","MaxPointerHeight","NumberOfSwizzlingRanges","MaxOverlays","MaxQueuedFlipOnVSync","PointerCaps","GammaRampCaps","PresentationCaps","AlignmentShift","MaxTextureWidthShift","MaxTextureHeightShift","FlipCaps","SchedulingCaps","ReservedMemoryManagementCaps","PagingNode","NbAsymetricProcessingNodes","ReservedTo
pology","NumPowerComponents","pMiniportContext","VirtualGpuLuid","hDevice","RequestVSync","DisableGpuTimeout","hThunkHandle","DxgProcess","HostDeviceHandle","VirtualGpu","EngineAffinity","DmaBufferSize","DmaBufferSegmentSet","DmaBufferPrivateDataSize","AllocationListSize","PatchLocationListSize","ParentDxgContext","allocSize","ulAlignment","dwReadSegment","dwWriteSegment","PreferredSegment","HintedBank","dwEvictionSegment","hVidMmGlobalAlloc","hDxgGlobalAlloc","hDxgSharedResource","UsageVersion","UsageFlags","SwizzledFormat","Pitch","SlicePitch","BackingStoreWasPinned","pSectionObject","PageTableOrDirectory","hVidMmAlloc","hDxgResource","hThunkAllocation","hThunkResource","PrivateRuntimeResourceHandle","pVirtualAddress","hProcessAllocDetails","hOtherPartitionHandle","hAllocationHandle","uiLockStatus","pDmaBuffer","uiNbAllocations","Allocations","Write","PatchLocationCount","PatchLocationAllocationIndex","PatchLocationSlotId","PatchLocationReserved","PatchLocationDriverId","PatchLocationAllocationOffset","PatchLocationPatchOffset","PatchLocationSplitOffset","hAllocationGlobalHandle","uiType","bTemporary","hDmaBuffer","ContinueNextBuffer","TransferOffset","SourceSegmentId","SourceSegmentOffset","DestinationSegmentId","DestinationSegmentOffset","FillSize","FillPattern","OffsetInPages","NumberOfPages","EvictionResource","SwizzlingRangeId","SwizzlingRangeData","uiAllocationListLength","uiPass","uiStatus","ProcessCommittedState","MinAddress","MaxAddress","NoEvict","TrimmingPriorityLimit","Restriction","PlacementRestriction","SegmentGroup","pVidMmGlobalAlloc","hGlobalAllocationHandle","cReads","cPages","DmaSize","ulSegmentId","CpuTranslatedAddress","NbOfBanks","SystemMemoryEndAddress","MemorySegmentGroup","Pinned","AllocationPriorityClass","ulHysteresisCount","ulHysteresisNext","UseDefault","MinimumWorkingSetPercentile","MaximumWorkingSetPercentile","hAdapter","hSyncObject","SharedHandle","InitialValue","ObjectArray","RefreshRate.Numerator","RefreshRate.Denominator","ScanL
ineOrdering","DisplayFixedOutput","NumSamples","NumQualityLevels","RefreshRateNumerator","RefreshRateDenominator","Src","Dst","SrcWidth","SrcHeight","DstWidth","DstHeight","Accelerated","SolidColor","ConfigSpaceSize","ConfigSpace","ChainUid","NumberOfLinksInChain","LeadLink","SubVendorID","SubSystemID","RevisionID","VidPnSourceIdNotToInvalidate","VidPnChange","ReclaimClonedTarget","CleanupAfterFailedCommitVidPn","ForceAllActiveVidPnModeListInvalidation","ModeChangeRequestId","RunningTime","RemainingQuantum","RemainingYieldBudget","QuantumStatus","FlipSubmitSequence","FlipToDriverAllocation","FlipToPhysicalAddress","FlipToSegmentId","FlipPresentId","FlipPhysicalAdapterMask","ullValue","StackLocationSize","StackLocation","NumVidPnSources","StatusBlock","ProtectedCallbackContext","ProtectionStatus","ChildRelationSize","ChildDescriptors","ChildUid","NonDestructiveOnly","DeviceDescriptorOffset","DeviceDescriptorLength","DeviceDescriptor","DeviceDescriptorBuffer","DeviceUid","AcpiFlags","PresentHistoryToken","hSourceAllocation","hDestAllocation","bSubmit","bRedirectedPresent","Source.Left","Source.Right","Source.Top","Source.Bottom","Dest.Left","Dest.Right","Dest.Top","Dest.Bottom","SubRectCount","SourceLeft","SourceRight","SourceTop","SourceBottom","RectCount","FlipToAllocation","FlipInterval","FlipWithNoWait","MMIOFlip","TokenSize","CustomDuration","VmBusChannel","hQueuePacketContext","uliSubmissionId","ulQueueSubmitSequence","uliCompletionId","bPreempted","InterruptType","FaultedVirtualAddress","PageFaultFlags","FaultedProcessHandle","SubmitSequence","bPresent","pQueuePacket","ProgressFenceValue","bTimeouted","SyncGPUTime","IsDWMStats","hWindow","hSrcAllocHandle","hDstAllocHandle","FenceId","ProcessorFrequencyInMHz","NumberOfTimestamps","PacketIndex","WdLogIndex","ContextIndex","DestroyReason","PresentRgnDirtyRectCount","PresentRgnMoveRectCount","DirtyRectIntCount","MoveRectIntCount","MoveRects","HotSpot.x","HotSpot.y","HotSpotx","HotSpoty","AcquiredMutex","Accumulated
Frames","AccumulatedFrameUpdated","StatusBits","LastPresentTime","LastMouseUpdateTime","RectsCoalesced","ProtectedContentMaskedOut","PointerPosition.Position.x","PointerPosition.Position.y","PointerPosition.Visible","TotalMetadataBufferSize","PointerShapeBufferSize","PointerPositionPositionx","PointerPositionPositiony","PointerPositionVisible","MetaDataType","BufferSizeSupplied","BufferSizeRequired","DirtyCount","MoveCount","ColorFormat","ScrollRect.left","ScrollRect.right","ScrollRect.top","ScrollRect.bottom","ScrollOffset.X","ScrollOffset.Y","DirtyRectCount","SourceRect.left","SourceRect.right","SourceRect.top","SourceRect.bottom","TargetRect.left","TargetRect.right","TargetRect.top","TargetRect.bottom","ScrollRectleft","ScrollRectright","ScrollRecttop","ScrollRectbottom","ScrollOffsetX","ScrollOffsetY","SourceRectleft","SourceRectright","SourceRecttop","SourceRectbottom","TargetRectleft","TargetRectright","TargetRecttop","TargetRectbottom","AdapterOrdinal","PreemptionTime","SchedulingDelay","Mapping","IsHeapBlock","InternalFlags","QueuePacket","RemovalType","RemoveFromWorkingSet","DxgSyncObject","DxgSyncObjectArray","RecordCount","RecordTime","PresentPlaneCount","hAllocation","NumFilters","HDRMetaDataType","SDRWhiteLevel","FlipEntryStatusAfterFlip","FunctionalDeviceObject","Engaged","GpuFrequency","GpuClock","CpuClock","DmaSubmissionSequence","HighestPriorityLevelOfThresholdExceeded","HighestPriorityLevel","ThresholdExceededPriorityMapBits","TickFrequency","PriorityLevelToSchedule","ReadyContextMapBits","bInYieldState","bYieldStateStartTimeInitialized","bYieldingDone","YieldStartTime","SwapChainIndex","CompositionSurfaceLuid","FlipTrueImmediate","PresentAtQpc","SuppressVSync","Entering","compositionSurfaceLuid","Plane","ApprovedPresentDuration","PendingIndependentFlip","RequestedByDwm","confirmationCookie","Optimized","MiracastMonitorType","PresentIdOrPhysicalAddress","FlipEntryCount","FlipQueues","FlipQueueIntervalTarget","NonBoostedVsyncFrame","InterruptTargetP
resentId","TotalBytesResident","OldBrightness","NewBrightness","OldOptimizationLevel","NewOptimizationLevel","pDxgAdapterAllocation","GdiSurfaceType","GdiSurfaceFlags","hProcessAlloc","MonitoredFenceValue","InternalFlagsFlags","hAsyncEvent","SyncPointId","ContextArray","SubmissionIdArray","WaitConditionCount","FenceValues","SyncObjects","DxgSyncObjects","uiNbWrittenPrimaries","WrittenPrimaries","AllocationOffset","SourceVirtualAddress","DestinationVirtualAddress","SourcePageTable","DestinationPageTable","SegmentAddress","GpuVirtualAddress","PageTableLevel","PageTableAddress","NumPageTableUpdateEntries","PageTableEntries","PageTableEntries64KB","DriverProtection","AllocationOffsetInBytes","hProcess","UpdateMode","FirstPteVirtualAddress","PageTableObject","RootPageTableSegmentId","RootPageTableSegmentOffset","StartVirtualAddress","EndVirtualAddress","ContextAllocation","ContextAllocationSize","pDriverPrivateData","DriverPrivateDataSize","SourceDimension","DestDimension","YUV","ColorSpaces","DWMCount","VsyncFlag","VsyncWaiters","VsyncType","pVidMmAlloc","ResidencyCount","DxgDevice","PagingQueue","PagingQueuePacket","SequenceId","VidMmOpType","Alloc","PagingQueueType","ExecutionTime100ns","VaRangeStart","VaRangeSize","ProcessStatus","OwnerOffset","Protection","MappedAllocationBase","MappedAllocationSize","pPagingQueue","pSyncObject","NumAllocations","NumBytesToTrim","PagingFenceValue","pAlloc","bFallbackToSystemMemory","VidMmDevice","PageInPass","OverBudget","PriorityBandRestriction","PageInPreferredOnly","Recoverable","FailedVidMmAlloc","pDxgDevice","TargetBand","pYieldedTo","YieldingPriority","YieldBudget","YieldExpirationInterval","YieldTimerExpirationInterval","YieldCondition","FlushSchedulerReason","YieldPriorityBand","NewBudget","OldBudget","NewPriorityBand","OldPriorityBand","OldVisibilityState","NewUsage","OldUsage","Commitment","OldCommitment","PriorityClass","hVidmmGlobalAlloc","OldOwnerPid","NewOwnerPid","hNotificationAdapter","TimeOffset","pVidSchSyncObject"
,"RefreshPeriod","hNotification","pHighResolutionTimer","IsrFrameTimeValue","DueValue","DefaultQuantum","LastRunningTimeCalculatedAt","LastRunningTime","YieldPriorityLevel","PostCompositionSrcRect.left","PostCompositionSrcRect.right","PostCompositionSrcRect.top","PostCompositionSrcRect.bottom","PostCompositionDstRect.left","PostCompositionDstRect.right","PostCompositionDstRect.top","PostCompositionDstRect.bottom","HDRMetaDataSpecified","FlipDoNotFlip","FlipIntervalTarget","ThisFlipEarliestIdealTimeQpc","TargetFlipTimeQpc","TargetFlipTimeDeltaMs","VidPnSourceVisibilty","PacketCompleted","GrowRatio","CurrentRatio","CapacityRatio","DpcFrameTimeValue","ParentDxgHwQueue","QueriedSize","SourceMaskFlushHwAndAbortSwQueue","SourceMaskFlushHwAndKeepSwQueue","SourceMaskDisableAllPlanes","SourceMaskSuspendScheduler","SourceMaskResumeScheduler","CurrentUsingSource","NewUsingSource","ChangedSource","RemovedSource","NeedToActivateSource","ActivityChangedSource","TopologyChangeSource","UpdatedSource","RotatedSource","PriorityChangeSource","ReclaimSource","RenewModeListSource","MonitorChangedSource","PowerOffSource","HMDUsingSource","HiddenSource","VirtualRefreshRateChangeSources","CpuTimestamp0","GpuTimestamp0","CpuTimestamp1","GpuTimestamp1","SchedulingLogSize","SchedulingLogData","pDxgObject","pSchObject","hKmdHandle","hOsHandle","MonitoredFenceGpuVa","NumberOfULongPtrsInNodeMask","hTrackedWorkload","SubmissionTime","RequestedDeadline","CompletionDeadline","DeadlineOffsetInMs","TotalMissedDeadlines","DeadlineType","hContextArray","TargetPowerLevel","EffectivePowerLevel","NumberOfQueuedPendingFlip","NewContextState","LastFrameTime","DxgContext","DmaBufferVirtualAddress","AllocationCount","DxgAllocation","DriverHandle","WriteOperation","FromUserMode","HostProcessHandle","ProcessFlags","ProcessIdInVm","DxgProcessInVm","DxgVirtualMachine","ProcessNameInVm","VmwpProcess","VmmemProcess","DxgVirtualGpu","VirtualGpuType","SegmentDriverSegmentId","m_desiredCapRatio","m_minPowerLevel","m_m
axPowerLevel","m_curEntry","m_info0_state","m_info0_meanCapacityRatio","m_info0_varianceCapacityRatio","m_info0_powerLevel","m_info0_effectivePowerLevel","m_info0_remainingIterations","m_info0_valid","m_info0_saturated","m_info1_state","m_info1_meanCapacityRatio","m_info1_varianceCapacityRatio","m_info1_powerLevel","m_info1_effectivePowerLevel","m_info1_remainingIterations","m_info1_valid","m_info1_saturated","m_info2_state","m_info2_meanCapacityRatio","m_info2_varianceCapacityRatio","m_info2_powerLevel","m_info2_effectivePowerLevel","m_info2_remainingIterations","m_info2_valid","m_info2_saturated","m_info3_state","m_info3_meanCapacityRatio","m_info3_varianceCapacityRatio","m_info3_powerLevel","m_info3_effectivePowerLevel","m_info3_remainingIterations","m_info3_valid","m_info3_saturated","m_info4_state","m_info4_meanCapacityRatio","m_info4_varianceCapacityRatio","m_info4_powerLevel","m_info4_effectivePowerLevel","m_info4_remainingIterations","m_info4_valid","m_info4_saturated","m_durationStatsInMS_index","m_durationStatsInMS_count","m_durationStatsInMS_windowSize","m_durationStatsInMS_mean","m_durationStatsInMS_variance","m_durationStatsInMS_min","m_durationStatsInMS_max","m_durationStatsInMS_needsUpdate","m_capRatioStats_index","m_capRatioStats_count","m_capRatioStats_windowSize","m_capRatioStats_mean","m_capRatioStats_variance","m_capRatioStats_min","m_capRatioStats_max","m_capRatioStats_needsUpdate","m_deadlineOffsetStatsInMS_count","m_deadlineOffsetStatsInMS_min","m_deadlineOffsetStatsInMS_max","m_deadlineOffsetStatsInMS_sum","m_deadlineOffsetStatsInMS_sum2","DeviceHandle","AgentID","EventData1","EventData2","EventData3","EventData4","EventData5","BoostedVSyncFreqEligible","IsNonBoostedVsyncFrame","GpuMemoryFrequency","GpuPower","GpuTemperature","GpuFanRPM","EngineFrequency","EngineVoltage","EngineMaxTransitionLatency","DdiQueryElapsedTimeInMs","NumOperations","VidSchSyncObject","VidSchContext","NewVSyncWaiterCount","AbsolutePriority","PriorityBand","PriorityLev
el","FlipQueuePlaneIndex","ThisFlipSubmitSequence","StallEntryFlipSubmitSequence","FlipPassivePendingMask","HwQueuePendingFlips","HwQueuePendingFlipsPlaneIndex","HwFlipQueueDrainNeeded","CandidateFlipPresentCount","CandidateFlipPresentAtQpc","MaxAcceptablePresentTimeQpc","TimeDelta100Ns","CandidateFlipReady","DriverSupportState","PlaneTotalPendingFlip","pVidMmDevice","SchClassType","TaskRuntime","VidSchSyncObjectArray","AlwaysSignaled","pCpuEvent","pGuestCpuEvent","FlipCompletedFrameTime","HwFlippedAtQpc","HwPresentDuration","ReportedCompletedTime","ReportedDuration","MaxChunkPrivateDriverDataSize","MiracastCaps","MiracastContext","InputBufferSize","OutputBufferSize","MiracastLuid","SqmStringEntry","MiracastStopSessionReason","StatusForStopReason","MiracastStartSessionStage","MiracastStopSessionStage","MiracastDeviceState","MiracastDeviceStatus","ChunkType","PartNumber","EncodeRate","PrivateDataDriverSize","hMiracastDeviceHandle","pMiracastCallbacks","CurrentBitRate","LocalMaxBitRate","RemoteMaxBitRate","MiracastSessionInfo","MiracastSessionStatus","HardwareAccess","TimeoutInMilliseconds","AdditionalWaitEventCount","PrivateDriverDataSize","OutstandingChunksToProcess","pfnDataRateNotify","ProtocolEvent","EncoderBitRate","CurrentMaxTxDataRate","FailedFrameCount","MultipleRetryFrameCount","RetriedFrameCount","TransmittedFrameCount","MaxLocalRate","MaxRemoteRate","MiracastStartSessionFailPoint","StartSessionFailureCode","GraphicsDeviceId","SinkDeviceInformation","Step","StopSessionReason","StopSessionErrorCode","AssociationId","DroppedFrames","TotalFrames","GraphicsDriverVersion","AverageFrameLatency","IFrameRequests","GraphicsDeviceDescription","TotalProcessedFrames","TotalDroppedFrames","TotalDriverProcessTime","TotalIFrameRequests","TotalDroppedFrameReports","MaxDroppedFramesInOneBucket","TotalIFrameRequestReports","MaxIFrameRequestsInOneBucket","TotalGraphicsLatencyReport","MaxIAverageGraphicsLatencyInOneBucket","pSwapChain","bProducer","SurfaceCount","hBufferAvaila
bleEvent","hNtSwapChain","SurfaceIdx","hVidMmAllocation","ProducerEventSignaled","ClientEventSignaled","bReleaseBeforeAcquire","AcquiredBufferIdx","AcquireMetadataSize","EventSignaled","bGlobal","pMetaDataBuf","DataCopied","MetaDataDword1","MetaDataDword2","MetaDataDword3","MetaDataDword4","NewIndirectFrame","DisplayTime","SubmissionToDisplayTimeDelta","UpdateLocation","CurRefreshCount","LastVSyncTime","LastVSyncTimeSnapped","FramePeriod_QPC_x100","Corrections","FrameQpcDisplayTime","OriginalFrameQpcDisplayTime","FrameSubmissionTime","OriginalFrameQpcDisplayTimeDelta","CalculationMethod","PresentOnVSyncCount","KMTHandle","pDxgSyncObject","FrontOfQueue","AddReason","ContextPtr","KeyedMutexCount","KeyedMutexIdx","PresentUpdateStatusCurrent","bAccumulatedFrameUpdated","bKeyMutexTriggered","PresentUpdateStatusAccumulated","bAcquiredMutex","bConsumerAcquired","bConsumerDeviceStillProcessingFrame","bNewUpdateReady","bMovedCurrentPresentsToAccumulated","bKeyedMutexReleasedToConsumer","bUsedGdiRgn","hSrc","hDst","BltRectCounts","RedirectedForIndirectDisplay","CertificateSize","DriverProtectedOutputHandle","ExternalProtectedOutputHandle","InformationGuid","SettingGuid","AdditionalParametersSize","ProtectionType","ProtectionLevel","SupportedProtectionTypes","ConnectionChangeId","ConnectionStatus","NewTargetId","hSyncObj","hCompSurface","VidMmSegment","VidMmGlobalAlloc","Activation","DAM","TimeInMS","GuestEvent","VsyncEvent","VsyncTypeAtStart","VsyncTypeAtEnd","OutAdapterRuntimeSupport","SystemHasMux","OutDriverSupport","OutSwitchPrivateDataSize","SwitchPrivateDataSize","OutPrivateDataGuid","MuxSwitchedToTarget","PrivateDataGuid","OutWasPanelInPSR","NextVsycQpcTime","CurrTime","CurrFreq","VSyncPeriod","BltQueueWakeReason","VSyncWork","UpdateModeWork","FlushWork","TargetDWMVSync","TimeoutOccurred","FrameIsDone","LastFrameNumber","NewPresentCount","IndirectPresentTargetVSync","Brightness3Supported","HostSyncQPCTime","pGlobalAlloc","AllocationSizeInBytes","NumberOfContiguousPages
","NumLargePagesRequested","NumLargePagesCreated","TotalSizeInBytes","NonContiguousBytes","NumBytesUpgraded","PerfTrack_Uniqueness_Id","Misc_ActiveVidPnBasedDisplayModeListSizeSum","Misc_UniqueModesFromUnionListSizeSum","CallCount_GetUniqueModesFromUnionList","CallCount_DXGADAPTER_DdiEnumVidPnCofuncModality","CallCount_DXGK_VIDPNSOURCEMODESET_INTERFACE_V1_IMPL_AcquirePinnedModeInfo","CallCount_DXGK_VIDPNSOURCEMODESET_INTERFACE_V1_IMPL_CreateNewModeInfo","CallCount_DXGK_VIDPNTARGETMODESET_INTERFACE_V1_IMPL_AcquirePinnedModeInfo","CallCount_DXGK_VIDPNTARGETMODESET_INTERFACE_V1_IMPL_CreateNewModeInfo","CallCount_DXGK_VIDPNTOPOLOGY_INTERFACE_V1_IMPL_AcquireFirstPathInfo","CallCount_DXGK_VIDPNTOPOLOGY_INTERFACE_V1_IMPL_AcquireNextPathInfo","TickCount_GetUniqueModesFromUnionList","AdapterFdoContext","DisableD3Requests","GetMiniportStatus","Server Offered Method","Client Requested Method","ServerOfferedMethod","ClientRequestedMethod","DestinationLeft","DestinationTop","DestinationRight","DestinationBottom","InitialX","InitialY","DestinationX","DestinationY","IsTracking","FullscreenTrackingMode","CpuEnergy","SocEnergy","DisplayEnergy","DiskEnergy","NetworkEnergy","MbbEnergy","OtherEnergy","RecordFlags","CpuId","CurrentFrequency","LastBusyFrequency","Energy","UniqueProcessId","NumberOfThreads","NetworkTailEnergy","MBBTailEnergy","NetworkTxRxBytes","MBBTxRxBytes","BucketCount","WindowInformation","ForegroundReportTimestamp","ForegroundTime","BucketedCycles","UniqueApplicationId","ForegroundCycleTime","BackgroundCycleTime","ForegroundActiveTime","ForegroundBytesRead","ForegroundBytesWritten","BackgroundBytesRead","BackgroundBytesWritten","ForegroundDiskEnergy","ForegroundNetworkTailEnergy","ForegroundMBBTailEnergy","ForegroundNetworkTxRxBytes","ForegroundMBBTxRxBytes","BackgroundDiskEnergy","BackgroundNetworkTailEnergy","BackgroundMBBTailEnergy","BackgroundNetworkTxRxBytes","BackgroundMBBTxRxBytes","ForegroundCycles","BackgroundCycles","EnergyDelta","CurrentValue","BatteryDrai
n","EstimatedEnergy","ResidualEnergy","AgeInSec","AdjustedEnergy","MaxCapacity","EstimatedTime","ForegroundTimeDelta","InteractivityState","FcousTime","VisibleTime","MinimizedTime","BackgroundScreenOffmJ","BackgroundScreenOnmJ","ForegroundScreenOffmJ","ForegroundScreenOnmJ","SruWorkItemType","PdcClientId","LastSnapValue","CurrSnapValue","LastStandbyTotal","CurrStandbyTotal","DeltaStandbyTotal","LastDripsTotal","CurrDripsTotal","DeltaDripsTotal","LastActivationTotal","CurrActivationTotal","DeltaActivationTotal","StandbyDuration","NonDripsDuration","PdcDuration","BIDuration","TargetedBIEnergy","ActualBIEnergy","UnknownEnergy","DripsPowerFloorMilliWatts","NonDripsPenaltyMilliWatts","GpuEnergy","LossEnergy","EmiEnergy","ForInternalUse","TimeInMSec","RecordMeasured","Committed","WorkOnBehalfCPUEnergy","AttributedCPUEnergy","NpuEnergy","DisplayTechnology","RegistryValue","MinimumValue","MaximumValue","MinimumPointCount","FirstBrightnessPercent","LastBrightnessPercent","BacklightPower","MaximumBacklightPower","CurrentBrightnessPercent","PreviousBrightnessPercent","CurrentBacklightPower","PreviousBacklightPower","KernelFlags","Authentication","RetryIntervalMs","FaultMessage","SqmType","SqmSessionGuid","SqmSid","SqmWindowsSessionId","SqmSessionFlags","SqmID","SqmDWORDDatapointValue","SqmStringDatapointValue","SqmStreamRowLength","SqmStreamRow","SqmProcessHashValue","SqmDWORD64DatapointValue","SqmStreamEntriesSize","SqmStreamEntries","SqmStreamFlags","DiskSignature","NetInterfaceName","PTRRecord","ARecord","ComputerAccount","ResourceControl","MissingPrivilegeList","ServiceSIDType","Preemptor","Preemptee","ResourceTypeName","NetftDisplayName","AddressProperty","DependantName","SafeCopy","LocalNodeName","RemoteNodeName","ArbitrationDelay","LocalSecurityLevel","RemoteSecurityLevel","NewFileName","NetworkNameResourceName","NumberOfSharesChecked","LastShareError","BadDatabaseFilePath","DatabaseFilePath","ComputerObject","OU1","OU2","VSID","RDID","UngracefulShutdownThreshold","RegV
alue1","RegValue2","DriverNames","MaximumTimeMinutes","CcDirtyPageThreshold","CcTotalDirtyPages","SnapshotVolume","DiffVolume","NodeNames","SMBInstance","SnapshotAgeLimit","SnapshotOriginNode","SnapshotDateTime","RequestsBeingProcessed","RequestsWaitingToBeProcessed","ReceivedRequests","ProcessedRequests","RequestInterval","ProcessingRate","ThresholdTimeInSec","SlowOperations","TimeFrameInSec","RequiredVotes","RunningVotes","NodesWithWeight","ScbState","ScbCondition","ScbConditionStatus","ScbDownlevelOplockLevel","CcbFlags","RealFileObject","BindingAttributes","DirtySlots","CacheDeviceId","CatalogPath","CatalogPath2","InitialPosition","FileRecordId","Sort","LibraryName","IteratorName","OverwriteIfExists","DestPath","OldQuota","NewQuota","CatalogPath1","BackupType","StopSync","CommandLineParameters","SearchFlags","Prop_TotalDiskSpaceBytes","Prop_FreeDiskSpaceBytes","Prop_StorageSpaceInCloudBytes","Prop_StorageSpaceOnDiskBytes","Prop_LowDiskSpaceLimitBytes","A12_CallbackNodeInstance","A13__CallbackNodeInstanceAltitude","A14_CallbackNodeInstanceFilter","A15__CallbackNodeInstanceFilterName","A16_IrpCtrlInitiatingInstance","A17_eventFileObject","A18_eventFsContext","A19_status","A20_IrpCtrlTraceStatus","FMS_ETW","LocalNetworkInterface","FTPDataPort","LowPort","HighPort","ConfigFile","SitesSectionLineNumber","Occurence","LogFileTruncateBytes","RangeLow","RangeHigh","Site","ConfigSection","ConfigNode","ValidValues","ComPlusApplication","ControllerBiosName","PinNumber","PinMask","EnableRegister","MaskRegister","StatusRegister","NonEnabledActiveInterrupts","ReplayRegister","ConvertibleState","DockState","GPOCNName","DSObjectName","GPO_File_System_Path","Script_Name","GPODisplayName","GPOFileSystemPath","GPOScriptCommandString","GPTriggerEventGuid","MaximumPositiveDeltaProcessor","MaximumPositiveDelta","MaximumNegativeDelta","Microseconds","UserGroup","EndpointID","EndpointLocation","EndpointIPv4Address","EntityUniqueId","ParentEntityType","ParentEntityKey","ParentEntityDescr
iption","ParentEntityLocation","ParentEntityUniqueKey","GroupKey","RelationshipType","HeapSnapshotInstance","HeapSnapshotSequence","HeapSnapshotBufferLen","HeapSnapshotBuffer","TotalData","IsTpmSecure","IsInsecureTpmBlockedByWHfBPolicy","IsInsecureTpmBlockedByTpmPolicy","IsTpmSatisfactory","sessionid","ReceiveStart","ReceiveHeadersEnd","ResponseStart","ResponseEnd","BufferedSend","PerfCounterPeriod","StatsType","StatsLength","StatsData","HighestHotAddPage","MinPageCount","IsHighestPageDetermined","SupportsHotAdd","SupportsHotRemove","SupportsContiguousAllocations","SupportsFastContiguousAllocations","SupportsHugePageAllocations","FailurePhase","AuxData","AuxiliaryData","TotalSystemPages","TotalPagesRequested","ProximityDomainCount","AllocationPass","ProximityDomainIndex","ProximityDomainId","TotalDomainPages","PagesRequested","PagesAllocated","HsrInUse","BaseLocation","FeaturesRequired","FeaturesPresent","Leaf1Eax","VmCrMsrValue","SvmFeatureEax","HasWorkingSmm","LeafNumber","BSPCpuidData","APCpuidData","CustomerIpv4Addr","CustomerIpv6AddrLength","CustomerIpv6Addr","ProviderIpv6AddrLength","ProviderIpv6Addr","CustomerMacAddr","PermanentFlag","NonUniquePAFlag","MacMappingFlag","L4LoadBalanced","L3LoadBalanced","OriginalDestMacAddr","NewDestMacAddr","SrcCustomerIpv4Addr","SrcCustomerIpv6AddrLength","SrcCustomerIpv6Addr","DestCustomerIpv4Addr","DestCustomerIpv6AddrLength","DestCustomerIpv6Addr","SrcProviderIpv4Addr","SrcProviderIpv6AddrLength","SrcProviderIpv6Addr","DestProviderIpv4Addr","DestProviderIpv6AddrLength","DestProviderIpv6Addr","MacLookupFlag","CaRouteFlag","UseMappingIsolationIdFlag","TransmitQueueDepth","TransmitBurstSize","ReceiveBurstSize","UnderUtilizedPct","OverUtilizedPct","HeadroomPct","RampupTimeMs","MinRateMbps","NicLinkSpeed","NicLinkSpeedGuarantee","NumQueues","DefaultQueueDepth","DefaultQueueBurstSize","DefaultQueueUnderUtilizedPct","DefaultQueueOverUtilizedPct","DefaultQueueHeadroomPct","DefaultQueueRampupTimeMs","DefaultQueueMinRateMbps","Queue
Reservation","IsBroadcast","InnerForwarding","OutSrcMacAddr","OutDstMacAddr","InnerDstMacAddr","EncapsulationTypes","MaxHeaderSizeSupported","NvgreTransmitChecksumOffloadSupported","NvgreReceiveChecksumOffloadSupported","NvgreLsoV2Supported","NvgreRssSupported","NvgreVmqSupported","VxlanTransmitChecksumOffloadSupported","VxlanReceiveChecksumOffloadSupported","VxlanLsoV2Supported","VxlanRssSupported","VxlanVmqSupported","VxlanUDPPortNumber","VxlanUDPPortNumberConfigurable","ClientIp","ClientMac","AssignedIp","ServerIp","RequestedIp","RelayIp","DnsIp","SrcIp","DstIp","IsPending","NumEncaps","EncapType0","EncapSrcMacAddr0","EncapDestMacAddr0","EncapSrcIpv4Addr0","EncapDstIpv4Addr0","TenantId0","EncryptVxlanId0","EncapType1","EncapSrcMacAddr1","EncapDestMacAddr1","EncapSrcIpv4Addr1","EncapDstIpv4Addr1","TenantId1","EncryptVxlanId1","DestMacAddr","EncapTransposition0","EncapTransposition1","Transposition","IsSecondary","IsMirror","IsHairpin","HairpinChecked","OriginalInbound","EncapDstIpv6Addr0","EncapDstIpv6Addr1","CounterCapabilities","SupportedTableTypes","SupportedEncapsulationTypes","SupportedIngressExactMatchTableActions","SupportedEgressExactMatchTableActions","SoftwareSupportedIngressExactMatchTableActions","SoftwareSupportedEgressExactMatchTableActions","SupportedIngressWildcardMatchTableActions","SupportedEgressWildcardMatchTableActions","SoftwareSupportedIngressWildcardMatchTableActions","SoftwareSupportedEgressWildcardMatchTableActions","NumPacketCounterObjects","NumByteCounterObjects","NumPacketByteCounterObjects","NumPacketByteCounterAndStateObjects","NumCounterObjectsPerIngressExactMatchFlowEntry","NumCounterObjectsPerEgressExactMatchFlowEntry","NumCounterObjectsPerIngressWildcardMatchFlowEntry","NumCounterObjectsPerEgressWildcardMatchFlowEntry","GftProviderFlowEntryId","CurrSysTime","GftTimeStamp","GftUpdateElapsedInTtlUnits","MaxTtl","PrevNumPackets","PrevNumBytes","TargetPortId","TargetPortName","TargetPortFriendlyName","OriginalPacket","VpCount","PinBa
ckingPages","DeferredCommit","PrivateCompressionStore","HotHints","ColdHints","ColdDiscardHints","EnlightenedPageFaults","BackingPageSizeType","FaultClusterSizeInPages","DirectMapFaultClusterSizeInPages","MbpArraySize","PageCountToBack","KsrBlockId","KsrMemoryRunCount","KsrPersisted","StartGpaPage","StartMbp","MbpCount","InterceptOverrideFlags","TotalPageCount","TotalRemotePageCount","RangeList","MissingFeatures","GuestProcessorFeature","HostProcessorFeature","OffloadHandle","IPSecOffloadLimit","VMQOffloadWeight","IovOffloadWeight","QueuePairs","InterruptModeration","SecurityConflict","LocalIPAddrLen","LocalIPAddr","RemoteIPAddrLen","RemoteIPAddr","LocalPortLen","RemotePortLen","Stateful","IdleSessionTimeout","DefaultQueueVrssEnabled","DefaultQueueVmmqEnabled","DefaultQueueVrssMaxQueuePairs","DefaultQueueVrssMinQueuePairs","DefaultQueueVrssQueueSchedulingMode","DefaultQueueVrssExcludePrimaryProcessor","DefaultQueueVrssIndependentHostSpreading","NewNumTotalMacAddresses","OldNumTotalMacAddresses","NicObjectHeaderState","QueueSizeMBytes","QueueLimitMBytes","VmErrorCode0","VmErrorCode1","VmErrorCode2","VmErrorCode3","VmErrorCode4","VmErrorMessage","VmPreOSId","VmHvOSId","VmVtl","IdleStatusGuid","TraceDescription","ReqType","CacheExist","DatExist","numElements","DefaultLangId","lastOverrideToken","newOverrideToken","RawURL","UrlType","HC","PC","DV","FV","OSV","BrowserLang","TopURL","RawTopURL","TopReferURL","RawTopReferURL","Threats","FramesCount","WhyString","FrameURL","RawFrameURL","FramePCL","FrameTricks","Framekeywords","FrameUrlType","FrameIP","THREAT","HasAnyInputFields","HasPasswordField","LinksCount","TopTargetCount","CanonURL","XML","FinalHRESULT","UrsStatus","AllUrlsFoundInDat","BlockedUrl","IsBlockedUrlTopFrame","BlockedUrlCategories","UrlFetchState","ScriptSource","RedirectUri","FinalResult","ApplicationPoolName","EnabledFieldsFlags","cip","csusername","ssitename","scomputername","sip","csmethod","csuristem","csuriquery","scstatus","scwin32status","scbytes","
csbytes","timetaken","csUserAgent","csCookie","csReferer","csversion","cshost","scsubstatus","CustomFields","HttpSysControlChannelProperty","CmdValue","LogEnabled","LogFileDirectory","LogPeriod","LogTruncateSize","LogExtFileFlags","LocalTimeRollover","BindingString","timePeriod","HostAddress","IsapiFilter","IsapiExtension","UrlList","UnhealthyReason","InvalidConfig","ConfigException","XslFile","PreCondition","CLRConfigFileName","CLRLoaderDllPath","DeviceHardwareID","PrimaryCategory","SystemModeFrom","SystemSubModeFrom","SystemModeTo","SystemSubModeTo","ZbandFrom","ZbandTo","ListenerIndex","OuterWorkArea_left","OuterWorkArea_top","OuterWorkArea_right","OuterWorkArea_bottom","InnerWorkArea_left","InnerWorkArea_top","InnerWorkArea_right","InnerWorkArea_bottom","FocusedHWND","IHMPosition_left","IHMPosition_top","IHMPosition_right","IHMPosition_bottom","UIName","Unprocessed Resource String","Processed Resource String","UnprocessedResourceString","ProcessedResourceString","NotificationTargetId","HashValue","HashInput","AHE_TYPE","TargetAppID","RefAppID","ModifyFlags","ViewOrSize","ItemsToProcess","StartTask","PickerType","ClientAllowsUX","FileIsUpdated","AppItemCount","TotalItemCount","ShowMethod","ViewFromGuid","ViewToGuid","RenderedTileCount","RealizedTileCount","NumOfVisibleTiles","HowDismiss","HowDismissed","Packed_Hi_RequestedTimeoutExtensionMs16_Flags11_Crashed1_Throttled1_EnforceTimeout1_IsChild1_TimedOut1_Lo","Packed_Hi_ModeSwitchesToUnthrottledCount2_IoOpportunityTime100Ms10_CpuReadyTime100Ms10_CpuRunningTime100Ms10_Lo","PackedResumeDurationsMs_HiWordAppLoWordPackage","HiFlags_LoAppCount","HiThreshold_LoCurrentMetric","SumOfPrivateWsOrSumOfSwapUsageOrPrivateModifiedSize","UserRequest","ExecutionRequest","PendingTaskCompletions","DeferredTerminate","TaskCompletionType","PresentNonBlockingTaskCompletions","Wakes","ActivationParameters","EdgeUiComponent","HMonitor","SqmableContractID","ExeName","PreviousExecutionState","Opportunistic","ActivationOptions","AppClosed"
,"PackageActivationSettings","DialogId","DismissMethod","TimeOutPeriod","WaitSignal","aamActivationId","ApiType","NumApp","SetDefault","NumOrphanFiles","Validation","ApplicationWindow","PriorityForeground","SystemWindow","CallerModule","ObjectModule","SxSModule","TerminateReason","ExecutionReason","ProviderDisplayName","AppArguments","DeadlineHigh","DeadlineLow","AppAlreadyRunning","NewHWND","NewHWNDIsSplashScreen","CrossFaded","FramePresentQpcTime","DriverProcessingTimeInMicroseconds","DriverProcessingTimeStartQpc","DriverProcessingTimeStopQpc","QPCFrequency","KernelEventId","TargetCaps","KmdAdapterHandle","AffectedSourceId","TransmitSevenBitI2CAddress","TransmitDataSizeInBytes","ReceiveSevenBitI2CAddress","ReceiveDataSizeInBytes","ReceiveFlags","param","PassedValue","OperationGroup","DASTMGR","ISATAP","6to4","COMMON","FSM","_DebugString","MTU","TriggerSource","RemotePrefixLengthBytes","RemotePrefixLengthBits","LocalPrefixLengthBytes","LocalPrefixLengthBits","RemotePrefixLifetimeSeconds","RemotePrefixOrigin","SyntheticIPv6AddressLengthBytes","FirstVirtualDisk","SecondVirtualDisk","SecondVirtualDiskIndex","OriginalDiskId","ResourceGuid","AddOrRemove","NumTraces","ReturnAddresses","FileAndFunction","pEntity","OriginalVirtualDiskIndex","ExportedVirtualDiskIndex","SnapshotSetId","TSIH","ISID","InitiatorTaskTag","InitiatorIQN","TargetIQN","Pdu","PduPayload","PhysicalDiskResGuid","MRKIDGUID","AttrName","Principal","LookupType","RequestedEtypes","AvailableEtypes","AccountToReset","AvailableETypes","RequestedKeyVersion","AvailableKeyVersion","EncryptedTicketSize","TicketSizeThreshold","ActiveDirectorySID","TicketSID","IssuancePolicies","IssuanceTime","AccountCreationTime","CertificateSid","ThermalZoneBiosNameLength","ThermalZoneBiosName","_NTT","_PSLCount","_PSLEntries","_TZDCount","_TZDEntries","_AL0Count","_AL0Entries","_AL1Count","_AL1Entries","_AL2Count","_AL2Entries","_AL3Count","_AL3Entries","_AL4Count","_AL4Entries","_AL5Count","_AL5Entries","_AL6Count","_AL6Entries
","_AL7Count","_AL7Entries","_AL8Count","_AL8Entries","_AL9Count","_AL9Entries","_TFP","FanBiosNameLength","FanBiosName","FstSupported","ThrottleLimit","Type34SupportEnabled","SubspaceId","InterruptSupported","InterruptFlags","GSIV","NominalLatency","AdvertisedNominalLatency","MaxPeriodicAccessRate","MinRequestTurnaroundTime","InitFailure","EjectFailure","WDTimeoutCount","WDTimerAttributes","SharedRegionPhysicalAddress","SharedRegionLength","RegisterCount","Registers","PrevState","SyncAcquire","DelayTimeInUs","CommandInProgress","AccumulatedFailureCount","Promoted","NotifyRoutineAddress","TargetProcessStartKey","TargetProcessCreationTime","LinkSourceName","LinkTargetName","TargetThreatId","PmrLowBase","PmrLowSize","PmrHighBase","PmrHighSize","FirmwareProvidedAcm","BiosDataSize","AcmMinMleHeaderVer","MleHeaderVersion","RangeMinimum","RangeMaximum","RangeFlags","GetCapabilityTime","GetResourcesTime","ResourcesValidationTime","TpmSrkProvisioningStatus","DebuggerStatus","RangeAltitude","RangeEndpoint","AlignedAddress","OverlappedMemoryType","ReserveDescriptors","RunCount","RunsClaimed","MemoryDescriptor","ProximityId","PartitoinName","MemoryRangeCount","MemorPageCount","IoSpaceRangeCount","IoSpacePageCount","AllocatedMemoryBlockCount","AllocatedMemoryRunCount","AllocatedMemoryPageCount","AllocatedIoSpaceBlockCount","AllocatedIoSpaceRunCount","AllocatedIoSpacePageCount","IoSpaceRunCount","IoSpaceMemory","BasePage","VendorGuid","DisableReason","TcgLogStatus","Tries","RemainingNodesCount","RemainingNodes","AllocatedRegions","MarkedAsBadRegularPages","MarkedAsBadIoSpacePages","MarkErrorsCount","AllocatedBlockCount","AllocatedRunCount","AllocatedPageCount","InformationClass","LoggerSlotsUsed","FilterFlags","LastEnableLoggerId","EnableMask","GroupEnableMask","HookId","ObjectCreatorProcessName","LowBoxNumber","TokenGroupsCount","TokenGroups","TokenPackageCount","TokenPackage","TokenCapabilityCount","TokenCapabilities","TokenTrustLevelCount","TokenTrustLevel","SecurityDescripto
rRevision","SecurityDescriptorControl","SecurityDescriptorOwner","SecurityDescriptorGroup","DaclRevision","DaclAceCount","DaclAce","SaclRevision","SaclAceCount","SaclAce","TokenId","AuthenticationId","TokenFlags","SidValuesReferenceCount","SidValuesCount","SidValues","SharedSidValuesReferenceCount","SharedSidValuesCount","SharedSidValues","MmPhase0Start","MmPhase0Stop","Phase1Start","KsrExtensionStart","KsrExtensionStop","StartProcessorsStart","StartProcessorsStop","AutoLoggerInitStart","AutoLoggerInitStop","MmPhase1Start","MmPhase1Stop","HalPhase0StartCycleTime","HalPhase0StopCycleTime","MmMark","VsmCleanupTime","Mark0","Mark1","Mark2","Mark3","Mark4","Mark5","Mark6","Mark7","VsmCleanupTimeFrequency","HivePath","Sizing_workflow","Dump_file_size_limit","bytes_Dump_file_size_limit_reached","Aborted_while_buffer_allocation","EstimatedPageCount","VMMemoryPartitionIOSpaceAllocatedPages","VMMemoryPartitionAllocatedPages","SystemPartitionIOSpaceAllocatedPages","SystemPartitionAllocatedPages","LimitDumpFileSize","DumpFileSizeLimitInBytes","DumpFileSizeLimitReached","AbortWhileBufferAllocation","MemoryCaptureDuration_ms","HvlCollectLivedumpDuration_ms","DumpDataBufferingDuration_ms","PriorityLevels","ZeroPageCount","FreePageCount","ModifiedPageCount","ModifiedNoWritePageCount","BadPageCount","StandbyPageCounts","RepurposedPageCounts","ModifiedPageCountPageFile","PagedPoolPageCount","NonPagedPoolPageCount","MdlPageCount","CommitPageCount","WSCommitInfo","SessionWSCommitInfo","PagesProcessed","WriteCombinePagesProcessed","UncachedPagesProcessed","CleanPagesProcessed","AcgFlag","DurationInMicroseconds","MemoryDescriptorList","IdealNode","Boundary","MappedAddress","ProtectionMask","PreferredNode","AllocatedFromPool","AllocatedFromExtension","MemoryNodeInfo","VoltageRailId","VoltageRailName","CurrentVoltageMv","MaxVoltageMv","PlatformStateDependencyCount","PlatformStateDependency","CurrentFrequencyKHz","MaxFrequencyKHz","ComponentDescriptionLength","ComponentDescription","OldRai
lVoltageMv","NewRailVoltageMv","OldComponentFrequencyKHz","NewComponentFrequencyKHz","PlatformStateCount","PlatformIdleStateResidency","OldPlatformState","NewPlatformState","ElamDriverNameLength","ElamDriverName","ElamStatus","BlockedDriverEntry","QueryAddress","QueryFlags","PreferredLanguages","RequestedProperties","FilterExpression","FilterBy","OnlyPresent","QueryRemoveType","RemovedFromBus","HasPrimaryDeviceObject","OldLifetime","NewLifetime","DeviceClosed","KeepActive","SwDeviceFlags","DeviceExtensionFlags","PdoReported","NewPdo","SkipCount","OldAttributes","NewAttributes","ResourceConsumerPdo","ResourceConsumerInstancePathLength","ResourceConsumerInstancePath","Pdo","ParentPdo","DevNode","ParentDevNode","InstancePathLength","InterruptResourceConsumerInstancePathLength","InterruptResourceConsumerInstancePath","WakeSourceTypeLength","WakeSourceSubTypeLength","WakeSourceLength","WakeSourceContextLength","WakeSourceType","WakeSourceSubType","WakeSource","WakeSourceContext","TargetDevice","FailedDriver","SleepTime","ResumeTime","DriverWakeTime","HiberWriteTime","HiberReadTime","HiberPagesWritten","BiosInitTime","CheckpointTime","LowestIdleness","AverageIdleness","AccruedIdleTime","NonIdleIgnored","IdleToSleep","NonIdleReferences","StateHandle","ConservativeTimeout","PerformanceTimeout","BusyCount","TotalBusyCount","IdlePowerState","IgnoreThreshold","NonIdleTime","Legacy","SystemAllowed","DisplayAllowed","AwayModeAllowed","SystemCount","DisplayCount","AwayModeCount","CallerLength","ContextLength","ExecutionRequiredAllowed","PerformanceBoostAllowed","FullScreenVideoAllowed","ExecutionRequiredCount","PerformanceBoostCount","FullScreenVideoCount","AffectedState","PowerReasonCode","PowerReasonLength","PowerReasonInfo","CopyBytes","CopyTime","PagesWritten","FileRuns","ReadTime","ResumeAppTime","CompressTime","Override","TotalResumeTime","POSTTime","ResumeBootMgrTime","ResumeAppStartTime","ResumeLibraryInitTime","ResumeInitTime","ResumeHiberFileTime","ResumeRestoreImageSta
rtTimestamp","ResumeIoTime","ResumeDecompressTime","ResumeMapTime","ResumeUnmapTime","ResumeUserInOutTime","ResumeAllocateTime","ResumeKernelSwitchTimestamp","KernelReturnFromHandlerTimestamp","SleeperThreadEndTimestamp","TimeStampCounterAtSwitchTime","KernelReturnSystemPowerStateTimestamp","HiberHiberFileTime","HiberSharedBufferTime","TotalHibernateTime","KernelResumeHiberFileTime","KernelResumeInitTime","KernelResumeSharedBufferTime","DeviceResumeTime","KernelAnimationTime","KernelPagesProcessed","KernelPagesWritten","BootPagesProcessed","BootPagesWritten","HiberWriteRate","HiberCompressRate","ResumeReadRate","ResumeDecompressRate","NoMultiStageResumeReason","MaxHuffRatio","SecurePagesProcessed","HiberChecksumTime","HiberChecksumIoTime","ResumeChecksumTime","ResumeChecksumIoTime","KernelChecksumTime","KernelChecksumIoTime","WinresumeExitTimestamp","TcbLoaderStartTimestamp","TcbLoaderEndTimestamp","RemappedPageLookupCycles","TcbLaunchPrepareCycles","TcbLaunchPrepareDataCycles","DecryptVsmPagesPhase0Cycles","DecryptVsmPagesPhase1Cycles","DecryptVsmPagesPhase2Cycles","TcbLoaderAuthenticateCycles","TcbLoaderDecryptCycles","TcbLoaderValidateCycles","HiberfileSizeKB","ResumeAppsTime","ResumeServicesTime","PhasePagesWrittenMB","ResumeAppAndKernelResumeHiberFileTime","POSTAndDeviceResumeTime","RatesAndResumeAppsServicesTime","PhasePagesProcessedMB","HiberfileSize","TotalHybridShutdownTime","HiberfileCreateTime","SystemShutdownTime","PlatformRole","DisplayState","ZoneLength","ThrottleDuration","FanDuration","ActivationDelay","ResiliencyPhaseNonActivatedNoDripsMs","NonActivatedCpuTimeMs","DurationThisPeriodMs","ActionsTakenAndOnAc","OnAc","EnergyDrainMw","DeviceConstraint","ActionsTaken","DeviceServiceNameLength","ChildServiceNameLength","ChildServiceName","PepPreVeto","InvocationCount","IdleInformationUpdated","TimeoutSource","MinState","DozeS4Timeout","PredictedUserReturnTime","S0LowPowerDozeTimerCancelled","CancelledDueToUserInput","ResiliencyPhaseNonActivatedNoDeepSleep
Ms","PowerSettingPending","Constraint","ConstraintCount","Constraints","ExpiryCount","RelativeId","WokeSystem","Uncertain","Spurious","FixedWakeSourceMask","AcAlarmSignaled","DcAlarmSignaled","RtcSignaled","AcProgrammedTime","DcProgrammedTime","UsingAcTime","WakeTime","AdjustedWakeTime","FullWake","SystemLatency","PolicyAliasLength","PolicyAlias","ScenarioGuid","DefaultSettingsScenarioGuid","PolicyCount","PolicySettings","HwDripsTotalTimeValid","DripsTotalTimeThisPeriodUs","HwDripsTotalTimeThisPeriodUs","PopDripsSwHwDivergenceThreshold","RequestQueueId","AudioActivity","DisconnectedStandbyMode","DsEnabled","CsSessionId","CsSessionIdV2","WorkFlags","EnableResult","InitializationResult","RequestIndex","NumberOfRequests","QueueSize","OldMask","NewMask","SetFlags","ClearedFlags","BroadcastTreeId","IsRootDevice","VisitType","NotIdleEvents","IsSystemIdle","TimeSinceEvent","WasIgnored","BusyReason","ScanInterval","PreviousTimeoutSource","PreviousTimeout","NewTimeoutSource","HardwareIdLength","DeviceClassNameLength","DeviceClassName","DeviceClassGuidLength","DeviceClassGuid","DfxTransitionCount","Ps4TransitionCount","TriggerFlags","UserNotify","PowerAction","PowerActionFlags","PowerActionEventCode","SubstitutionPolicy","LocalPowerAction","LocalPowerActionFlags","LocalPowerActionEventCode","RequesterNameLength","RootDeviceNode","ErrorDeviceNode","CurrentTargetState","NextTargetState","PartA_PrivTags","TriageContextLength","TriageContext","CurrentInternalState","NextInternalState","IsSleepEnter","ReasonDescriptionLength","LastInputTimestamp","LastDisplayOffTimestamp","SessionDisplayState","NotifyOnNextUserInput","DisplayTimeoutSource","DimTimeout","DimTimeoutSource","ThreadToken","VirtualConsole","MonitorOnReason","ParamToken","AttachMode","IsSingleSession","IsSync","PsStatus","ParameterToken","PowerStateTask","DeviceInstancePathLength","IdLength","Prepared","ComponentCount","VetoMasks","PowerRequired","IdleStates","ArmedForWake","MinimumDStates","MinimumFStates","DeviceIdLen
gth","PlatformStateDependents","ParentDeviceNode","DripsRequiredState","SetCount","Unit","StateValues","PerformanceStateSetCount","PerformanceStateSets","DeviceTransition","TransitionRequired","StartDevice","EndDevice","NumberExtraDevices","Entered","InitiatorLength","TripPointTemperature","ActivePoint","ThermalStandby","OverThrottled","PassiveSupported","ActiveSupported","ActiveEngaged","PolicyLength","ReasonLength","LimitCount","ScenarioHashId","ScenarioType","PrefetchPhaseMask","PrefetchType","IsTricklePhase","NumPagesPrefetched","NumReadLists","EndReason","ActionFlags","TraceReason","PrefetchReason","NumLaunches","TimeSinceLastLaunchInS","WorkItemsCount","NumPhases","DiskIoAttribution","IoRateControl","MaxIops","MaxBandwidth","MaxTimePercent","ReservationIops","ReservationBandwidth","ReservationTimePercent","CriticalReservationIops","CriticalReservationBandwidth","CriticalReservationTimePercent","SoftMaxIops","SoftMaxBandwidth","SoftMaxTimePercent","Performance","MinPercent","MaxPercent","TolerancePercent","Autonomous","EppPercent","ActivityWindow","QosClass","ResourcePriority","ResourcePriorityPercent","PpmCheckTime","AdjustedCheckTime","StartPhase","BusyTime","DeliveredPerformance","Utility","AffinitizedUtility","FrequencySensitivity","BufferingPercent","StallTime","ImportantPercent","IdealPercent","IdleTimeInMs","BusyTimeInMs","ExcessBusyTimeInMs","SoftParked","TotalTransitions","AbortCount","SelectionCount","SelectionAccounting","FeaturesAccessed","FeaturesValidated","MembersEnumerated","Cap","PBlockAddress","PBlockLength","Ppc","PctControl","PctStatus","PssStates","FadtC2Latency","FadtC3Latency","CStateVersionInUse","CstStates","FadtDutyWidth","FadtDutyOffset","Tpc","TStateVersionInUse","PtcControl","PtcStatus","TssStates","IsApplied","HintType","ConcurrentCores","HistogramSize","ConcurrencyHistogram","DistributeCores","ConcurrencyHistogramDelta","MaximumCoordinatedProcessors","FeedbackCounterCount","PerformanceStatesSupported","ParkingSupported","DiscreteP
erformanceStateCount","GuaranteedPerformance","LimitReasons","FeedbackCount","Feedback","HighestPerformance","NominalPerformance","LowestNonlinearPerformance","LowestPerformance","DomainMembers","PerfStates","EppSupported","AutonomousCapability","Parked","BiosCap","ThermalCap","DesiredPerformance","EfficiencyClass","SchedulingClass","RelativePerformance","EfficiencySchedulingClass","TargetFrequency","DeliveredFrequencyMhz","LpiCap","ParkHint","LatencyLimitIn100ns","AcpiId","InterruptControllerId","HvLpIndex","PlatformIdleStateCount","DripsWakeSkipCount","UnparkCount","OSPreferencePark","OSPreferenceUnpark","PlatformPreferencePark","PlatformPreferenceUnpark","PreviousActiveScenarioId","NewActiveScenarioId","CurrentActiveScenarioId","PlatformIdleStateIndex","StateIndex","InitiatingProcessor","OneInitiator","BreakEvenDuration","DependencyCount","Dependencies","DripsBucketsCount","TotalTimes","IntervalLimitsCount","IntervalLimits","VetoCount","PerfBoostAtGuaranteed","PerfIdealAggressiveIncreasePolicyThreshold","PerfSingleStepSize","PerfCalculateActualUtilization","PerfArtificialDomain","LowLatencyScalingPercentage","ParkWithCoreGranularity","MultiparkGranularity","QosManagesIdleProcessors","QosHysteresis","CoreParkingRotationSeedTimeInMs","EffectiveParkingGranularity","IsUnparkCoresPolicyEnabled","MultiCoreScheduling","MultiCoreParking","ResolvedUtilization","ResolvedTarget","CoordinatedStates","DependencyIndex","ProcessorDependency","OptionCount","EnergyInMicroJoules","ProcCount","ActualUtility","EstimatedUtility","CheckCount","IdealClass1Count","ActualClass1Count","Class0FloorPerf","Class1MinimumPerf","ActiveCount","MaxActiveDurationInUs","MinActiveDurationInUs","TotalActiveDurationInUs","PreviousProfileId","NextProfileId","DeliveredFrequency","OldPark","NewPark","OverUtilizedSet","IsolatedCores","IdealUnparked","ParkReason","VetoCodeCount","Accounting","HeterogeneousPolicy","HeterogeneousSystemType","DefaultPolicy","DefaultDynamicPolicy","DynamicCpuPolicyMask","Dynam
icCpuPolicyImportant","DynamicCpuPolicyImportantShort","DynamicCpuPolicyImportantPriority","DynamicCpuPolicyExpectedRuntime","WPSCapabilities","LevelId","NamespacePath","VirtualHeterogeneitySupported","VirtualHeterogeneityOn","DisableReasons","SchedulerDirectedPerfStatesSupported","PpmQosEnabled","PpmQosDisableReasons","CoordinationType","IdleProcessorsDiscounted","SchedulerDirectedTransitionsSupported","WorstCaseTransitionLatency","WorstCaseTransitionOverhead","AffinitizePerfSet","NthCoreUtilization","DomainMasterGroup","DomainMasterNumber","NewSoftPark","UnparkCap","UnparkFloor","ForcePark","ForceUnpark","Overutilized","IdealUnparkCount","PerformanceCoresUnparkedCount","TargetUnparkCount","LpIndex","LpIndexCount","RegisterId","ParameterId","BitWidth","BitOffset","QosClassCount","QosPolicies","QosDisableReasons","ThreadClassification","NumberOfLogicalCores","NumberOfWorkLoadClasses","TableCount","HardwareTable","NormalizedTable","TotalFavouredUnparkedCores","CurrentPickedFavouredCoreIndex","PerformanceClassIndex","EfficiencyClassIndex","WorkloadCount","PerformanceWorkloadTotalCycles","EfficiencyWorkloadTotalCycles","TotalCoresUnparkedCount","EfficiencyCoresUnparkedCount","ContainmentEnabled","WorkLoadClass","ThreadQoS","RunningType","DynamicHeteroCpuPolicy","LowerThreshold","UpperThreshold","IdealMask","PreferredMask","AvailableMask","RestrictionMask","HeteroCpuPolicy","RankListEntries","RankList","ImportantUtility","TotalImportantUtility","OldIdealUnpark","CurrentClassUnparkCount","CurrentClassPlusUnparkCount","TargetUnparkedAccumulation","AccumulatedDuration","RawTargetUnparkCount","UpdatedTargetUnparkCount","MaxUnparkCount","SelectionFlag","IncreasePolicy","DecreasePolicy","IncreaseTimePolicy","DecreaseTimePolicy","ParkCheckCount","MapTable","EnergyStatusUnit","EsuToMilliJoulesMethod","BucketFrequencies","BucketPowerWeights","QosPerfSelection","ForceParked","ContainmentGroupCount","ContainmentGroup","HeteroPolicy","IsPerfMaxOverrideEnabled","IsLatencyBoostActive
","IsMinPolicyDisabledContainment","HeteroContainmentPolicy","IsGlobalParkHintsPresent","ContainmentCheckCount","ContainmentCrossOverRequired","PreviousSelectedContainmentGroup","CurrentDesiredContainmentGroup","CurrentSelectedContainmentGroup","BeforePerfUnparkCount","BeforeEfficientUnparkCount","AfterPerfUnparkCount","AfterEfficientUnparkCount","IsTimeWindowIsInProgress","IsIncreaseTimeWindowActive","IsDecreaseTimeWindowActive","ContainmentGroupType","EquivalencyMasks","MaxPolicyPercent","MaxEquivalentFrequencyPercent","MinPolicyPercent","AutonomousActivityWindow","EnergyPerfPreference","ProvideGuidance","AllowThrottling","PerfBoostMode","LatencyHintPerf","TrackDesiredCrossClass","LatencyHintEpp","StateChanged","RankingCount","Ranking","CumulativeUnparkedCount","PerfUnparkedCount","Candidates","ParkedCores","ChosenCores","ComplexCandidates","ModuleCandidates","PackageCandidates","CoreCandidates","OverUtilizedCores","LowestUnparkOrderingCandidates","HighPerfOverride","SoftParkLatencyUs","TotalEntrySize","BytesGathered","SourceKeyPath","DriverBase","DriverSize","DriverCheckSum","Fdo","DeviceCharacteristics","PowerType","DataKey","DataMgr","StoreOffset","StoreKey","StoreFileKey","UserDataMgr","MetadataMgr","RegionSize","RegionCount","SectorSize","EncryptionStrength","BlocksStored","RegionsInUse","TotalSpaceUsed","MetaRegionCount","MetaRegionsInUse","MetaRegionsSpaceUsed","StoreTime","OwnerProcessId","RegionIndex","Virtual_Address","Physical_Address","Corruption_Window_Size","FileBacked","Cache_path","TxUow","TxDescriptionLength","TxDescription","ClfsStatus","RmDescriptionLength","RmDescription","TmIdentity","TmLogFileNameLength","TmLogFileName","Password_reset_timer_deadline","Password_reset_retry_count","Mitigating","DisengagedValue","FullyEngagedValue","DistanceThreshold","MDUsed","MovementPrecision","SpeedBasedWaitTimeSec","MDBasedWaitTimeSec","MinWaitTimeToMeetBudgetSec","SelectedWaitTimeSec","CumulativeRunningTimeSec","CumulativeAcquireTimeSec","RequestsCount","
IsSpeedUnknown","RecentMovementTimeBoundApplied","UACElevateFileID","hWndLensCtx","SrcRect","DesktopComposited","CycleDuration","CyclesTotal","OldCpuTime","OldCycleTime","OldWorkingSet","OldPageFaults","NewUserTime","NewKernelTime","NewWorkingSet","NewPageFaults","NewCycleTime","Prop_string1","Prop_string2","Prop_AnsiString","Oem_MemFree_ptr","CDRMMemoryCacheFree_ptr","CDRMMemoryCacheDRM_FREE_ptr","CDRMMemoryCacheClearFreeList_ptr","MenuItemCount","UDN","instanceID","ui32","URIMetadata","CompID","PresentID","FragmentCount","ScanoutType","CompletedOutputs","NumOutputs","CompositionLatency","deltaQPC_ns","dwmSmoothedTargetQPC","deltaDwmTargetQPC_ns","deltaSmoothedJitter_ns","deltaQPC_us","timingFramePeriod_us","lowerTolerance_us","upperTolerance_us","targetIndex","timingTargetIndex","wasIFlip","SkipReconType","AdjustmentType","TargetIndex","VidPnTarget","CompositionframeId","CompletedTimeHNS","StartedTimeHNS","VBlankDuration_ps","framePeriod_ps","OutstandingPresents","InputViewIndex","InputFrameOrField","Mirrored","MaxLuminanceIn","MaxLuminanceOut","bytestowrite","byteswritten","MFTobject","BitmapSourceProxyobject","CachedRectLeft","CachedRectTop","CachedRectRight","CachedRectBottom","AnyFailed","EncoderInstance","RateCtrlMode","AverageBitRate","PeakBitRate","EntropyMode","MultithreadEncodingMode","NumberOfWorkerThreads","GOPNumber","CVEId","WidthSource","WidthHeight","FormatSize","SampleSizeInBytes","ThinningMode","DropMode","PostProcessingLevel","MaxBitRate","Progressive","MuxFormat","param14","ClientRefStringLength","ClientRefString","StatusCount","DomainMultiplier","IsTimerEvent","IdleCycles","UpdateTime","LowTemperature","HighTemperature","DsmSupportBitmask","DsmState","ThermalDeviceId","RequestToken","ReturnedTemperature","CheckMode","ThermalReadRetryCount","ThermalReadFailure","CurrentTemperature","DsmGuid","InputState","InputErrors","OutputState","OutputErrors","ThreadJoinable","HasValue","Hasvalue","ForcePublish","srcSamplingRate","AudioMode","BlobVer","Licen
sorIndex","dwordarg","IDRCount","POC","PictureType","QualityMode","SARWidth","SARHeight","BitDepthLuma","BitDepthChroma","ChromaFormat","CodecID","QualityType","Proportion","Late","ConfigBitstreamEncryption","ConfigMBcontrolEncryption","ConfigResidDiffEncryption","ConfigBitstreamRaw","ConfigMBcontrolRasterOrder","ConfigResidDiffHost","ConfigSpatialResid8","ConfigResid8Subtraction","ConfigSpatialHost8or9Clipping","ConfigSpatialResidInterleaved","ConfigIntraResidUnsigned","ConfigResidDiffAccelerator","ConfigHostInverseScan","ConfigSpecificIDCT","Config4GroupedCoefs","ConfigMinRenderTargetBuffCount","PicStructPresent","PicStruct","SampleLag","NumSurfaces","D3DFormat","dwWidth","dwHeight","MaxHeaderSize","ReqBodySize","MaxBodySize","MaxXmlDepth","QueueCountLimit","SpokenText","CancelledMessage","AutomationContext","EventClass","IsWindowActive","CurrentOSKState","CurrentOrientation","EventCancelled","SeletionModeEnabled","SoundResourceId","WasCanceled","ElementAddress","NarratorPerfScenario","IsElementInPeripheralUI","HandlerObject","MissCount","IgnoreCount","NumberSegments","IsCachedStream","TextLength","ShouldPassivePollRun","WasPassivePollRunning","IsPassivePollAllowed","ClientPresent","UserPresent","NetworkQuietMode","DeadUserPollCount","DeadNetPollCountV4","DeadNetPollCountV6","SupportedWolPatterns","SupportedProtocolOffloads","SupportedWakeUpFlags","SupportedMediaWakeUpEvents","IdleCondition","WolPatterns","ProtocolOffloads","WakeUpFlags","MediaWakeUpEvents","MatchingHardwareId","CaptureErrors","InstallTimestamp","FilterPnPFlags","AdminStatus","OperStatus","OperStatusFlags","SyncFlags","WSyncFlags","InterlockedFlags","EventLogCount","EventLog","LastEventTimestamp","FilterListCount","FilterList","ProtocolListCount","ProtocolList","MajorNdisVersion","MinorNdisVersion","CharacteristicsFlags","MajorDriverVersion","MinorDriverVersion","TimeSinceLast","CurrentProc","BytesTxRx","IfMediaType","ProcId","_ListHead","_Entry","_EntryFlink","_EntryBlink","_Flags","TaskCounter",
"IterationCounter","WorkCounter","Dispatcher","CurrentIsolationStateNumeric","CurrentProbationTime","CurrentFixupUrl","PreviousIsolationState","PreviousIsolationStateNumeric","PreviousProbationTime","PreviousFixupUrl","Blackout","DomainJoined","OSSKU","ProcessorType","HealthState","Shas","FCS","ProbationExpiry","Help","CSP","KeySpec","Urls","Dns","CurrentExtendedIsolationState","CurrentExtendedIsolationStateNumeric","PreviousExtendedIsolationState","PreviousExtendedIsolationStateNumeric","ExtendedHealthState","NetworkChangeGuid","InternetPresent","WnfStatusCode","FreeNetworkPresent","ProfileChange","FragmentationLevel","SvSvcCmd","A15_LastVcn","A16_NewFinalVcn","A17_NewFinalVcnInMcb","A18_NumberOfRanges","NtfsGetLastVcnForNewMappingPairSize_IC","p_Using_LastVcn","MoveAttributeToOwnRecord_IC","x_Bytes2Free","x_OldMappingSize","x_NewMappingSize","param15","p_ClustersAllocated","NtfsDeallocateClusters_IC","p_ClustersDeallocated","NtfsModifyBitsInBitmap_IC","p_Bitmap","NtfsAllocateBitmapRun_IC","NtfsRestartSetBitsInBitMap_IC","NtfsFreeBitmapRun_IC","NtfsRestartClearBitsInBitMap_IC","NtfsSetOrClearBitsUsingBaseMcb_IC","p_Result","u_BitPosition","ld_GroupIndex","ld_GroupShiftFactor","BinIndex","ld_RelativeBinIndex","ld_MaxKey","BinGroupShift","Unexpected_open_type_received","p_RelatedFileObject","p_FileIdBuffer","p_Path","d_Status","S_ProcessName","SCB","p_MinorCode","IC","Scrub_resume_from_SystemScbIndex","u_Vcn","p_Scrub_resume_from_Vcn","Scrub_SystemScbIndex","p_Incomplete_IoCount","u_Cancel","u_ParityExtentCount","p_Scrub_no_more_Mcb_entries_from_StartingVcn","p_Scrub_skipping_UNUSEDLCN_Vcn","p_StartingVcn","I64x_Bytes_StartingVcn","p_DsmActionScrub_call_failed_Status","p_DsmActionScrub_operation_failed_Status","p_FSCTLREPAIRCOPIES_no_more_Mcb_entries_from_StartingVcn","p_FSCTLREPAIRCOPIES_No_more_Mcb_entries_unallocated_from_StartingVcn","p_FSCTLREPAIRCOPIES_skipping_UNUSEDLCN_Vcn","I64x_Bytes_FileOffset","p_DsmActionRepair_call_failed_Status","p_DsmActionRepair_oper
ation_failed_Status","p_DsmActionRepair_completed_IrpStatus","FsLibGetBadAddressRanges_returned_Status","FsInputRangeIndex","p_Status","S_AbnormalTermination","NtfsCommitCurrentTransaction_IC","I64x_ClearAll","p_Processing_range_DeallocatedClusters","p_RunIndex","d_StartingLcn","FsLibGroupSubExtentsByDanglingMdl_failed","FsLibAddBaseMcbEntryEx_failed","NtfsRemoveNtfsMcbEntry_Scb","NtfsRemoveNtfsMcbEntry_Mcb","NtfsAddNtfsMcbEntry_Scb","NtfsAddNtfsMcbEntry_Mcb","NtfsUnloadNtfsMcbRange_Scb","NtfsUnloadNtfsMcbRange_Mcb","NtfsGrowMftsAttributeListAllocation_Vcb","p_AttrListScb","param16","param17","param18","param19","param20","param21","NtfsProcessException_IC","A19_DeletedNextAttribute","A20_Mcb1StartWithNewStartVcn","A21_Mcb1HoldNewStartVcn","A22_Mcb2StartWithNewStartVcn","A23_Mcb2HoldNewStartVcn","A24_McbArraySizeInUseChange","A14_Attribute->Form.Nonresident.AllocatedLength","A15_Attribute->Form.Nonresident.FileSize","A16_Attribute->Form.Nonresident.ValidDataLength","A17_Attribute->Form.Nonresident.TotalAllocated","A18_Sizes->AllocationSize","A19_Sizes->FileSize","A20_Sizes->ValidDataLength","A21_Sizes->TotalAllocated","A17_FrsConsolidationContextRestartAttributeListEntryOffset","A18_AttributeListEntryOffset","A20_AttributeListGrowBy","A21_AttributeListGrowBy","A15_VcbReadOnlyCloseCount","A16_VcbCloseCount","A17_VcbSystemFileCloseCount","A17_FcbFcbState","A18_IrpSpFlags","A16_CreateContextCurrentFcbFcbState","A11_ParentScbFcbVcb","A12__ParentScbFcbVcbVolumeName","A13_WppCountedStringWParentScbFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHParentScbFcbVcbVpb","A14_ParentScbFcb","A15_NtfsFullFileRefNumber_ParentScbFcbFileReference","A16_ParentScbFcbFcbState","A17_ParentScbFcbTxfRmcbRmState","A18_AttrTypeCode","A11_ParentScbVcb","A12__ParentScbVcbVolumeName","A13_WppCountedStringWParentScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHParentScbVcbVpb","A16_ThisEaInformationNeedEaCount","A17_CreateContextIrpSpParametersCreateOptions","A18_CcbFlags","A16_AttrTypeCode","A17
_CreateDisposition","A17_FileAttributes","A16_CreateContextThisScbAttributeTypeCode","A17_CreateContextThisScbState","A18_CreateContextThisScbScbTypeDataHighWaterMark","A15_CreateDisposition","A11_ThisScbVcb","A12__ThisScbVcbVolumeName","A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb","A14_ThisScbFcb","A15_NtfsFullFileRefNumber_ThisScbFcbFileReference","A16_ThisScb","A17_ThisScbAttributeTypeCode","A18__ThisScbAttributeName","A19_IrpSpParametersCreateShareAccess","A20_IrpSpParametersCreateSecurityContextAccessStatePreviouslyGrantedAccess","A19_IrpSpParametersCreateSecurityContextAccessStatePreviouslyGrantedAccess","A17_ThisScbMarkHandleDisallowWritesCount","A18_IrpSpParametersCreateSecurityContextDesiredAccess","A20_GrantedAccess","A16_IrpSpParametersCreateShareAccess","A17_IrpSpFileObjectFlags","A16_IrpSpParametersCreateSecurityContextDesiredAccess","A17_ThisFcbInfoFileAttributes","A17_ThisScbAttributeFlags","A16_CreateContextCurrentFcbCleanupCount","A17_NtfsDataEncryptionCallBackTableImplementationFlags","A11_LcbFcbVcb","A12__LcbFcbVcbVolumeName","A13_WppCountedStringWLcbFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHLcbFcbVcbVpb","A16_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength","A17_DesiredAccess","A18_DesiredShareAccess","A19_IoShareAccessFlags","A20_LinkShareAccessOpenCount","A21_LinkShareAccessDeleters","A22_LinkShareAccessSharedDelete","A16_ScbAttributeTypeCode","A17__ScbAttributeName","A18_DesiredAccess","A19_DesiredShareAccess","A20_IoShareAccessFlags","A21_ShareAccessOpenCount","A22_ShareAccessReaders","A23_ShareAccessWriters","A24_ShareAccessDeleters","A25_ShareAccessSharedRead","A26_ShareAccessSharedWrite","A27_ShareAccessSharedDelete","A18_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength","A19_DesiredAccess","A20_DesiredShareAccess","A21_IoShareAccessFlags","A22_ShareAccessOpenCount","A23_ShareAccessReaders","A24_ShareAccessWriters","A25_ShareAccessDelete
rs","A26_ShareAccessSharedRead","A27_ShareAccessSharedWrite","A28_ShareAccessSharedDelete","A29_LinkShareAccessOpenCount","A30_LinkShareAccessDeleters","A31_LinkShareAccessSharedDelete","A18_ARGUMENT_PRESENTLcbWppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLengthWppCountedStringWNULL0","A19_AccessStatePreviouslyGrantedAccess","A20_AccessStateFlags","A21_DesiredShareAccess","A22_CreateDisposition","A23_ScbShareAccessOpenCount","A24_ScbShareAccessReaders","A25_ScbShareAccessWriters","A26_ScbShareAccessDeleters","A27_ScbShareAccessSharedRead","A28_ARGUMENT_PRESENTLcbLcbLinkShareAccessDeleters0","A19_ScbPersist","A20_CcbFlags","A18_ScbAttributeNameBuffer","A20_CcbNULLCcbFlags0","A19_CcbFlags","A19_ARGUMENT_PRESENTCcbCcbAccessFlags0","A20_ARGUMENT_PRESENTCreateContextCreateContextPreviouslyGrantedAccess0","A19_ScbVcbVpbRealDeviceFlags","A16_RenameCleanupTargetLinkFcbTxfFcbTxfNumWriters","A14_LcbToDeleteFcb","A15_NtfsFullFileRefNumber_LcbToDeleteFcbFileReference","A16_LcbToDelete","A17_WppCountedStringWLcbToDeleteFileNameAttrFileNameUSHORTLcbToDeleteFileNameAttrFileNameLength","A18_LcbToDeleteTxfNumWriters","A18_LcbToDeleteCleanupCount","A19_SplitPrimaryLcb","A20_SplitPrimaryLcbNULLWppCountedStringWSplitPrimaryLcbFileNameAttrFileNameUSHORTSplitPrimaryLcbFileNameAttrFileNameLengthWppCountedStringWNULL0","A21_SplitPrimaryLcbNULLSplitPrimaryLcbCleanupCount0","A16_LcbFcbFcbState","A17_Lcb","A19_LcbFileNameAttrFlags","A20_LcbLcbState","A16_TargetParentScbFcbInfoFileAttributes","A17_TargetParentScbFcbFcbState","A17_TxfVisibleLinks","A17_AccessStatus","A17_TargetParentScbFcbTxfRmcbRmState","A18_NtfsFullFileRefNumber_ParentScbFcbFileReference","A11_NextScbVcb","A12__NextScbVcbVolumeName","A13_WppCountedStringWNextScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHNextScbVcbVpb","A14_NextScbFcb","A15_NtfsFullFileRefNumber_NextScbFcbFileReference","A16_NextScbCleanupCount","A16_ByIdCcbs","A17_NextScbCleanupCount","A19_ScbState","A20_ScbScbTypeDataHighWaterMark","
A11_DirectoryScbVcb","A12__DirectoryScbVcbVolumeName","A13_WppCountedStringWDirectoryScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHDirectoryScbVcbVpb","A14_DirectoryScbFcb","A15_NtfsFullFileRefNumber_DirectoryScbFcbFileReference","A16_ULONGIrpIoStatusInformation","A17_BatchOplockCount","A15_VcbDisallowDismountCount","A16_ExplicitLock10","A17_ReadULongNoFence_VcbCleanupCount","A18_UserHandleCountSystemHandleCountVcbExternalMetadataCleanupCount","A14_VcbCloseCount","A15_VcbSystemFileCloseCount","A16_UserHandleCount","A15_TypeOfOpen","A15_IrpRequestorMode","A15_CcbFlags","A16_CallerId","A17_ContextOwnerId","A17_CcbAccessFlags","A18_FileObjectWriteAccess10","A18_ScbAttributeFlags","A18_HandleInfoHandleInfo","A19_IrpRequestorMode","A20_HandleInfoHandleInfo","A16_FcbFcbState2","A17_Scb","A18_ScbAttributeTypeCode","A19__ScbAttributeName","A20_ScbPersist","A21_HandleInfoHandleInfo","A22_IrpRequestorMode","A19_HandleInfoHandleInfo","A19_ScbShareAccessWriters","A18_CcbNULLCcbAccessFlags0","A15_IrpSpFileObjectWriteAccess10","A16_ScbFcb","A17_NtfsFullFileRefNumber_ScbFcbFileReference","A19_ScbFcbFcbState","A20_CcbNULL_CcbFullFileNameNULL","A17__CcbFullFileName","A18_CcbAccessFlags","A16_FcbInfoFileAttributes","A18_ScbFcbFcbState2","A19_CcbNULL_CcbFullFileNameNULL","A20_CcbNULLCcbAccessFlags0","A21_CcbNULLCcbFlags20","A18_CcbNULL_CcbFullFileNameNULL","A19_CcbNULLCcbAccessFlags0","A19_EffectiveMode","A18_IrpSpMinorFunction","A18_IrpSpFileObjectWriteAccess","A14_AttributeFormNonresidentAllocatedLength","A15_AttributeFormNonresidentFileSize","A16_AttributeFormNonresidentValidDataLength","A17_AttributeFormNonresidentTotalAllocated","A18_SizesAllocationSize","A19_SizesFileSize","A20_SizesValidDataLength","A21_SizesTotalAllocated","A16_CcbAccessFlags","A16_NextScb","A17_NextScbAttributeTypeCode","A18__NextScbAttributeName","A18_Flags","A17_NextTxfVscbReaderCleanupCount","A18__CcbFullFileName","A17_CcbTxfFo","A18_CcbTxfFoKtmTrans","A19_ScbFcbTxfRmcb","A20_CcbFullFileNameBuffer","A19_
FileObjectWriteAccess","A20_FileObjectDeleteAccess","A19_ScbCleanupCount","A17_FsInformationClass","A18_Scb","LocalSendConfirm","PeerSendConfirm","LogLine","CommitFrameError","CommitFrameSize","MinCommitFrameSize","AlgorithmNumber","ExpectedAlgorithmNumber","ExpectedTransactionId","MethodIndex","SourceHwnd","RequestName","fZDP","fOOBE","fExistingUser","fExplorer","fPostZDP","fExistingUserOrPostZDP","fTouchDevice","fMouseDevice","Started","val","tcid","UnitModifiedTimestamp","GetModifiedTimeHRESULT","CollectionConsistencyTimestamp","IncrementEnergy","SrvTime","EndByteOffset","LastIdleState","IsRandom","LocalLastCompTime","SharedLastCompTime","CompTime","Rid","Secondary","PreciseTime","EnterReason","AbortReason","TimeActivated","ConnectedStandbyTimeAndActivationCount","ClientIdAndFlags","MaxActivationDuration","ClientFlags","TimeContinuouslyActive","ClientIdAndActivityTypeAndOnAc","UserClientProcess","MaxActiveTime","MinActiveTime","TotalActiveTime","Updated","PolicyActive","ClientRevocationCount","ClientRevocationPolicy","ObjectIndex","BytesLeft","param22","param23","param24","param25","param26","param27","param28","param29","param30","param31","param32","param33","param34","param35","param36","param37","param38","param39","param40","param41","param42","param43","param44","param45","param46","param47","param48","param49","param50","param51","param52","param53","param54","param55","param56","param57","param58","param59","param60","param61","param62","param63","param64","param65","param66","param67","param68","param69","param70","param71","param72","param73","param74","param75","param76","param77","param78","param79","param80","param81","param82","param83","param84","param85","param86","param87","param88","param89","param90","param91","param92","param93","param94","param95","param96","param97","param98","param99","param100","param101","param102","param103","param104","param105","param106","param107","param108","param109","param110","param111","param112","param113","par
am114","param115","param116","param117","param118","param119","param120","param121","param122","param123","param124","param125","param126","param127","param128","param129","param130","param131","param132","param133","param134","param135","param136","param137","param138","param139","param140","param141","param142","param143","param144","param145","param146","param147","param148","param149","param150","param151","param152","param153","param154","param155","param156","param157","param158","param159","param160","param161","param162","param163","param164","param165","param166","param167","param168","param169","param170","param171","param172","param173","param174","param175","param176","param177","param178","param179","param180","param181","param182","param183","param184","param185","param186","param187","param188","param189","param190","param191","param192","param193","param194","param195","param196","param197","param198","param199","param200","param201","param202","param203","param204","param205","param206","param207","param208","param209","param210","param211","param212","param213","param214","param215","param216","param217","param218","param219","param220","param221","param222","param223","param224","param225","param226","param227","param228","param229","param230","param231","param232","param233","param234","param235","param236","param237","param238","param239","param240","param241","param242","param243","param244","param245","param246","param247","param248","param249","param250","param251","param252","param253","param254","param255","param256","param257","param258","param259","param260","param261","param262","param263","param264","param265","param266","param267","param268","param269","param270","param271","param272","param273","param274","param275","param276","param277","param278","param279","param280","param281","param282","param283","param284","param285","param286","param287","param288","param289","param290","param291","param292","param293","param294","param295","p
aram296","param297","param298","param299","param300","param301","param302","param303","param304","param305","param306","param307","param308","param309","param310","param311","param312","param313","param314","param315","param316","param317","param318","param319","param320","param321","param322","param323","param324","param325","param326","param327","param328","param329","param330","param331","param332","param333","param334","param335","param336","param337","param338","param339","param340","param341","param342","param343","param344","param345","param346","param347","param348","param349","param350","param351","param352","param353","param354","param355","param356","param357","param358","param359","param360","param361","param362","param363","param364","param365","param366","param367","param368","param369","param370","param371","param372","param373","param374","param375","param376","param377","param378","param379","param380","param381","param382","param383","param384","param385","param386","param387","param388","param389","param390","param391","param392","param393","param394","param395","param396","param397","param398","param399","param400","param401","param402","param403","param404","param405","param406","param407","param408","param409","param410","param411","param412","param413","param414","param415","param416","param417","param418","param419","param420","param421","param422","param423","param424","param425","param426","param427","param428","param429","param430","param431","param432","param433","param434","param435","param436","param437","param438","param439","param440","param441","param442","param443","param444","param445","param446","param447","param448","param449","param450","param451","param452","param453","param454","param455","param456","param457","param458","param459","param460","param461","param462","param463","param464","param465","param466","param467","param468","param469","param470","param471","param472","param473","param474","param475","param476","param477",
"param478","param479","param480","param481","param482","param483","param484","param485","param486","param487","param488","param489","param490","param491","param492","param493","param494","param495","param496","param497","param498","param499","param500","param501","param502","param503","param504","param505","param506","param507","param508","param509","param510","param511","param512","param513","param514","param515","param516","param517","param518","param519","param520","param521","param522","param523","param524","param525","param526","param527","param528","param529","param530","param531","param532","param533","param534","param535","param536","param537","param538","param539","param540","param541","param542","param543","param544","param545","param546","param547","param548","param549","param550","param551","param552","param553","param554","param555","param556","param557","param558","param559","param560","param561","param562","param563","param564","param565","param566","param567","param568","param569","param570","param571","param572","param573","param574","param575","param576","param577","param578","param579","param580","param581","param582","param583","param584","param585","param586","param587","param588","param589","param590","param591","param592","param593","param594","param595","param596","param597","param598","param599","param600","param601","param602","param603","param604","param605","param606","param607","param608","param609","param610","param611","param612","param613","param614","param615","param616","param617","param618","param619","param620","param621","param622","param623","param624","param625","param626","param627","param628","param629","param630","param631","param632","param633","param634","param635","param636","param637","param638","param639","param640","param641","param642","param643","param644","param645","param646","param647","param648","param649","param650","param651","param652","param653","param654","param655","param656","param657","param658","param659
","param660","param661","param662","param663","param664","param665","param666","param667","param668","param669","param670","param671","param672","param673","param674","param675","param676","param677","param678","param679","param680","param681","param682","param683","param684","param685","param686","param687","param688","param689","param690","param691","param692","param693","param694","param695","param696","param697","param698","param699","param700","param701","param702","param703","param704","param705","param706","param707","param708","param709","param710","param711","param712","param713","param714","param715","param716","param717","param718","param719","param720","param721","param722","param723","param724","param725","param726","param727","param728","param729","param730","param731","param732","param733","param734","param735","param736","param737","param738","param739","param740","param741","param742","param743","param744","param745","param746","param747","param748","param749","param750","param751","param752","param753","param754","param755","param756","param757","param758","param759","param760","param761","param762","param763","param764","param765","param766","param767","param768","param769","param770","param771","param772","param773","param774","param775","param776","param777","param778","param779","param780","param781","param782","param783","param784","param785","param786","param787","param788","param789","param790","param791","param792","param793","param794","param795","param796","param797","param798","param799","param800","param801","param802","param803","param804","param805","param806","param807","param808","param809","param810","param811","param812","param813","param814","param815","param816","param817","param818","param819","param820","param821","param822","param823","param824","param825","param826","param827","param828","param829","param830","param831","param832","param833","param834","param835","param836","param837","param838","param839","param840","param8
41","param842","param843","param844","param845","param846","param847","param848","param849","param850","param851","param852","param853","param854","param855","param856","param857","param858","param859","param860","param861","param862","param863","param864","param865","param866","param867","param868","param869","param870","param871","param872","param873","param874","param875","param876","param877","param878","param879","param880","param881","param882","param883","param884","param885","param886","param887","param888","param889","param890","param891","param892","param893","param894","param895","param896","param897","param898","param899","param900","param901","param902","param903","param904","param905","param906","param907","param908","param909","param910","param911","param912","param913","param914","param915","param916","param917","param918","param919","param920","param921","param922","param923","param924","param925","param926","param927","param928","param929","param930","param931","param932","param933","param934","param935","param936","param937","param938","param939","param940","param941","param942","param943","param944","param945","param946","param947","param948","param949","param950","param951","param952","param953","param954","param955","param956","param957","param958","param959","param960","param961","param962","param963","param964","param965","param966","param967","param968","param969","param970","param971","param972","param973","param974","param975","param976","param977","param978","param979","param980","param981","param982","param983","param984","param985","param986","param987","param988","param989","param990","param991","param992","param993","param994","param995","param996","param997","param998","param999","param1000","param1001","param1002","param1003","param1004","param1005","param1006","param1007","param1008","param1009","param1010","param1011","param1012","param1013","param1014","param1015","param1016","param1017","param1018","param1019","param1020","param
1021","param1022","param1023","param1024","param1025","param1026","param1027","param1028","param1029","param1030","param1031","param1032","param1033","param1034","param1035","param1036","param1037","param1038","param1039","param1040","param1041","param1042","param1043","param1044","param1045","param1046","param1047","param1048","param1049","param1050","param1051","param1052","param1053","param1054","param1055","param1056","param1057","param1058","param1059","param1060","param1061","param1062","param1063","param1064","param1065","param1066","param1067","param1068","param1069","param1070","param1071","param1072","param1073","param1074","param1075","param1076","param1077","param1078","param1079","param1080","param1081","param1082","param1083","param1084","param1085","param1086","param1087","param1088","param1089","param1090","param1091","param1092","param1093","param1094","param1095","param1096","param1097","param1098","param1099","param1100","param1101","param1102","param1103","param1104","param1105","param1106","param1107","param1108","param1109","param1110","param1111","param1112","param1113","param1114","param1115","param1116","param1117","param1118","param1119","param1120","param1121","param1122","param1123","param1124","param1125","param1126","param1127","param1128","param1129","param1130","param1131","param1132","param1133","param1134","param1135","param1136","param1137","param1138","param1139","param1140","param1141","param1142","param1143","param1144","param1145","param1146","param1147","param1148","param1149","param1150","param1151","param1152","param1153","param1154","param1155","param1156","param1157","param1158","param1159","param1160","param1161","param1162","param1163","param1164","param1165","param1166","param1167","param1168","param1169","param1170","param1171","param1172","param1173","param1174","param1175","param1176","param1177","param1178","param1179","param1180","param1181","param1182","param1183","param1184","param1185","param1186","param1187","p
aram1188","param1189","param1190","param1191","param1192","param1193","param1194","param1195","param1196","param1197","param1198","param1199","param1200","param1201","param1202","param1203","param1204","param1205","param1206","param1207","param1208","param1209","param1210","param1211","param1212","param1213","param1214","param1215","param1216","param1217","param1218","param1219","param1220","param1221","param1222","param1223","param1224","param1225","param1226","param1227","param1228","param1229","param1230","param1231","param1232","param1233","param1234","param1235","param1236","param1237","param1238","param1239","param1240","param1241","param1242","param1243","param1244","param1245","param1246","param1247","param1248","param1249","param1250","param1251","param1252","param1253","param1254","param1255","param1256","param1257","param1258","param1259","param1260","param1261","param1262","param1263","param1264","param1265","param1266","param1267","param1268","param1269","param1270","param1271","param1272","param1273","param1274","param1275","param1276","param1277","param1278","param1279","param1280","param1281","param1282","param1283","param1284","param1285","param1286","param1287","param1288","param1289","param1290","param1291","param1292","param1293","param1294","param1295","param1296","param1297","param1298","param1299","param1300","param1301","param1302","param1303","param1304","param1305","param1306","param1307","param1308","param1309","param1310","param1311","param1312","param1313","param1314","param1315","param1316","param1317","param1318","param1319","param1320","param1321","param1322","param1323","param1324","param1325","param1326","param1327","param1328","param1329","param1330","param1331","param1332","param1333","param1334","param1335","param1336","param1337","param1338","param1339","param1340","param1341","param1342","param1343","param1344","param1345","param1346","param1347","param1348","param1349","param1350","param1351","param1352","param1353","param1354
","param1355","param1356","param1357","param1358","param1359","param1360","param1361","param1362","param1363","param1364","param1365","param1366","param1367","param1368","param1369","param1370","param1371","param1372","param1373","param1374","param1375","param1376","param1377","param1378","param1379","param1380","param1381","param1382","param1383","param1384","param1385","param1386","param1387","param1388","param1389","param1390","param1391","param1392","param1393","param1394","param1395","param1396","param1397","param1398","param1399","param1400","param1401","param1402","param1403","param1404","param1405","param1406","param1407","param1408","param1409","param1410","param1411","param1412","param1413","param1414","param1415","param1416","param1417","param1418","param1419","param1420","param1421","param1422","param1423","param1424","param1425","param1426","param1427","param1428","param1429","param1430","param1431","param1432","param1433","param1434","param1435","param1436","param1437","param1438","param1439","param1440","param1441","param1442","param1443","param1444","param1445","param1446","param1447","param1448","param1449","param1450","param1451","param1452","param1453","param1454","param1455","param1456","param1457","param1458","param1459","param1460","param1461","param1462","param1463","param1464","param1465","param1466","param1467","param1468","param1469","param1470","param1471","param1472","param1473","param1474","param1475","param1476","param1477","param1478","param1479","param1480","param1481","param1482","param1483","param1484","param1485","param1486","param1487","param1488","param1489","param1490","param1491","param1492","param1493","param1494","param1495","param1496","param1497","param1498","param1499","param1500","param1501","param1502","param1503","param1504","param1505","param1506","param1507","param1508","param1509","param1510","param1511","param1512","param1513","param1514","param1515","param1516","param1517","param1518","param1519","param1520","param
1521","param1522","param1523","param1524","param1525","param1526","param1527","param1528","param1529","param1530","param1531","param1532","param1533","param1534","param1535","param1536","param1537","param1538","param1539","param1540","param1541","param1542","param1543","param1544","param1545","param1546","param1547","param1548","param1549","param1550","param1551","param1552","param1553","param1554","param1555","param1556","param1557","param1558","param1559","param1560","param1561","param1562","param1563","param1564","param1565","param1566","param1567","param1568","param1569","param1570","param1571","param1572","param1573","param1574","param1575","param1576","param1577","param1578","param1579","param1580","param1581","param1582","param1583","param1584","param1585","param1586","param1587","param1588","param1589","param1590","param1591","param1592","param1593","param1594","param1595","param1596","param1597","param1598","param1599","param1600","param1601","param1602","param1603","param1604","param1605","param1606","param1607","param1608","param1609","param1610","param1611","param1612","param1613","param1614","param1615","param1616","param1617","param1618","param1619","param1620","param1621","param1622","param1623","param1624","param1625","param1626","param1627","param1628","param1629","param1630","param1631","param1632","param1633","param1634","param1635","param1636","param1637","param1638","param1639","param1640","param1641","param1642","param1643","param1644","param1645","param1646","param1647","param1648","param1649","param1650","param1651","param1652","param1653","param1654","param1655","param1656","param1657","param1658","param1659","param1660","param1661","param1662","param1663","param1664","param1665","param1666","param1667","param1668","param1669","param1670","param1671","param1672","param1673","param1674","param1675","param1676","param1677","param1678","param1679","param1680","param1681","param1682","param1683","param1684","param1685","param1686","param1687","p
aram1688","param1689","param1690","param1691","param1692","param1693","param1694","param1695","param1696","param1697","param1698","param1699","param1700","param1701","param1702","param1703","param1704","param1705","param1706","param1707","param1708","param1709","param1710","param1711","param1712","param1713","param1714","param1715","param1716","param1717","param1718","param1719","param1720","param1721","param1722","param1723","param1724","param1725","param1726","param1727","param1728","param1729","param1730","param1731","param1732","param1733","param1734","param1735","param1736","param1737","param1738","param1739","param1740","param1741","param1742","param1743","param1744","param1745","param1746","param1747","param1748","param1749","param1750","param1751","param1752","param1753","param1754","param1755","param1756","param1757","param1758","param1759","param1760","param1761","param1762","param1763","param1764","param1765","param1766","param1767","param1768","param1769","param1770","param1771","param1772","param1773","param1774","param1775","param1776","param1777","param1778","param1779","param1780","param1781","param1782","param1783","param1784","param1785","param1786","param1787","param1788","param1789","param1790","param1791","param1792","param1793","param1794","param1795","param1796","param1797","param1798","param1799","param1800","param1801","param1802","param1803","param1804","param1805","param1806","param1807","param1808","param1809","param1810","param1811","param1812","param1813","param1814","param1815","param1816","param1817","param1818","param1819","param1820","param1821","param1822","param1823","param1824","param1825","param1826","param1827","param1828","param1829","param1830","param1831","param1832","param1833","param1834","param1835","param1836","param1837","param1838","param1839","param1840","param1841","param1842","param1843","param1844","param1845","param1846","param1847","param1848","param1849","param1850","param1851","param1852","param1853","param1854
","param1855","param1856","param1857","param1858","param1859","param1860","param1861","param1862","param1863","param1864","param1865","param1866","param1867","param1868","param1869","param1870","param1871","param1872","param1873","param1874","param1875","param1876","param1877","param1878","param1879","param1880","param1881","param1882","param1883","param1884","param1885","param1886","param1887","param1888","param1889","param1890","param1891","param1892","param1893","param1894","param1895","param1896","param1897","param1898","param1899","param1900","param1901","param1902","param1903","param1904","param1905","param1906","param1907","param1908","param1909","param1910","param1911","param1912","param1913","param1914","param1915","param1916","param1917","param1918","param1919","param1920","param1921","param1922","param1923","param1924","param1925","param1926","param1927","param1928","param1929","param1930","param1931","param1932","param1933","param1934","param1935","param1936","param1937","param1938","param1939","param1940","param1941","param1942","param1943","param1944","param1945","param1946","param1947","param1948","param1949","param1950","param1951","param1952","param1953","param1954","param1955","param1956","param1957","param1958","param1959","param1960","param1961","param1962","param1963","param1964","param1965","param1966","param1967","param1968","param1969","param1970","param1971","param1972","param1973","param1974","param1975","param1976","param1977","param1978","param1979","param1980","param1981","param1982","param1983","param1984","param1985","param1986","param1987","param1988","param1989","param1990","param1991","param1992","param1993","param1994","param1995","param1996","param1997","param1998","param1999","param2000","param2001","param2002","param2003","param2004","param2005","param2006","param2007","OldBadMemoryRangesCount","NewBadMemoryRangesCount","ROIWidth","ROIHeight","ROIX","ROIY","OutWidth","OutHeight","Subband","BitStreamFormat","IgnoreOverlap","Disca
rdAlpha","TcpIpChecksum","TcpLargeSend","Ieee8021Q","NrtNameResolutionId","TcpSendOffloadsSupplementalInfo","SwitchForwardingDetail","GftOffloadInfo","LogicalPersistentMemoryDiskGuid","The_Peer_Name_Resolution_Protocol_cloud_did_not_start_because_the_creation_of_the_default_identity_failed_with_error_code","CAD","MeterId","DefaultSamplingPeriodInMs","MeterNameLength","MeterName","MeteredHardwareCount","MeteredHardwareName","ChannelNameLength","AbsoluteEnergy","AbsoluteTime","MeterType","PeriodInMs","SourceArchitecture","TargetArchitecture","TargetServerArchitecture","CabFileName","DeviceSection","DriverModelVersion","RegistryKey1","RegistryKey2","Jobs","DeviceObjectInstanceIdentifier","MissingManifest","MultipleManifests","NumProcessors","Acknowledged","PlmRequestedPriority","EffectivePriority","ActivationFlags","ApplicationNameSize","CurrentDirectorySize","DllNameSize","InterfaceCLSID","DisplayNameSize","FullImagePathSize","FullImagePath","PropertyFmtid","PropertyPid","PropertyPublisher","PropertyProduct","PropertySourceUrl","KeepPropertyCanonicalName","KeepPropertyPropertyKey","KeepPropertyPublisher","KeepPropertyProduct","KeepPropertySourceUrl","OmitPropertyCanonicalName","OmitPropertyPropertyKey","OmitPropertyPublisher","OmitPropertyProduct","VerboseLog","PortNo","DebugParam","SHA1_Certificate_Hash","SHA256_Certificate_Hash","SHA1CertificateHash","SHA256CertificateHash","CertificateName","RB_HistoryCount","RB_BootPlanAge","RB_DiskAssessmentRPM","ProcessKey","UserActive","LengthInBytes","Read","PartialBmpHit","InternalInterface","InternetInterface","Topology","PrefixType","ConnectionURL","ms_all_packets_throughout_connection","HistoryMs","MaxRecentTimeNoPacketMs","MaxTotalTimeNoDataMs","MaxTotalTimeNoHeartbeatMs","MaxTotalTimeNoPacketMs","TimeNoLastPacketMs","OnlineUi","FuncHr","CpuReserve","HardCpuLimit","FreezeProcess","MemoryLimit","NoCpuReservation","CommitUsage","PeakCommitUsage","SharedCommit","NonPagedPool","PagedPool","cmsAcquireDelay","fForcePending","pe
ndtype","callerPid","grfFlags","fPending","ExternalNotificationType","ReleaseReason","CommitAdjustment","NotificationLowLimit","NotificationHighLimit","CommitCap","FailedAllocationSize","RebootDecision","CpuRate","HardMemoryLimit","NotifyMemoryLowLimit","NotifyMemoryHighLimit","IsBlockedByWFP","RPC ProtocolSequence","RPCProtocolSequence","RPCEndpoint","ExpectedInterfaceID","ReceivedInterfaceID","WnfStateNameData0","WnfStateNameData1","CredHandle","ServerRefreshIntervalInSeconds","DriveRefreshIntervalInSeconds","VolumeRefreshIntervalInSeconds","VmRefreshIntervalInSeconds","VSwitchRefreshIntervalInSeconds","JobsRefreshIntervalInSeconds","CacheDumpIntervalInSeconds","RepeatCount","ReferenceTime","UsesFilter","UsesPropertyHandler","ITrans","ResID","CrawlNumber","CrawlType","Extra1","Extra2","Extra3","QueryText","Rowset","Chapter","RowsToSkip","RowsRequested","RowsReturned","WaitHint","CheckPoint","ProjectPtr","IsCompact","CacheCapacity","MaxWID","SDID","MemAvail","MemTreshold","IsLow","ACLineStatus","BackOffOnBattery","IsBackOffNeeded","BatteryFlag","BatteryLifePercent","LowBatteryThreshold","DiskAvail","LowDiskThreshold","IsUserActive","Idle","MaxIdle","IsHigh","HighIOThreshold","NotificationRate","HighNotificationThreshold","PendingNotifications","NotificationsForceAtMost","NotificationsForced","LastIndexNewItemReason","IndexNewItemReason","BackoffReason","AllReasons","FeatureDisabled","BackoffRecoveryIsON","ProcessNotifications","BackOffOnPendingNotifications","PendingHiPriNotifications","BackOffOnPowerSetting","XPScreenSaverAndNoBattery","Merging","OldPrefix","NewPrefix","NoRun","SystemSetupOver","CrawlNo","IsCatalogLevel","StartPageName","StartPageRefID","CrawlIsInProgress","IsDone","hrCode","StartAddressId","DocId","hrTransactionError","ChangeAdvice","TransactionURL","ElementCount","SearchRootURL","ScopeRuleURL","IsIncluded","IsInclude","FollowFlags","OverrideChildren","HasChildRule","HasParentRule","NumWID","GathererCodeLocation","TransactionsInFile","Transaction
sInMemory","TransactionQueueLength","TransactionsInFileNotifications","TransactionsInMemoryNotifications","TransactionQueueLengthNotifications","TransactionsHighLimit","TransactionsLowLimitPerCrawl","TransactionsHighLimitPerCrawl","TransactionsInIncrementalQueue","TransactionsInNotificationQueue","TansactionsInNotificationHighPriorityQueue","Qid","ObjectWid","KeyPid","GroupPids","KeyStr","KeyStartPid","KeyEndStr","UseQueryPerfOpt","Restarted","IndexIds","TotalSizeInPages","MaxWid","WordListId","KeyTargetPid","KeyTargetStr","RowSeekMethod","RowOffset","Bookmarks","Numerator","Denominator","WidStart","RequestedRows","RowsTransferred","TextPrefix","LocaleID","CBID","DocCount","Scheduled","AvailableCBCount","DirtyCBCount","InUseCBCount","PublishedCBCount","DocID","PropID","Indexed","OutstandingAdds","OutstandingModifies","Passes","DesiredPosition","CurrentPosition","IdxName","IsShadow","ColumnType","SeekType","HasStartVariant","HasEndVariant","ExcludeStartVariant","ExcludeEndVariant","RangeSet","Cursor","WhereID","LocaleSource","IncrementCallID","LocaleOriginal","LocaleSubstitute","TopLCID","TopScore","SecondLCID","SecondScore","SuccessEvent","Paths","CreatorProcessId","CreatorProcessTime","CreatorProcessName","ImageSHA256","ImageSHA1","ImageMD5","MotW","Elevated","CreatorProcessStartKey","CommandLineTruncated","ImageLSH","MitigationPolicy","EnterprisePolicy","InferredParentProcessId","InferredParentProcessTime","InferredParentProcessName","InferredParentProcessStartKey","CiIsSigningChainValid","CiIsMicrosoftRoot","CiIsMicrosoftApplicationRoot","CiSigningLevel","ImageOriginalName","CreationAnomalies","InitialThreadId","InitialThreadStartAddress","WindowFlags","ShowWindowFlags","StandardInputDeviceType","StandardOutputDeviceType","StandardErrorDeviceType","DesktopInfo","DriverUnloadTime","DriverLoadTime","Dispositon","RequestSource","IsSensitive","NewKey","Hive","RestoreFlags","NewHive","OldValueDataType","OldValueDataSize","OldValueCopiedSize","OldValueData","NewValueDa
taType","NewValueDataSize","NewValueCopiedSize","NewValueData","VolReadOffset","VolReadSize","VolumeShadowCopy","ValueDataSize","ValueCopiedSize","ValueData","RemoteClientsAccess","NamedPipeEnd","TargetProcessTime","TargetThreadStartAddress","StartAddressVadQueryResult","StartAddressVadAllocationBase","StartAddressVadAllocationProtect","StartAddressVadRegionType","StartAddressVadRegionSize","StartAddressVadProtect","SourceProcessStartKey","MappedModuleName","TargetProcess","Desktop","Duplicate","Kernel","VolWriteOffset","VolWriteSize","SystemModeImage","LoadImageAddress","LoadImageSize","ImageSignatureLevel","ImageDeviceType","ImageDeviceCharacteristics","ImageDeviceFlags","ImageSignatureType","CurrentCodeIntegrityOptions","OriginalCodeIntegrityOptions","AffectedProcessId","AffectedProcessTime","CurrentTokenPointer","CurrentTokenSource","CurrentTokenPrivPresent","CurrentTokenPrivEnabled","CurrentTokenPrivEnabledByDefault","CurrentTokenIntegrityLevel","CurrentTokenUserSid","PreviousTokenPointer","PreviousTokenSource","PreviousTokenPrivPresent","PreviousTokenPrivEnabled","PreviousTokenPrivEnabledByDefault","PreviousTokenIntegrityLevel","PreviousTokenUserSid","OriginalTokenPointer","OriginalTokenSource","OriginalTokenPrivPresent","OriginalTokenPrivEnabled","OriginalTokenPrivEnabledByDefault","OriginalTokenIntegrityLevel","OriginalTokenUserSid","SystemTokenPointer","InlineCheck","AffectedProcessStartKey","PrimaryTokenFrozen","ParentTokenIntegrityLevel","NormalizedSharePath","OpenDirection","CurrentDaclPointer","CurrentDaclValidAceList","CurrentDaclAceCount","CurrentDaclSids","CurrentDaclAccessMaskBlobSize","CurrentDaclAccessMasks","PreviousDaclPointer","PreviousDaclValidAceList","PreviousDaclAceCount","PreviousDaclSids","PreviousDaclAccessMaskBlobSize","PreviousDaclAccessMasks","OriginalDaclPointer","OriginalDaclValidAceList","OriginalDaclAceCount","OriginalDaclSids","OriginalDaclAccessMaskBlobSize","OriginalDaclAccessMasks","CallerAddress","BackTraceSize","BackTrace","
TargetCodeSize","TargetCode","CallerCodeSize","CallerCode","IsSynchronous","SuspiciousPointerIndex","TableSize","Table","CodeSize","OriginalCreationTime","OriginalLastAccessTime","OriginalLastWriteTime","OriginalChangeTime","ModifiedCreationTime","ModifiedLastAccessTime","ModifiedLastWriteTime","ModifiedChangeTime","DriverInit","DriverStartIo","DriverUnload","MajorFunctionArraySize","MajorFunctionArray","FastIoDispatchArraySize","FastIoDispatchArray","SuspiciousDispatchBitmap","ContextInfoArraySize","ContextInfoArray","FileOpenSource","OriginalSecurityDescriptor","OriginalCommandLine","ModifiedCommandLine","CorruptedCommandLine","MaximumVolumeSpace","DriverOriginalName","IsEnforced","OperationBlocked","RegistryOperations","TimeBeforeAcquiringLock","TimeAfterAcquiringLock","TimeBeforeReleasingLock","StatusOplockAcquiring","StatusFileOpening","StatusDuplicateHandle","OpenFlags","StatusBeforeRetry","StatusOfRetry","StatusAfterRetry","IoFunction","SuspiciousEntryIndex","ModuleTag","IsBlocked","IsExistingConnection","IsLowPriorityInit","SenseCM","NumSubscribers","BitSize","ExpectedBitSize","ReportCount","ExpectedReportCount","Exponent","ExpectedExponent","IoctlType","SensorObj","CollectionListPtr","Sensor","DriverCollectionList","BufferCollectionList","progressTicks","initialLastBootTime","currentLastBootTime","alreadyRebooted","ExecutionPhase","NewStartType","NewValueName","ServiceHostName","LoadOrderGroup","SvchostGroup","IsCritical","IsUserService","IsOwnProcess","SourceFunction","EnableSharingErrorDetails","DWORD3","ReadyForInputScenario","CredProvUsageScenario","CredProvCount","IsLogonScenario","IsFirstLogon","DWORD4","DWORD5","OutstandingTasks","TasksCancelled","InvokeObject","DeviceHandler","MaxResults","iGroup","iItem","fWaitingOnRealization","pszTemplate","pszName","FakeShutdownReason","WParam","LParam","WTSFlags","SizeX","SizeY","QueryId","ImageQualityFlags","IconSize","CompletionDelta","SecondTimeDelta","WindowSumOfRates","CalculatedRate","PointsCurrent","Poin
tsTotal","SizeCurrent","SizeTotal","ItemsCurrent","ItemsTotal","WorkDone","NewMean","AverageMean","Estimate","IsBytesPerSecond","DROPEFFECT","pszOperationSource","pszOperationDestination","IsOperationUndo","UndoFlags","FromIconSize","ToIconSize","fVal","uMode","uAnimationType","EXTENDED_NAME_FORMAT","nIcons","uReasonForDelete","HWNDSrc","HWNDThumbnail","iId","fFromGlom","fShowText","pObj","nTotalHeight","nTotalFixedHeight","IsFlashed","EventReadyState","IItemCollection","ICollectionEventSink","WPARAM","LPARAM","BrowserId","InstalledVersion","StoreVersion","CLSIDTextService","LangId","LangProfile","QueryLen","AltCount","AnimId","ElemId","IsUILess","IsIntegratable","Events","Flushed","Batched","ANIMATIONTYPE","AnimationTime","BackBuffersUsed","SetRedrawCount","TimeToNextTick","dwColorChosen","uImageWidth","uImageHeight","fFillChosenOverFit","uMonitorWidth","uMonitorHeight","pszBranchToRun","pszKeyName","activeSetupDisabled","allowTaskOverride","taskEnabled","pszPathName","CandidateCount","CandidateToFocusIndex","PageToFocusIndex","ButtonType","EnumValue","AppliesTo","ItemPath","ScopeAffetcedItems","ItemSyncState","ItemSyncStatus","ItemSyncStatusDescription","ItemSyncStatusAction","TileID","TileCount","IsEnthusiastMode","TopViewId","NumExtensionFilters","AppQuery","UserQuery","FolderDepth","IndexerOption","NumSortEntries","CountBytesRequested","KnownItemRequested","RequestedSize","LifetimeOption","HasAccess","szFilename","FormatId","psi","grfMode","IndexFrom","IndexTo","psiFolder","szPlaylistName","TileAutomationID","AnimationStatus","GotRealDevice","VerticalResolution","HorizontalResolution","VerticalSize","HorizontalSize","ComputedScaleFactor","ComputedDPI","ChangedFlags","ParentShortcutPath","NewValues","ValuesToChange","FileCompletionState","QuestionID","QuestionType","Answer","FollowupAnswer","ImageCount","OnPrimaryMonitor","LayoutChosen","EnterLayout","ExitLayout","AmbientLayout","DualMonitorSourcing","PossibleLayoutRegions","ImageWidth","ImageHeight","FullRefres
h","WasInitialized","BucketSize","ValidatedItems","MeetsLayoutConstraints","MeetsTimeConstraints","MeetsSlideReuseConstraints","TargetIsURL","BlockerNameLength","BlockerName","ActiveTimeAndCommonData","TopLevelActiveTime","BlockerHierarchyLevel1","BlockerHierarchyLevel2","BlockerHierarchyLevel3","ParentBlockerGuid","ActiveTimeBuckets","ActiveTimePerBucket","UnattributedActiveTimeBuckets","UnattributedActiveTimePerBucket","NonActiveTime","NonActiveTimeBuckets","NonActiveTimePerBucket","UnattributedNonActiveTimeBuckets","UnattributedNonActiveTimePerBucket","BlockerType","DeviceHardwareIdLength","DeviceHardwareId","ResourceFileNameLength","ResourceFileName","SubstitutionStringCount","SubstitutionStrings","CsEnterReason","CurrentSystemTime","PreVetoCount","IRTruncatePercentage","AudioDurationInUs","EnergySaverPolicy","VideoTimeoutInSec","LockConsoleTimeoutInSec","StandbyTimeoutInSec","EnergyDrainV2Flags","EnergyDrainV2","DirectedDripsTransitionCount","IsHibernateEnabled","HibernateTimeoutInSec","HibernateBudgetPercentage","IsLockConsoleTimeoutActive","IsDebuggerEnabled","RemainingSleepTimeoutInSeconds","IdleTimeoutSource","UserConnectivitySetting","RemoteDesktopEnabled","BIRequestActive","TimerRebaseThresholdInSec","CumulativeTimerRebaseInUs","AusterityMode","NonDripsIdleCpuInUs","IdleMinDurationInUs","IdleMaxDurationInUs","IdleTotalDurationInUs","BatteryRemainingCapacity","BatteryFullChargeCapacity","ExternalMonitorState","RemainingBatteryCapacity","MaxBatteryCapacity","RequestorCallerType","RequestorProcessId","RequestorServiceTag","RequestorDescriptionLength","RequestorDescription","WakeSrcFriendlyNameLength","WakeSrcFriendlyName","WakeSrcClassNameLength","WakeSrcClassName","WakeSrcAttributeReason","BootAppCheckpoint","BatteryChargeLimitingMode","BatteryChargingStatePowerSupplyPresent","BatteryChargingStateAdequate","BatteryTripPointSupported","BlockerHandle","BlockerActive","CollectionActive","BlockerId","CollectionNameLength","ScDeviceEnumGuid","ParamType","Protoco
lVersion","MaxReadWriteSize","MaxFragmentedReceiveSize","MaxSendSize","MaxFragmentedSendSize","InboundReadDepth","OutboundReadDepth","RcqProcessorGroup","RcqProcessorMask","RcqProcessorIndex","ScqProcessorGroup","ScqProcessorMask","ScqProcessorIndex","NegotiatedVersion","HidReadRequest","ElementsExamined","ElementsAdded","CrossProcCalls","_Reset","MinutesSinceLastIncident","EnergyConsumptionTrackedDurationInMinutes","ChargeCapacityRatio","MinTimePeriod","TriggerDrainRate","PoDc","MonitorOn","LongTermTimer","AppIdType","FgCyclesInMillions","BgCyclesInMillions","FgBytesReadInKB","Costed","BytesSentInKB","BytesReceivedInKB","StartNameResTrigger","PackageDependencyPrimaryKey","PackageDependencyUser","PackageDependencyPackageFamilyName","PackageDependencyMinVersion","PackageDependencyArchitectures","PackageDependencyLifetimeKind","PackageDependencyLifetimeArtifact","PackageDependencyFlags","PackageDependencyProcessId","CurrentBatteryPercent","TimeSinceLastLogged","BatteryDrainInfoFlags","AskedToMoveToFlash","AskedToMoveToDisk","MovedToFlash","MovedToDisk","ProcessTimeInMinutes","DefragTimeInMinutes","NumberEntries","CurrentLength","RequestedOffset","RequestedLength","NumberOfCopies","InSyncCopies","MediaFailureCopies","FromNameLength","ToNameLength","FromName","ToName","ArgsCount","CurrentWorkingDirectory","InheritEnvironment","FullCommandline","StoreBitmap","ScoreLevel","ContainerKey","InterpretedPid","TotalPrivate","AllocPages","AllocCount","FreeCount","Fragmentation","CommitPages","ActivePages","Processes","Handles","Objects","Threads","PrivateWS","TotalWS","ProcessAgeMHiandAppStateLo","PagesCombined","AppKey","PredictionPurpose","Probability","SecondsSpentInQueue","CPUUtilization","DiskUtilization","GPUUtilization","ModifiedMemory","OkToPrelaunch","FullPackageName","LongLookahead","BenefitScore","AppNameKey","NewFailCount","LaunchResult","Requeue","AppStatus","AppSkipReason","TimeFromPrefetchToSwitchInMS","NewBenefitScore","NewAggregateBenefitScore","ReasonsNotToPref
etch","ACPowered","PreviousPrefetchTime","PrefetchCount","StartScanAfter","ManualRemediationStateChangeCheckInterval","ManualRemediationTimeoutInterval","lParam","IsOnEditField","EventOriginProcess","OrginType","IsRegularKeyPress","InLaptopMode","eMethod","ForegroundHwnd","fOptedIntoFocusTracking","Caret_left","Caret_top","Caret_right","Caret_bottom","CaretWnd_left","CaretWnd_top","CaretWnd_right","CaretWnd_bottom","Caret_Flags","CaretHwnd","CaretVisible","NumberOfKeys","HKL","gutter","IsSplitLayout","LeftBumpId","RightBumpId","IsLKey","KeyLocation","ToScope","PasswordMode","LMCapabilites","PreContext","PostContext","Character","probability","TopPrediction","Alternate1","Alternate2","Alternate3","KeyboardState","RawText","TextBeingReplaced","FixedText","FixedTextSuffix","FluidText","FixedTextAlternates","NewThumbSize","PhysicalWidthInHiMetric","PhysicalHeightInHiMetric","WaveFileResourceID","IMEMode","KeyFired","IP_Left","IP_Top","IP_Right","IP_Bottom","Monitor_Left","Monitor_Top","Monitor_Right","Monitor_Bottom","Keyboard","Landscape","StoryBoardID","intvalue","ContactsDownCount","PacketsInContactCount","HistoryPacketsInContactCount","GestureId","promotionFlags","InteractionId","scrollMode","NoIdleReason","DATA1","DATA2","TimeSinceUserNotPresent","DATA","EnablePMTUDiscovery","TcpUseRFC1122UrgentPointer","DisableTaskOffload","EnablePMTUBHDetect","DisableTcpChimneyOffload","DisableRss","EcnCapability","TcpMaxDataRetransmissions","KeepAliveTime","KeepAliveInterval","TcpTimedWaitDelay","SillyWindowTimeout","TcpFinWait2Delay","Tcp1323Opts","AutoTuningLevelLocal","AutoTuningLevelGroupPolicy","AoAcCapable","BitmapPatternSupported","ARPNDOffloadSupported","IPAddressWakeReady","PatternPriority","HasBeenAoAcCapable","PrDestinationPrefixLength","PrDestinationPrefixAddressLength","PrDestinationPrefix","PrNextHopAddressLength","PrNextHopAddress","PrInterfaceIndex","PrInterfaceMetric","PrRouteMetric","NonPrDestinationPrefixLength","NonPrDestinationPrefixAddressLength","NonPrDest
inationPrefix","NonPrNextHopAddressLength","NonPrNextHopAddress","NonPrInterfaceIndex","NonPrInterfaceMetric","NonPrRouteMetric","PreferenceReason","OldProbeCount","NewProbeCount","OldUnreachablePaths","NewUnreachablePaths","OldMovedPaths","NewMovedPaths","OldStateChangeTick","NewStateChangeTick","DgdNeedsReset","OldBasetime","NewBasetime","EnteredStandbySystemTickCount","ValidLifetimeHighWaterTickCount","PacketsIndicated","PacketsReturned","PacketsInjected","PacketsCloned","PacketsClonedWithNBSplit","PacketsDropped","PacketsSilentlyDropped","SourceIpAddress","PrefixValue","FlagsValue","IsRoute","IsSitePrefix","IsRouterAddress","IsAutonomous","IsOnLink","Multiparty","DisconnectInitiator","DisconnectDetailsGroup","DisconnectDetailsGppLocation","DisconnectDetailsGppCause","CurrentVideoCallingEnabled","VideoCallingSetting","CacheVideoCallingSetting","TargetVideoCallingEnabled","anyCallNeedsAudio","anyCallNeedsAudioActive","localHoldSupported","ConferenceContextId","UpdatedState","dwTotalNumberOfDetailItems","dwNumberOfSummaryItems","dwMwiType","dwNumberOfNewMessages","dwNumberOfOldMessages","dwNumberOfNewUrgentMessages","dwNumberOfOldUrgentMessages","TargetAudioType","CurrentAudioType","isInHandover","AllowSwap","MinTime","TileMode","HasVoicemail","MissedCallCount","HasLargeContent","videoCallingSetting","cacheVideoCallingSetting","userRequest","TTYEnabled","cellularDataEnabled","UiccPointer","Huiccapp","KeyRef","VerifyCount","UnblockCount","LastSuccessfulSync","TimeInHours","RequestPath","HttpErrorCode","NetworkingErrorCode","TetheringStartResult","EntitlementCheckCompletionTime","MbConnectCompletionTime","ApStartCompletionTime","IcsStartCompletionTime","CompletedTime","WlanInterfaceGuid","dwColorsChanged","pszBackgroundFile","dwColor","TargetProcessCreateTime","TargetProcessSignatureLevel","TargetProcessSectionSignatureLevel","TargetProcessProtection","OriginalProcessId","OriginalProcessCreateTime","OriginalProcessStartKey","OriginalProcessSignatureLevel","OriginalPr
ocessSectionSignatureLevel","OriginalProcessProtection","AllocationType","LastProtectionMask","VaVadQueryResult","VaVadAllocationBase","VaVadAllocationProtect","VaVadRegionType","VaVadRegionSize","VaVadCommitSize","VaVadMmfName","FullRegionSize","ViewSize","TargetThreadAlertable","ApcRoutine","ApcArgument1","ApcArgument2","ApcArgument3","RealEventTime","ApcRoutineVadQueryResult","ApcRoutineVadAllocationBase","ApcRoutineVadAllocationProtect","ApcRoutineVadRegionType","ApcRoutineVadRegionSize","ApcRoutineVadCommitSize","ApcRoutineVadMmfName","ApcArgument1VadQueryResult","ApcArgument1VadAllocationBase","ApcArgument1VadAllocationProtect","ApcArgument1VadRegionType","ApcArgument1VadRegionSize","ApcArgument1VadCommitSize","ApcArgument1VadMmfName","ContextMask","Sp","Lr","Fp","Reg0","Reg1","Reg2","Reg3","Reg4","Reg5","Reg6","Reg7","PcVadQueryResult","PcVadAllocationBase","PcVadAllocationProtect","PcVadRegionType","PcVadRegionSize","PcVadCommitSize","PcVadMmfName","CodeIntegrityOption","PreviousTokenQueryResult","PreviousTokenType","PreviousTokenElevation","PreviousTokenElevationType","PreviousTokenImpersonationLevel","PreviousTokenUser","PreviousTokenTrustLevelCount","PreviousTokenTrustLevel","PreviousTokenSessionId","PreviousTokenLowBoxNumber","PreviousTokenAuthenticationId","PreviousTokenGroupsCount","PreviousTokenGroups","CurrentTokenQueryResult","CurrentTokenType","CurrentTokenElevation","CurrentTokenElevationType","CurrentTokenImpersonationLevel","CurrentTokenUser","CurrentTokenTrustLevelCount","CurrentTokenTrustLevel","CurrentTokenSessionId","CurrentTokenLowBoxNumber","CurrentTokenAuthenticationId","CurrentTokenGroupsCount","CurrentTokenGroups","SyscallEnum","IsSandboxedToken","StatusInformation","ConsumerName","NamedValues","thread_flags","activation_flags","LANGID","event_order","target_tid","params","pdimNewFocus","pdimPrevFocus","langid","DocThread","GainFocus","thread","document","boolean","flags_current","flags_new","tid_current","tid_new","contextFlags","cItem
s","targetRangeLeft","targetRangeTop","targetRangeRight","targetRangeBottom","end","langId","clsId","guidProfile","viewflags","commit","existingTemplates","resolvedTemplates","unresolvedTemplates","invalidXAMLTemplates","secondsNow","value0","numIterations","numComputations","IsCrossMachine","ObjectReference","WindowClassName","ChildId","CoalescedEvents","IsChannelConnection","IsCombinedWithOtherMethod","IsError","ProvidersToAdviseCount","RemoteNodesCount","PartialNodesCount","PeerProcessId","RequestTimeout","RequestedMethod","RequestedTimeout","tcidParent","extraInfo","actionType","wasPressed","gallerySelect","gallery","CInet","fid_DPOutAdapterNumber","fid_DPInAdapterNumber","fid_ReasonCode1","fid_ReasonCode2","fid_UcxDevice","fid_UcxEndpoint","fid_HWVerifierFlag","fid_Description","fid_CommandTRB","fid_EventTRB","fid_TrustletRequestOpCode","fid_InputBufferLength","fid_OutputBufferLength","fid_OutstandingRequestsAtSendTime","fid_TimeInNs","fid_EndpointContextIndex","fid_StreamId","fid_InterrupterNumber","fid_EventsProcessed","fid_isEventRingEmpty","TaskFlowID","MDMCertEnrollmentReady","ADFSRaReady","RATemplateReady","ADFSPrtPresent","MDMAppID","EffectiveSid","RoleGuid","SchemeGuid","SubgroupGuid","ValueIndex","ManufactureDay","ManufactureMonth","ManufactureYear","Technology","Pad","Chemistry","DefaultAlert1","DefaultAlert2","CriticalBias","GranularityScaleCount","GranularityScale","EstimatedRuntime","BrightnessCapable","SamplingPeriod","ProcessorVendor","SchemePersonalityGuid","UserContextToken","Supported","GlobalUserPresent","UserPredictionMode","MinConfidence","LastUserAwayEndSystemTime","IntervalCount","AwayIntervals","UserAwayEndSystemTime","SystemTimeShift","EffectiveBrightnessPercentage","EffectiveBrightnessMillinits","NewBrightnessTransitionTime","DimmingTransitionTime","DimmedBrightnessPercentage","DimmedBrightnessMillinits","NewDimmedTransitionTime","UnDimmingTransitionTime","TimeInStandby","RemainingBatteryPercentage","RemainingBatteryTime","ReserveBatte
ryTime","ExecuteAction","DataSources","StandbyBatteryDrainPercentage","BatteryDrainPercentageThreshold","ActualTimeRange","GpuCount","IdV2","OverlaySchemeGuid","AcOverlay","IsSystem","IsAc","SearchIndex","SearchStartTime","SearchEndTime","EntryTime","ProbabilityThreshold","ConfidenceThreshold","ProbabilityActual","ConfidenceActual","ThresholdCount","Thresholds","OriginalInfName","SubmissionId","FlightIds","CacheFileName","monitorConfig","fPolicyCheckOnly","systemDpi","IsHighContrastMode","StateId","HangingThreadId","TimeoutUsed","PrevChangeStamp","m_pUIWorkItem","IsChildAccount","pSystemModalDialog","AllowsButton","NotAllowsButton","OkButton","bEngageVolumeLimit","RealThreadID","LogDirectoryName","DroppedEvents","OrphanAction","MaxLength","AutoStopAction","PeriodicRestartTime","BadAppRoot","RequiredAppRoot","ListenerAdapter","DynamicIdleLoad","NumWorkerProcesses","TotalCommitMB","PhysMemoryMB","PhysMemoryFreeMB","DynamicIdle","BindingInformation","ConfigErrorDescription","LogEntry","NumKeysFound","PageMode","WebclntLookupServieTrigger","LastBlockId","TotalBytesUploaded","ApicIdValid","AssociationKey","LocalDeviceInformation","RemoteDeviceInformation","DiscoveryTime","aString","LockId","LockLevel","LockName","AcquireQpcCounts","AcquireTimeUs","HoldQpcCounts","HoldTimeMs","CallbackCount","pqmsg","inputReadyTimeMs","pidReceiver","tidReceiver","pQueue","ownerThread","hGestureInfo","fGetMessage","WindowDelegated","WasWindowDelegated","Delegated","WasDelegated","Processed","fDelayedFree","ptOffsetX","ptOffsetY","cursorId","pointerType","pointerFlags","touchMask","ptLocationX","ptLocationY","rcContactLeft","rcContactRight","rcContactTop","rcContactBottom","orientation","ulContactId","PendingPointerCount","hdfResponse","bNew","dwCursorId","wCursorId","wPointerId","dwReason","pti","dwTime","XRawPosition","YRawPosition","XPredictedPosition","YPredictedPosition","dwQEvent","hDCompInputHandle","XformQPCTime","XformStored","XformUpdated","DestinationHwnd","adapterLuid","eventMin
","eventMax","idEventProcess","idEventThread","HookInstance","UsagePage","hwndTarget","ThreadStartAddress","ThreadCreateTime","cWindows","cVisWindows","ThreadInfoFlags","ThreadStartAddressMappedModuleName","ThreadStartAddressQueryResult","ThreadStartAddressVadAllocationBase","ThreadStartAddressVadAllocationProtect","ThreadStartAddressVadRegionType","ThreadStartAddressVadRegionSize","ThreadStartAddressVadProtect","pstrLib","hmod","pfnFilterProc","MsSinceLastKeyEvent","BackgroundCallCount","PreviousStateTime","IsConsoleSession","IdleAction","TimeoutValueMs","IdleStartTime","DisplayTimeoutValueMs","ScreenSaverTimeoutValueMs","DimTimeoutValueMs","DimBrightnessValue","NormalBrightnessValue","hwndDstSprite","hbmDst","DstLeft","DstTop","DstRight","DstBottom","hwndSrcSprite","hbmSrc","bitmapCX","bitmapCY","DirtyLeft","DirtyTop","DirtyRight","DirtyBottom","FULL","Offsetx","Offsety","hSprite","OldThreadId","hLogicalSurfSwapChainBind","ConfirmReason","LastPresentId","LastFrameCount","SyncFrameCount","ProcessIdOwningFocus","ProcessCreateTimeOwningFocus","OldProcessId","hLogicalSurf","hPhysicalSurf","CursorThreadId","CursorProcessId","CursorType","DisplayTimeMs","TimeSinceInputCheckMs","TimeSinceInputRemoveMs","TimeSinceOldestInputMs","TopLevelClassName","DelayTimeMs","bCreated","hDwmSprite","hPhysSurf","rcBounds","rcData","hLogicalSurfSwapChainBinding","DxgiColorFormat","uiPresentLimitSemaphoreId","BindingInfoHandle","DesktopCompositorProcess","DesktopCompositorError","DesktopCompositorRef","DesktopCompositorStatus","pEventConfirmed","cLineWidth","cElements","uId","uElapse","uType","pBatch","batchID","isNinja","SensorOriginated","ActiveProcessId","uCoalescingTolerance","pToken","pCompositionSurfaceObject","QPCTime","XLogicalT","YLogicalT","XLogicalC","YLogicalC","XHimetricT","YHimetricT","Button","Pressure","InputTransformList","PerformanceCount","LastKeyDownTime","LastKeyUpTime","TapTime","OnUp","NeedsUp","CurtainsOn","RenderSourceProcessName","RenderSourcePackageName","Render
TargetProcessName","RenderTargetPackageName","iCursorDim","NewProcessCreateTime","OldProcessCreateTime","IndependentFlip","SkipIndependentFlip","EarlyComposition","submissionTime","submissionDeadline","deferReason","hConnection","AcquireTimeMs","InternalHandle","ExternalHandle","InternalHandleAndChannel","ExternalHandleAndChannel","CreateShared","OpenShared","CommandsCount","VisualInternalHandle","InteractionInternalHandle","VisualInternalHandleAndChannel","InteractionInternalHandleAndChannel","DefaultInteraction","HandleValue","PreviousHandleValue","NewHandleValue","hwndParent","visRgnType","changed","CallerPid","CallerProcessCreateTime","OwnerPid","OwnerProcessCreateTime","ClipboardSequenceNumber","IFlip","IFlipCompleted","ConvertedToNonIflip","RequestDwmConfirm","RequestDwmExit","IndependentFlipCandidate","SignalValue","PresentAtTimeHns","CurrentTimeHns","PresentAtTimeMinusCurrentTimeHns","ContentResource","BufferResource","Displayable","FrameTimeHns","MaxAcceptableTargetTimeHns","PresentTimeMinusFrameTimeHns","CompletedQpc","DurationQpc","PresentQueueDepth","FlipIndex","Packed_High_Height_Low_Width","UIPI_Trace_Header","wParam","HookID","WinEvent","WndHandle","ChildID","SenderTID","QIL","QLBN","ClipFormat","ClipIL","ClipLBN","SysErrorType","TestV1","TestV2","TestV3","TestV4","CallInternalId","callerAppName","searchCriteria","packedScanData","clientVersion","updateId","packedInstallData","handlerResultCode","pdcActivationId","accessType","isInteractiveOrAPIDriven","stopIdleTimer","networkRefCount","systemRefCount","loadunloadinfo","Transporttype","_TestStr0Length","TestStr0","_TestStr1Length","TestStr1","_TestStr2Length","TestStr2","_TestStr0WLength","TestStr0W","_TestStr1WLength","TestStr1W","_TestStr2WLength","TestStr2W","TestStrLength","TestStr","TestStrWLength","TestStrW","StatusLineLength","StatusLine","Order","RemoteAddressIndex","ManifestURL","NegotiationCount","ThreadInfoUIType","LocalFileName","IsIEAppContainer","MasterUrl","MinimizedRDomain","IsCreateCo
ntainer","HstsEntryCount","EntryMaxAge","Redirect","ValidateCreationTime","Factor","TargetSize","LimitType","InternetFlags","TruncatedLength","TruncatedData","IsRemote","ShutdownFlags","SystemShutdownDuration","SkuHasLogoff","StringCount","SyncPrefetchErrorCode","SyncPrefetchDurationMs","LogoffFlags","ResolverData","pNet","WinMLNetNameSize","WinMLNetName","WinMLOpNameSize","WinMLOpName","WinMLOpSectionNameSize","WinMLOpSectionName","WinMLOpErrorStringSize","WinMLOpErrorString","IsInRecovery","LifeTimeUs","LanguageErrorPointer","IsProviderSocket","SocketAccepted","SocketListening","OptName","OptLen","OptVal","TerminateStatus","HealthCheckResult","ConnectionInformation","WFDPairReturnCode","FrameUniqueID","PeerID","QueueState","CustomData1","CustomData2","CustomData3","Retransmit","RxBacklog","CmdLine","SkinPath","ModeSwitcherOption","FilesFound","FilesAdded","FilesSkipped","DirectoriesFound","DirectoriesRemoved","Levels","ToolbarID","ButtonID","Skinformation","Atom","ServerUDN","IWMMediaLibrary","EnableSharing","UpdateACLs","IgnoreUPnPDiscovery","IUPnPDevice","IHMEService","CDSVersion","IsSearchable","SupportsRME","SupportsWakeOnLAN","IHMEProvider","CHMEProvider","IHMECDS","RAMCacheId","IsAuthorized","FireEvent","IsZombie","IsAdding","numberofDMRsFound","IsChecked","IInternetProtocolSink","ASX","PlaylistMgr","IWMPPlaylist","Track","TrackDuration","MetaData","TrackURI","WMPSetupID","fRenderAlreadyExists","SecurityGroup","ChangeCount","RequestedCount","ReturnedCount","TotalMatches","PublishAllAlbumArts","FilterItemCount","SortItemCount","WrittenCount","TotalResultLength","ElementExists","CompatFlags","AttributesWritten","IsSelected","CurrentTagValue","NewTagValue","IsDeviceGiven","IsDeviceAuthorized","IsDeviceValidated","IsValidated","IsAlbumArt","IsStream","IsTranscode","FormatID","OnlyItemsInSearchResults","UPnPClassToReturn","TotalRetry","RefID","ItemsOnly","BrowseIndex","StartingIndex","BrowseChildren","RemoteMACAddress","CountAdded","WMPAtom","BrowseType","Request
sOutstanding","TimeContentRequestsBecameZero","DevicesRemoved","KeepAwake","IdleSecondsUntilMemoryFlush","ServerOrRenderer","NetworkGUID","IsFunctionalDMR","TotalDevicesAdded","DeviceFunctionalCount","TotalUDNRenderersAdded","UDNRenderersFunctionalCount","HasAVTransport","HasRenderingControl","HasConnectionManager","EnableDevice","ShouldDisplayMenu","PictureID","FrameType","VOP","TypeIndex","OrigWidth","OrigHeight","OrigAspectRatioX","OrigAspectRatioY","NewAspectRatioX","NewAspectRatioY","SwitchType","rtLagTime","dwDropModeCurrent","dwPostModeCurrent","dwDropModeNew","dwPostModeNew","D3DAWARE","InterlaceCodingType","BufferLevelInfo","NumberOfReencode","MixedMVCost","OneMVQPBicubicCost","OneMVHPBicubicCost","OneMVHPBilinearCost","IntraCost","ConcurrencyConflict","SourceItemName","SourceSyncGID","DestinationItemName","DestinationSyncGID","DataWinner","NamespaceWinner","AttributesWinner","TieBreakerWinner","ConnectInformationFlags","APIErrorCode","ModemConfigMode","ModemConfigState","ModemConfigReason","PreviousConfigIDLen","PreviousConfigID","CurrentConfigIDLen","CurrentConfigID","IsCurrentConfigDefault","OptServiceCaps","A10_ctxhandle","A11__serviceStatuserrCode","A11_ppInterfaceListdwNumberOfItems","A10_pConnectReservedType","A12_pulConnectionId","A12_ppProfileListdwNumberOfItems","A11_pdwProfileIndex","A12_pdwRoamingProfileIndexpdwRoamingProfileIndex0","A12_ppDMConfigProfileListdwNumberOfItems","A12_pReasonCode","A12_ppTrafficDescriptorListdwNumberOfItems","A10_DimTraceQueryOperation(WwanAsyncGetSetToOid(GetSetType), pDimContext->name, pDataIn, DataInSize, (PVOID)AsyncHandle, dimStatus)","A10_DimTraceSetOperation(WwanAsyncGetSetToOid(GetSetType), pDimContext->name, pDataIn, DataInSize, (PVOID)AsyncHandle, dimStatus)","A10_DimTraceQueryOperation(WwanAsyncGetSetToOid(GetSetType), pDimContext->name, pHeader, BufferSize, (PVOID)AsyncHandle, dimStatus)","A10_DimTraceSetOperation(WwanAsyncGetSetToOid(GetSetType), pDimContext->name, pHeader, BufferSize, 
(PVOID)AsyncHandle, dimStatus)","A10_h->Type","A10_h->Revision","A10_h->Size","A10_pProvider2->Rssi","A10_basicInfo->UserName","A10_basicInfo->Password","A10_lteAttachConfigContext->Enable > 0 ? L'True' : L'False'","A10_lteAttachContext->LteContextArray[i].Enable > 0 ? L'True' : L'False'","A10_pDeviceCaps->uStatus","A10_caps.DeviceId","A10_caps.Model","A10_pInfoRev1->SimIccId","A10_pInfoLatest->SlotId","A10_pServiceActivationStatus->uStatus","A10_pServiceActivationStatus->ServiceActivationStatus.uNwError","A10_pRadioState->uStatus","A10_pPinInfo->uStatus","A10_pPinList->uStatus","A10_pHomeProvider->uStatus","A10_pPreferredProviders->uStatus","A10_pVisibleProviders->uStatus","A10_pRegisterState->uStatus","A10_pPacketServiceState->uStatus","A10_pPacketServiceState->PacketService.uNwError","A10_pSignalState->uStatus","A10_pSignalState->SignalState.Rssi","A10_p->RSRP","A10_p->SNR","A10_pProvisionedContexts->uStatus","A10_pContextState->uStatus","A10_pContextState->ContextState.uNwError","A10_pNdisSmsConfiguration->uStatus","A10_pNdisSmsReceive->uStatus","A10_pNdisSmsSend->uStatus","A10_pNdisSmsDelete->uStatus","A10_pNdisSmsStatus->uStatus","A10_pNdisSmsStatus->SmsStatus.uFlag","A10_pNdisAuthResponse->uStatus","A10_pNdisUssdEvent->uStatus","A10_pDeviceServices->uStatus","A10_pDeviceService->uStatus","A10_pDeviceService->Event.EventID","A10_pDsSupportedCmds->uStatus","A10_pPreshutdownState->uStatus","A10_pPsMediaProfState->uStatus","A10_pSarConfig->uStatus","A10_pTransmissionStatus->uStatus","A10_pLteAttachContext->uStatus","A10_pLteAttachStatus->uStatus","A10_pSysCap->uStatus","A10_pSlotMapping->uStatus","A10_pSlotInfo->uStatus","A10_pCaps->DeviceId","A10_pCaps->Model","A10_pModemConfigStatus->uStatus","A10_pNdisBaseStationsInfo->uStatus","A10_pNwParams->uStatus","A11_pNwParams->NetworkParamsInfo.CurrentMicoIndication","A12_pNwParams->NetworkParamsInfo.CurrentDRXParams","A13_pNwParams->NetworkParamsInfo.TaiList.Size","A14_pNwParams->NetworkParamsInfo.AllowedNssaiList.Siz
e","A15_pNwParams->NetworkParamsInfo.ConfiguredNssaiList.Size","A16_pNwParams->NetworkParamsInfo.RejectedNssaiList.Size","A17_pNwParams->NetworkParamsInfo.DefaultConfiguredNssaiList.Size","A18_pNwParams->NetworkParamsInfo.LadnList.Size","A10__pDimContextselfGuid","A11__pDimContextparentGuid","A10_pDimContextndisVersion","A10_pDimContextname","A10_OidToStringOid","A10_DimTraceQueryOperationWwanAsyncGetSetToOidGetSetTypepDimContextnamepDataInDataInSizePVOIDAsyncHandledimStatus","A10_DimTraceSetOperationWwanAsyncGetSetToOidGetSetTypepDimContextnamepDataInDataInSizePVOIDAsyncHandledimStatus","A10_DimTraceQueryOperationWwanAsyncGetSetToOidGetSetTypepDimContextnamepHeaderBufferSizePVOIDAsyncHandledimStatus","A10_DimTraceSetOperationWwanAsyncGetSetToOidGetSetTypepDimContextnamepHeaderBufferSizePVOIDAsyncHandledimStatus","A10__pContextselfGuid","A11__pContextparentGuid","A11_pDataNormalizationEntrysourceRevision","A12_pNdisHeaderRevision","A11_pDataNormalizationEntryulSourceDataSize","A11_pDataNormalizationEntrysourceVersion","A13_pDataNormalizationEntryulSourceDataSize","A15_pDataNormalizationEntryulTargetDataSize","A10_pDataNormalizationEntryulTargetDataSize","A11_pDataSpecializationEntryulSourceDataSize","A13_pDataSpecializationEntrytargetVersion","A14_pDimContextVersion","A12_pDataSpecializationEntryulTargetDataSize","A12_pDataSpecializationEntrytargetVersion","A13_pDataSpecializationEntryulSourceDataSize","A15_pDataSpecializationEntryulTargetDataSize","A10__contextselfGuid","A10_GetLastError","A11_OidToStringOid","A10_LUNKNOWN","A13_sizeofparams","A10_hType","A10_hRevision","A10_hSize","A10_pProviderProviderId","A10_pProviderProviderState","A10_pProviderProviderName","A10_DataClassToStringInBuffpProviderWwanDataClassBuffMAX_BUFFER_STRING","A10_pProvider2ErrorRate","A10_pProvider2Rssi","A10_CellularClassToStringpProvider2WwanCellularClass","A10_SmsFormatToStringpNdisSmsReadSmsReadSmsFormat","A11_pNdisSmsReadSmsReadSmsFormat","A10_SmsFlagToStringpNdisSmsReadSmsReadReadFi
lterFlag","A11_pNdisSmsReadSmsReadReadFilterFlag","A12_pNdisSmsReadSmsReadReadFilterMessageIndex","A10_pNdisVisibleProviderVisibleProvidersAction","A10_RadioStateToStringpRadioStateRadioAction","A11_pRadioStateRadioAction","A10_PinTypeToStringpSetPinPinActionPinType","A11_pSetPinPinActionPinType","A10_PinOperationToStringpSetPinPinActionPinOperation","A11_pSetPinPinActionPinOperation","A10_pPreferredProvidersPreferredListHeaderElementType","A10_pPreferredProvidersPreferredListHeaderElementCount","A10_pRegisterStateSetRegisterStateProviderId","A10_RegisterActionToStringpRegisterStateSetRegisterStateRegisterAction","A11_pRegisterStateSetRegisterStateRegisterAction","A10_pRegisterStateSetRegisterStateWwanDataClass","A10_pSignalIndicationSignalIndicationRssiInterval","A10_pSignalIndicationSignalIndicationRssiThreshold","A10_PacketServiceActionToStringpSetPacketServicePacketServiceAction","A11_pSetPacketServicePacketServiceAction","A10_pSetContextStateSetContextStateConnectionId","A10_ActivationCommandToStringpSetContextStateSetContextStateActivationCommand","A11_pSetContextStateSetContextStateActivationCommand","A10_pSetContextStateSetContextStateAccessString","A10_CompressionTypeToStringpSetContextStateSetContextStateCompression","A11_pSetContextStateSetContextStateCompression","A10_AuthenticationProtocolTypeToStringpSetContextStateSetContextStateAuthType","A11_pSetContextStateSetContextStateAuthType","A10_pSetProvisionedContextProvisionedContextContextId","A10_ContextTypeToStringpSetProvisionedContextProvisionedContextContextType","A11_pSetProvisionedContextProvisionedContextContextType","A10_pSetProvisionedContextProvisionedContextAccessString","A10_CompressionTypeToStringpSetProvisionedContextProvisionedContextCompression","A11_pSetProvisionedContextProvisionedContextCompression","A10_AuthenticationProtocolTypeToStringpSetProvisionedContextProvisionedContextAuthType","A11_pSetProvisionedContextProvisionedContextAuthType","A10_pSetProvisionedContextProvisionedContext
basicInfoContextId","A10_ContextTypeToStringpSetProvisionedContextProvisionedContextbasicInfoContextType","A11_pSetProvisionedContextProvisionedContextbasicInfoContextType","A10_pSetProvisionedContextProvisionedContextbasicInfoAccessString","A10_CompressionTypeToStringpSetProvisionedContextProvisionedContextbasicInfoCompression","A11_pSetProvisionedContextProvisionedContextbasicInfoCompression","A10_AuthenticationProtocolTypeToStringpSetProvisionedContextProvisionedContextbasicInfoAuthType","A11_pSetProvisionedContextProvisionedContextbasicInfoAuthType","A10_pSetProvisionedContextProvisionedContextOperation","A10_IPTypeToStringpSetProvisionedContextProvisionedContextIPType","A11_pSetProvisionedContextProvisionedContextIPType","A10_pSetProvisionedContextProvisionedContextEnable","A10_pSetProvisionedContextProvisionedContextRoaming","A10_pSetProvisionedContextProvisionedContextMediaType","A10_ConfigurationSourceToStringpSetProvisionedContextProvisionedContextSource","A11_pSetProvisionedContextProvisionedContextSource","A10_pNdisSetSmsConfigurationSetSmsConfigurationScAddress","A10_SmsFormatToStringpNdisSetSmsConfigurationSetSmsConfigurationSmsFormat","A11_pNdisSetSmsConfigurationSetSmsConfigurationSmsFormat","A10_SmsFormatToStringpNdisSmsSendSmsSendSmsFormat","A11_pNdisSmsSendSmsSendSmsFormat","A10_pNdisSmsSendSmsSenduCdmaEncodingId","A10_pNdisSmsSendSmsSenduCdmaLanguageId","A10_pNdisSmsSendSmsSenduCdmaSizeInBytes","A10_pNdisSmsSendSmsSenduCdmaSizeInCharacters","A10_pNdisSmsSendSmsSenduPduSize","A10_SmsFlagToStringpNdisSmsDeleteSmsFilterFlag","A11_pNdisSmsDeleteSmsFilterFlag","A12_pNdisSmsDeleteSmsFilterMessageIndex","A10_AuthMethodToStringpNdisAuthChallengeAuthChallengeAuthMethod","A11_pNdisAuthChallengeAuthChallengeAuthMethod","A10_pNdisAuthChallengeAuthChallengeuAuthSimn","A10_unsignedpNdisUssdRequestUssdRequestRequestType","A10_unsignedpNdisUssdRequestUssdRequestUssdStringDataCodingScheme","A10_unsignedpNdisUssdRequestUssdRequestUssdStringStringLength","A10__pNdis
DSCommandCommandDeviceServiceGuid","A10_pNdisDSCommandCommandCommandID","A10_pNdisDSCommandCommanduDataSize","A10_pNdisBaseStationRequestBaseStationsInfoRequestMaxGSMCount","A10_pNdisBaseStationRequestBaseStationsInfoRequestMaxUMTSCount","A10_pNdisBaseStationRequestBaseStationsInfoRequestMaxTDSCDMACount","A10_pNdisBaseStationRequestBaseStationsInfoRequestMaxLTECount","A10_pNdisBaseStationRequestBaseStationsInfoRequestMaxCDMACount","A10_pNdisGetSlotInfoGetSlotInfoSlotIndex","A10_pNdisDSSubscribeDeviceServiceListHeaderElementType","A10_pNdisDSSubscribeDeviceServiceListHeaderElementCount","A10_pNdisSlotMappingSetDeviceSlotMappingInfoSlotMapListHeaderElementType","A10_pNdisSlotMappingSetDeviceSlotMappingInfoSlotMapListHeaderElementCount","A11_pMap","A10_basicInfoContextId","A10_ContextTypeToStringbasicInfoContextType","A11_basicInfoContextType","A10_basicInfoAccessString","A10_basicInfoUserName","A10_basicInfoPassword","A10_CompressionTypeToStringbasicInfoCompression","A11_basicInfoCompression","A10_AuthenticationProtocolTypeToStringbasicInfoAuthType","A11_basicInfoAuthType","A10_basicInfoProviderId","A10_OperationsToStringlteAttachConfigContextOperation","A11_lteAttachConfigContextOperation","A10_IPTypeToStringlteAttachConfigContextIPType","A11_lteAttachConfigContextIPType","A10_LteAttachRoamingToStringlteAttachConfigContextRoaming","A11_lteAttachConfigContextRoaming","A10_MediaToStringlteAttachConfigContextMediaType","A11_lteAttachConfigContextMediaType","A10_ConfigurationSourceToStringlteAttachConfigContextSource","A11_lteAttachConfigContextSource","A10_lteAttachContextElementCount","A10_LteAttachRoamingToStringlteAttachContextLteContextArrayiRoaming","A11_lteAttachContextLteContextArrayiRoaming","A10_ConfigurationSourceToStringlteAttachContextLteContextArrayiSource","A11_lteAttachContextLteContextArrayiSource","A10_MediaToStringlteAttachContextLteContextArrayiMediaType","A11_lteAttachContextLteContextArrayiMediaType","A10_IPTypeToStringlteAttachContextLteContextArra
yiIPType","A11_lteAttachContextLteContextArrayiIPType","A10_lteAttachContextLteContextArrayibasicInfoAccessString","A10_LteAttachStateToStringlteAttachStatusLteAttachState","A11_lteAttachStatusLteAttachState","A10_lteAttachStatusNetworkError","A10_IPTypeToStringlteAttachStatusIPType","A11_lteAttachStatusIPType","A10_lteAttachStatusbasicInfoAccessString","A10_pDeviceCapsHeaderRevision","A10_pDeviceCapsuStatus","A10_DeviceTypeToStringcapsWwanDeviceType","A11_capsWwanDeviceType","A10_CellularClassToStringcapsWwanCellularClass","A11_capsWwanCellularClass","A10_VoiceClassToStringcapsWwanVoiceClass","A11_capsWwanVoiceClass","A10_SimClassToStringcapsWwanSimClass","A11_capsWwanSimClass","A10_DataClassToStringInBuffcapsWwanDataClassBuffMAX_BUFFER_STRING","A11_capsWwanDataClass","A10_capsWwanDataClass_WWAN_DATA_CLASS_CUSTOMcapsCustomDataClassLNOTUSEDFIELD","A10_GsmBandClassToStringInBuffcapsWwanGsmBandClassBuffMAX_BUFFER_STRING","A11_capsWwanGsmBandClass","A10_CdmaBandClassToStringInBuffcapsWwanCdmaBandClassBuffMAX_BUFFER_STRING","A11_capsWwanCdmaBandClass","A10_SmsCapsToStringInBuffcapsWwanSmsCapsBuffMAX_BUFFER_STRING","A11_capsWwanSmsCaps","A10_ControlCapsToStringInBuffcapsWwanControlCapsBuffMAX_BUFFER_STRING","A11_capsWwanControlCaps","A10_AuthAlgoCapsToStringInBuffcapsWwanAuthAlgoCapsBuffMAX_BUFFER_STRING","A10_ElementTypeToStringcapsCellularClassListHeaderElementType","A11_capsCellularClassListHeaderElementType","A10_capsCellularClassListHeaderElementCount","A10_capsDeviceId","A10_capsManufacturer","A10_capsModel","A10_capsFirmwareInfo","A10_capsMaxActivatedContexts","A10_pDimContextVersion","A10_pReadyInfoHeaderRevision","A10_ReadyStateToStringpInfoRev1ReadyState","A11_pInfoRev1ReadyState","A10_EmergencyModeToStringpInfoRev1EmergencyMode","A11_pInfoRev1EmergencyMode","A10_pInfoRev1SubscriberId","A10_pInfoRev1SimIccId","A10_pInfoRev1CdmaShortMsgSize","A10_pInfoLatestStatusFlags","A10_pInfoLatestSlotId","A10_ElementTypeToStringpInfoLatestTNListHeaderElementType","A11_pInf
oLatestTNListHeaderElementType","A10_pInfoLatestTNListHeaderElementCount","A10_pInfoPre2170StatusFlags","A10_ElementTypeToStringpInfoPre2170TNListHeaderElementType","A11_pInfoPre2170TNListHeaderElementType","A10_pInfoPre2170TNListHeaderElementCount","A10_ElementTypeToStringpInfoRev1TNListHeaderElementType","A11_pInfoRev1TNListHeaderElementType","A10_pInfoRev1TNListHeaderElementCount","A10_pServiceActivationStatusuStatus","A10_pServiceActivationStatusServiceActivationStatusuNwError","A10_pRadioStateuStatus","A10_RadioStateToStringpRadioStateRadioStateHwRadioState","A11_pRadioStateRadioStateHwRadioState","A10_RadioStateToStringpRadioStateRadioStateSwRadioState","A11_pRadioStateRadioStateSwRadioState","A10_pPinInfouStatus","A10_PinTypeToStringpPinInfoPinInfoPinType","A11_pPinInfoPinInfoPinType","A10_PinStateToStringpPinInfoPinInfoPinState","A11_pPinInfoPinInfoPinState","A10_pPinInfoPinInfoAttemptsRemaining","A10_PinModeToStringpinDescPinMode","A11_pinDescPinMode","A10_PinFormatToStringpinDescPinFormat","A11_pinDescPinFormat","A10_pinDescPinLengthMin","A10_pinDescPinLengthMax","A10_pPinListuStatus","A10_pHomeProvideruStatus","A10_pPreferredProvidersuStatus","A10_pVisibleProvidersuStatus","A10_pVisibleProvidersVisibleListHeaderElementType","A10_pVisibleProvidersVisibleListHeaderElementCount","A10_pRegisterStateuStatus","A10_pRegisterStateRegistrationStateuNwError","A10_RegisterStateToStringpRegisterStateRegistrationStateRegisterState","A11_pRegisterStateRegistrationStateRegisterState","A10_RegisterModeToStringpRegisterStateRegistrationStateRegisterMode","A11_pRegisterStateRegistrationStateRegisterMode","A10_pRegisterStateRegistrationStateProviderId","A10_pRegisterStateRegistrationStateProviderName","A10_pRegisterStateRegistrationStateRoamingText","A10_RegFlagsToStringInBuffpRegisterStateRegistrationStateWwanRegFlagsBuffMAX_BUFFER_STRING","A11_pRegisterStateRegistrationStateWwanRegFlags","A10_CellularClassToStringpRegisterStateRegistrationStateCurrentCellularClass","A11_p
RegisterStateRegistrationStateCurrentCellularClass","A10_pRegisterStateRegistrationStatePreferredDataClasses","A10_pPacketServiceStateuStatus","A10_pPacketServiceStatePacketServiceuNwError","A10_PacketServiceStateToStringpPacketServiceStatePacketServicePacketServiceState","A11_pPacketServiceStatePacketServicePacketServiceState","A10_pPacketServiceStatePacketServiceAvailableDataClass","A10_pPacketServiceStatePacketServiceCurrentDataClass","A10_FrequencyRangeToStringpPacketServiceStatePacketServiceFrequencyRange","A10_pSignalStateuStatus","A10_pSignalStateSignalStateRssi","A10_pSignalStateSignalStateErrorRate","A10_pSignalStateSignalStateRssiInterval","A10_pSignalStateSignalStateRssiThreshold","A10_pSignalStateSignalStateSignalStateListHeaderElementType","A10_pSignalStateSignalStateSignalStateListHeaderElementCount","A10_pRSRP","A10_pRSRPThreshold","A10_pSNR","A10_pSNRThreshold","A10_DataClassToStringInBuffpDataClassBuffMAX_BUFFER_STRING","A11_pDataClass","A10_pProvisionedContextsuStatus","A10_pProvisionedContextsContextListHeaderElementType","A10_pProvisionedContextsContextListHeaderElementCount","A10_pContextId","A10_ContextTypeToStringpContextType","A11_pContextType","A10_pAccessString","A10_CompressionTypeToStringpCompression","A11_pCompression","A10_AuthenticationProtocolTypeToStringpAuthType","A11_pAuthType","A10_pContextStateHeaderRevision","A10_pContextStateuStatus","A10_pContextStateContextStateuNwError","A10_pContextStateContextStateConnectionId","A10_ActivationStateToStringpContextStateContextStateActivationState","A11_pContextStateContextStateActivationState","A10_VoiceCallStateToStringpContextStateContextStateVoiceCallState","A11_pContextStateContextStateVoiceCallState","A10_IPTypeToStringpContextStateContextStateIPType","A11_pContextStateContextStateIPType","A10_ConnectionMediaToStringpContextStateContextStateConnectionMedia","A11_pContextStateContextStateConnectionMedia","A10_pContextStateContextStateAccessString","A10_pContextStateContextStateFoundMatc
hingConnectionId","A10_pContextStateContextStateTrafficParametersOffset","A10_pContextStateContextStateTrafficParametersSize","A11_sizeofNDIS_WWAN_SMS_CONFIGURATION","A10_pNdisSmsConfigurationuStatus","A10_pNdisSmsConfigurationSmsConfigurationScAddress","A10_SmsFormatToStringpNdisSmsConfigurationSmsConfigurationSmsFormat","A11_pNdisSmsConfigurationSmsConfigurationSmsFormat","A10_pNdisSmsConfigurationSmsConfigurationulMaxMessageIndex","A11_sizeofNDIS_WWAN_SMS_RECEIVE","A10_pNdisSmsReceiveuStatus","A11_sizeofNDIS_WWAN_SMS_SEND_STATUS","A10_pNdisSmsSenduStatus","A10_pNdisSmsSendMessageReference","A11_sizeofNDIS_WWAN_SMS_DELETE_STATUS","A10_pNdisSmsDeleteuStatus","A11_sizeofNDIS_WWAN_SMS_STATUS","A10_pNdisSmsStatusuStatus","A10_pNdisSmsStatusSmsStatusuFlag","A10_pNdisSmsStatusSmsStatusMessageIndex","A11_sizeofNDIS_WWAN_AUTH_RESPONSE","A10_pNdisAuthResponseuStatus","A11_sizeofNDIS_WWAN_USSD_EVENT","A10_pNdisUssdEventuStatus","A10_pNdisUssdEventUssdEventEventType","A10_pNdisUssdEventUssdEventSessionState","A10_unsignedpNdisUssdEventUssdEventUssdStringDataCodingScheme","A10_unsignedpNdisUssdEventUssdEventUssdStringStringLength","A11_sizeofNDIS_WWAN_SUPPORTED_DEVICE_SERVICES","A10_pDeviceServicesuStatus","A10_pDeviceServicesDeviceServicesuMaxCommandDataSize","A10_pDeviceServicesDeviceServicesuMaxSessionDataSize","A10_pDeviceServicesDeviceServicesuMaxSessionCount","A10_pDeviceServicesDeviceServicesListHeaderElementType","A10_pDeviceServicesDeviceServicesListHeaderElementCount","A10__pServiceEntryDeviceServiceGuid","A10_pServiceEntryuMaxSessionInstances","A10_pServiceEntrySessionCapability","A11_sizeofNDIS_WWAN_DEVICE_SERVICE_RESPONSE","A10_pDeviceServiceuStatus","A10__pDeviceServiceResponseDeviceServiceGuid","A10_pDeviceServiceResponseResponseID","A10_pDeviceServiceResponseuDataSize","A11_sizeofNDIS_WWAN_DEVICE_SERVICE_EVENT","A10__pDeviceServiceEventDeviceServiceGuid","A10_pDeviceServiceEventEventID","A10_pDeviceServiceEventuDataSize","A11_sizeofNDIS_WWAN_DEVICE_SERVICE_SUB
SCRIPTION","A11_sizeofNDIS_WWAN_DEVICE_SERVICE_SUPPORTED_COMMANDS","A10_pDsSupportedCmdsuStatus","A10__pDsSupportedCmdsSupportedCommandsDeviceServiceGuid","A10_pDsSupportedCmdsSupportedCommandsListHeaderElementType","A10_pDsSupportedCmdsSupportedCommandsListHeaderElementCount","A11_sizeofULONG","A10_pCmdcmdIndex","A10_pPowerState","A10_pReadyInfoFlags","A10_pPreshutdownStateuStatus","A10_pPsMediaProfStateuStatus","A10_pPsMediaProfStatenNumItems","A10_pSarConfiguStatus","A10_pSarConfigSarConfigSarMode","A11_pSarConfigSarConfigSarBackoffStatus","A12_pSarConfigSarConfigSarWifiIntegration","A10_pSarConfigSarConfigSarConfigIndexListHeaderElementCount","A11_pSarConfigSarConfigSarConfigIndexListHeaderElementType","A10_pTransmissionStatusuStatus","A10_pTransmissionStatusTransmissionStatusChannelNotification","A11_pTransmissionStatusTransmissionStatusTransmissionStatus","A12_pTransmissionStatusTransmissionStatusHysteresisTimer","A10_pLteAttachContextuStatus","A10_pLteAttachStatusuStatus","A10_pSysCapuStatus","A10_pSysCapSysCapsInfoNumberOfExecutors","A10_pSysCapSysCapsInfoNumberOfSlots","A10_pSysCapSysCapsInfoConcurrency","A10_ULONGpSysCapSysCapsInfoModemID32","A11_ULONGpSysCapSysCapsInfoModemID","A10_pSlotMappinguStatus","A10_pSlotMappingDeviceSlotMappingInfoSlotMapListHeaderElementType","A10_pSlotMappingDeviceSlotMappingInfoSlotMapListHeaderElementCount","A10_pSlotInfouStatus","A10_pSlotInfoSlotInfoSlotIndex","A10_SlotStateToStringpSlotInfoSlotInfoState","A11_pSlotInfoSlotInfoState","A10_DeviceTypeToStringpCapsWwanDeviceType","A11_pCapsWwanDeviceType","A10_CellularClassToStringpCapsWwanCellularClass","A11_pCapsWwanCellularClass","A10_VoiceClassToStringpCapsWwanVoiceClass","A11_pCapsWwanVoiceClass","A10_SimClassToStringpCapsWwanSimClass","A11_pCapsWwanSimClass","A10_DataClassToStringInBuffpCapsWwanDataClassBuffMAX_BUFFER_STRING","A11_pCapsWwanDataClass","A10_pCapsWwanDataClass_WWAN_DATA_CLASS_CUSTOMpCapsCustomDataClassLNOTUSEDFIELD","A10_DataSubClassToStringInBuffULONGpDevi
ceCapsDeviceCapsWwanDataSubClassBuffMAX_BUFFER_STRING","A11_ULONGpDeviceCapsDeviceCapsWwanDataSubClass","A10_GsmBandClassToStringInBuffpCapsWwanGsmBandClassBuffMAX_BUFFER_STRING","A11_pCapsWwanGsmBandClass","A10_CdmaBandClassToStringInBuffpCapsWwanCdmaBandClassBuffMAX_BUFFER_STRING","A11_pCapsWwanCdmaBandClass","A10_SmsCapsToStringInBuffpCapsWwanSmsCapsBuffMAX_BUFFER_STRING","A11_pCapsWwanSmsCaps","A10_ControlCapsToStringInBuffpCapsWwanControlCapsBuffMAX_BUFFER_STRING","A11_pCapsWwanControlCaps","A10_AuthAlgoCapsToStringInBuffpCapsWwanAuthAlgoCapsBuffMAX_BUFFER_STRING","A10_ElementTypeToStringpCapsCellularClassListHeaderElementType","A11_pCapsCellularClassListHeaderElementType","A10_pCapsCellularClassListHeaderElementCount","A10_pCapsDeviceId","A10_pCapsManufacturer","A10_pCapsModel","A10_pCapsFirmwareInfo","A10_pCapsMaxActivatedContexts","A10_pCapsExecutorIndex","A10_LSupported","A10_LNotSupported","A10_pModemConfigStatusuStatus","A10_ModemConfigModeToStringconfigInfoConfigMode","A11_configInfoConfigMode","A10_ModemConfigStatusToStringconfigInfoConfigState","A11_configInfoConfigState","A10_ModemConfigReasonToStringconfigInfoConfigReason","A11_configInfoConfigReason","A10_configInfoPreviousConfigIDConfigIdLen","A10_ModemConfigIDToStringconfigInfoPreviousConfigIDConfigIdLenconfigInfoPreviousConfigIDConfigIdasciiString","A10_configInfoCurrentConfigIDConfigIdLen","A10_ModemConfigIDToStringconfigInfoCurrentConfigIDConfigIdLenconfigInfoCurrentConfigIDConfigIdasciiString","A10_configInfoIsCurrentConfigDefaultLTrueLFalse","A10_configInfoConfigName","A10_ElementTypeToStringconfigInfoNSSAIListHeaderElementType","A11_configInfoNSSAIListHeaderElementType","A10_configInfoNSSAIListHeaderElementCount","A10_pNdisBaseStationsInfouStatus","A10_DataClassToStringInBuffpBaseStationsInfoSystemTypeBuffMAX_BUFFER_STRING","A10_pBaseStationsInfoGSMServingCellSize10","A10_pBaseStationsInfoUMTSServingCellSize10","A10_pBaseStationsInfoTDSCDMAServingCellSize10","A10_pBaseStationsInfoLTEServingC
ellSize10","A10_pMPDPStateuStatus","A11_pMPDPStateInfoOperation","A12__pMPDPStateInfoChildInterfaceGUID","A10_pMPDPListuStatus","A11_pMPDPListChildInterfaceListElementType","A12_pMPDPListChildInterfaceListElementCount","A10_pMPDPListChildInterfaceListElementType","A11_pMPDPListChildInterfaceListElementCount","A10_i1","A10_pNitzInfouStatus","A11_pNitzInfoNitzInfoYear","A12_pNitzInfoNitzInfoMonth","A13_pNitzInfoNitzInfoDay","A14_pNitzInfoNitzInfoHour","A15_pNitzInfoNitzInfoMinute","A16_pNitzInfoNitzInfoSecond","A17_pNitzInfoNitzInfoTimeZoneOffsetMinutes","A18_pNitzInfoNitzInfoDaylightSavingTimeOffsetMinutes","A19_pNitzInfoNitzInfoDataClasses","A10_pAppListuStatus","A11_pAppListUiccAppListVersion","A12_pAppListUiccAppListAppCount","A13_pAppListUiccAppListActiveAppIndex","A14_pAppListUiccAppListAppListSize","A10_appIndex1","A11_UiccAppTypeToStringpAppInfoAppType","A12_AppIDToStringpAppInfoAppIdSizepAppInfoAppIdappIdString","A13_pAppInfoAppName","A14_pAppInfoNumPins","A10_pFileStatusuStatus","A11_pFileStatusUiccFileStatusVersion","A12_pFileStatusUiccFileStatusStatusWord1","A13_pFileStatusUiccFileStatusStatusWord2","A14_UiccFileAccessibilityToStringpFileStatusUiccFileStatusFileAccessibility","A15_UiccFileTypeToStringpFileStatusUiccFileStatusFileType","A16_UiccFileStructureToStringpFileStatusUiccFileStatusFileStructure","A17_pFileStatusUiccFileStatusItemCount","A18_pFileStatusUiccFileStatusItemSize","A11_PinTypeToStringpFileStatusUiccFileStatusFileLockStatusi","A10_pUiccResponseuStatus","A11_pUiccResponseUiccResponseStatusWord1","A12_pUiccResponseUiccResponseStatusWord2","A13_pUiccResponseUiccResponseResponseDataSize","A10_pModemLoggingConfiguStatus","A11_pModemLoggingConfigModemLoggingConfigVersion","A12_pModemLoggingConfigModemLoggingConfigMaxSegmentSize","A13_pModemLoggingConfigModemLoggingConfigMaxFlushTime","A14_LevelConfigToStringpModemLoggingConfigModemLoggingConfigLevelConfig","A10_pRegParamsuStatus","A11_pRegParamsRegisterParamsInfoMicoMode","A12_pRegParamsRegiste
rParamsInfoDRXParam","A13_pRegParamsRegisterParamsInfoLADNInfo","A12_pNwParamsNetworkParamsInfoTaiListSize","A13_pNwParamsNetworkParamsInfoAllowedNssaiListSize","A14_pNwParamsNetworkParamsInfoConfiguredNssaiListSize","A15_pNwParamsNetworkParamsInfoRejectedNssaiListSize","A16_pNwParamsNetworkParamsInfoDefaultConfiguredNssaiListSize","A17_pNwParamsNetworkParamsInfoLadnListSize","A10_pNwParamsuStatus","A11_pNwParamsNetworkParamsInfoCurrentMicoIndication","A12_pNwParamsNetworkParamsInfoCurrentDRXParams","A13_pNwParamsNetworkParamsInfoTaiListSize","A14_pNwParamsNetworkParamsInfoAllowedNssaiListSize","A15_pNwParamsNetworkParamsInfoConfiguredNssaiListSize","A16_pNwParamsNetworkParamsInfoRejectedNssaiListSize","A17_pNwParamsNetworkParamsInfoDefaultConfiguredNssaiListSize","A18_pNwParamsNetworkParamsInfoLadnListSize","A10_pUePolicyuStatus","A11_pUePolicyUePolicyInfoRawTdOnlyDataOffset","A12_pUePolicyUePolicyInfoRawTdOnlyDataSize","A11_rlenpUePolicyUePolicyInfoRawTdOnlyDataSize","A12_ULONGULONG_PTRRequestId","A10_NdisStatusToStringdataStatus","A11_dataStatus","A10_ULONGdataRequestId","A10_dataDataLength","A10_g_supportedOidsioid","A10_ndisWwanMbimVersionHeaderRevision","A10_pDimContextHeaderMbimVersionInfoMbimVersion","A11_pDimContextHeaderMbimVersionInfoMbimExtendedVersion","A10_ulSourceDataSizesizeofULONGsizeofULONG","A11_pulTargetDataSize","A12_FIELD_OFFSETWWAN_READY_INFO_REV1TNListHeader","A13_FIELD_OFFSETWWAN_READY_INFOTNListHeader","A10_ulSourceDataSizesizeofULONG","A12_FIELD_OFFSETWWAN_READY_INFO_REV2_PRE2170TNListHeader","A12_targetSizeInBytestargetFixedDataSize","A10_pulTargetDataSize","A11_sizeofWWAN_SET_SMS_CONFIGURATION","A11_sizeofWWAN_SET_UICC_TERMINAL_CAPABILITY","A10_pDimContextMbimVersionInfoMbimExtendedVersion","A10_DWORDpDevCapWwanDataSubClass","A11_pDimContextMbimVersionInfoMbimExtendedVersion","A10_DWORDpDevCapWwanDataClass","A12_returnDataSizesizeofNDIS_OBJECT_HEADERpNdisWwanMbimVersionHeaderRevision0","A13_returnDataSizesizeofNDIS_OBJECT_HEADERpNdisWwan
MbimVersionHeaderRevision0","ElementId","CallbackName","IsHighPriority","GraphicsDriverSupportType","MediaElementID","InFullScreen","HasOverlap","DesiredWidth","DesiredHeight","VisualOffsetX","VisualOffsetY","RenderWidth","RenderHeight","TargetElementId","CacheId","Visited","Rendered","BatchCount","PrimitivesDrawn","GeometryGeneratedPrimitivesDrawn","GeometryGeneratedVerticesDrawn","Transparent","ViewportId","TranslationX","TranslationY","ZoomFactorX","ZoomFactorY","CompositorViewportId","VBlankId","QueuedPresentCount","StartQPCTicks","EndQPCTicks","LatencyInQPCTicks","QPCTicksPerVBlank","LatencyInVBlanks","BeginPresentQPCTicks","FramesToQueue","ShouldPresent","VBlanksToSkip","VBlanksToDrop","PresentQPCTicks","PostPresentQPCTicks","PresentTimeInQPCTicks","PresentTimeInVBlanks","SurfaceId","PixelSize","IsDriverVisible","QPCTicks","VBlank0InQPCTicks","VBlankCount","PreviousRefreshVBlankCount","PreviousRefreshQPCTicks","VBlankOffset","Vsis","VisibleLeft","VisibleTop","VisibleRight","VisibleBottom","DesiredLeft","DesiredTop","DesiredRight","DesiredBottom","HighPriorityDesiredLeft","HighPriorityDesiredTop","HighPriorityDesiredRight","HighPriorityDesiredBottom","MotionFlags","SurfaceImageSource","CommandBatchId","CommandVBlankNumber","TimeToNextWorkInMilliseconds","CompNode","VisualIndex","VisualId","ZOrder","PreviousQPC","PreviousVBlank","ReportedQPC","CalculatedVBlank","ReportedVBlank","HighPriority","ApplicationViewState","SourceSurface","DestinationSurface","SourceX","SourceY","TargetOffsetX","TargetOffsetY","Pixels","ParentDCompVisual","ChildDCompVisual","PreviousSiblingDCompVisual","DCompVisual","Primitive","SplitAfter","NewPrimitiveGroup","IsEmulated","IsPlaceholder","Child","ReferenceNode","InsertAtBeginning","RemoveForReparenting","MergePrimitiveGroups","RedirectionNode","RedirectionTargetAncestor","RenderDataNode","ResourceDictionaryId","KeyIsType","OwnerIsStyle","StyleId","IsSelectionStartGripper","CenterX","CenterY","ScrollViewerId","ExtentWidth","ExtentHeight
","HasPlaceholders","IsSurfaceBeingRendered","WasDiscarded","DummyMetric","PCRenderDataList","InsertAfter","TransformMainDevice","TransformSecondaryDevice","TransformGroup","M11","M12","M21","M22","M31","M32","ItemIndex","ImageId","PreviousDecodeWidth","PreviousDecodeHeight","LayoutWidth","LayoutHeight","CurrentSectionCount","ReasonKey","PageDescriptor","NavigationMode","InCache","EffectOptional","DeferredElementId","RealizedElementId","InputScopeValue","IKSkinValue","Axis","Curve","Constant","Linear","OffseY","translateX","translateY","FaultInType","IsFullScreen","ContentNodeId","SwapchainHandle","InvokeResult","SecondaryCheck","ReleaseDcompDevice","IsDeviceLost","setFocus","isProcessingTab","isShiftPressed","CRC","chunk","numChunks","NaturalWidth","NaturalHeight","RetrievedFromCache","ImageState","ImageStateKey","RequestInMS","NextTickIntervalInMS","TotalReasons","TargetProperty","Sources","Unreachable","RegisteredOn","KeyCode","OriginalSource","CountBeforeSubmitFrame","Runtime","M4x4Multiplications","M3x2AsM4x4Multiplications","M4x4PointMultiplications","M4x4TransformBounds","Count3DBoundsMode","Projections","RecalculatedCount","ReusedCount","UIElement","OnRootVisual","RegisterdOn","PointerDeviceType","IsInertial","AppBarType","PropertyEffect","ValueInt","ValueDouble","ModelTypeName","ModelPropertyName","IsPropertyTemplateBound","EffectiveSourceType","FileURI","MinimumCyclesPerQuantum","MaximumCyclesPerQuantum","GlitchesSinceEngineStarted","CpuUsage","LatencyInSamples","TotalMemoryUsage","ActiveSourceVoices","TotalSourceVoices","ActiveSubmixVoices","ActiveResamplers","ActiveMatrixMixers","MyMessage","rilSetSystemSelectionPrefsFlag","DwordName6","DwordName7","DwordName8","cbBytes5","Bytes5","cbBytes6","Bytes6","cbBytes7","Bytes7","supSvcDataStatus","LicenseType","MuiLoadString","StageHint","InContext","OutContext","LogonServer","LogonDomain","UTCStartTime","nApplications","Applications","dwRebootReasons","CommSdkMessage","CallbackFunction","CancelCount","ThreadNum
","CurrentNode","NextNode","CurrentGroup","NextGroup","CurrentWorkerCount","NextWorkerCount","SubQueue","WindowLength","Absolute","TolerableDelay","TThreadId","BasePriority","PagePriority","IoPriority","ThreadFlags","GroupMask1","GroupMask2","GroupMask3","GroupMask4","GroupMask5","GroupMask6","GroupMask7","GroupMask8","KernelEventVersion","MHz","NumberOfProcessors","MemSize","AllocationGranularity","HyperThreadingFlag","HighestUserAddress","ProcessorLevel","ProcessorRevision","PaeEnabled","NxEnabled","S1","S2","S3","S4","S5","Pad1","Pad2","Pad3","InitialTime","KeyHandle","NumberOfFreeBlocks","TotalNumberOfBlocks","NextWritableAddress","NumberOfSessions","NumberOfTracks","DiscStatus","LastSessionStatus","FileSystemName","IRQAffinity","IRQGroup","IRQNum","DeviceDescriptionLen","UpperFiltersCount","LowerFiltersCount","DevStatus","DevProblem","PdoName","DeviceTimingMode","LocationInformationLen","AlignmentClusters","AvgFreeSpaceSize","ClustersPerSlab","FragmentedDirectoryExtents","FragmentedExtents","FreeSpaceCount","LargestFreeSpaceSize","LastRunActualPurgeClusters","LastRunClustersTrimmed","LastRunFullDefragTime","LastRunTime","MFTSize","TotalClusters","TotalUsedClusters","AvgFragmentsPerFile","FragmentedDirectories","FragmentedFiles","FragmentedSpace","HardwareIssue","InUseMFTRecords","InUseSlabs","LastRunActualPurgeSlabs","LastRunInitialBackedSlabs","LastRunPercentFragmentation","LastRunPinnedSlabs","LastRunPotentialPurgeSlabs","LastRunSpaceInefficientSlabs","LastRunTrimmedSlabs","LastRunUnknownEvictFailSlabs","LastRunVolsnapPinnedSlabs","MFTFragmentCount","MovableFiles","TotalMFTRecords","TotalSlabs","UnmovableFiles","VolumePathNames","DeviceManufacturer","DeviceManufacturerDisplayName","DeviceModel","DeviceModelDisplayName","MobileOperator","SocVersion","BspVersion","PeakVirtualSize","VirtualSize","PrivatePageCount","Counter1","Counter2","Counter3","Counter4","Counter5","Counter6","Counter7","Counter8","Counter9","Counter10","Counter11","NewThreadPriority","OldThr
eadPriority","PreviousCState","SpareByte","OldThreadWaitReason","OldThreadState","OldThreadWaitIdealProcessor","NewThreadWaitTime","BootFlags","FirmwareType","SecureBootEnabled","SecureBootCapable","UniqueProcessKey","DirectoryTableBase","ViewBase","MiscInfo","SpinLockAddress","AcquireTime","ReleaseTime","WaitTimeInCycles","AcquireDepth","InstructionPointer","Routine","SourceProcessorIndex","TargetProcessorIndex","IdealProcessorAdjust","OldIdealProcessorIndex","OpenPath","IoFlags","SpinLockSpinThreshold","SpinLockContentionSampleRate","SpinLockAcquireSampleRate","SpinLockHoldThreshold","TimerRoutine","RoutineAddr","CallbackDataPtr","HRFlags","HRPid","HRRangeCount","HRHeapTag","HRAddress","HRSize","MaximumDueTime","TimerFlags","DisableCallback","DisableContext","CallCode","IsFast","IsNested","Cpsr","X0","X1","X2","X3","X4","X5","X6","X7","X8","X9","X10","X11","X12","X13","X14","X15","X16","X17","X18","X19","X20","X21","X22","X23","X24","X25","X26","X27","X28","CommitSizeInBytes","ErrorOpcode","NewDllBaseAddress","ParentDllBaseAddress","LoadReason","LdrLoadFlags","LdrSearchFlags","SearchInfo","FullDllName","Cwd","AppDir","DllDir","DllLoadDir","Subscription","NameSub","DeliveryFlags","startTime","initialRoleState","endRoleState","pluginVersion","pluginAction","pluginError","protocolName","protocolType","certificateName","errorContext","updateTimeInMilliseconds","updateResult","oldGuestAgentVersion","newGuestAgentVersion","eventName","context1","context2","context3","pluginTime","pluginCount","startupTaskCount","endpointCount","certificateCount","firewallTimeInMilliseconds","certificateTimeInMilliseconds","pluginDownloadTimeinMilliseconds","pluginInstallTimeInMilliseconds","startupTaskTimeInMilliseconds","onStartTimeInMilliseconds","totalTimeInMilliseconds","capabilityUsed","timeInMilliseconds","ExtensionVersion","ExtensionAction","counter","isInternal","operationSuccess","extensionType","from","to","updateStatus","sdkVersion","eventSet","eventSetVersion","endTimeUTC","
durationMS","counterSet","valuesFormat","values","TraceRecord","RelatedActivityID"],"_fd":["[Subject] Security ID. Indicates the account on the local system which requested the logon.","[Subject] Account Name. Indicates the account on the local system which requested the logon.","[Subject] Account Domain. Indicates the account on the local system which requested the logon.","[Subject] Logon ID. Indicates the account on the local system which requested the logon.","[New Logon] Security ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on.","[New Logon] Account Name. Indicates the account for whom the new logon was created, i.e. the account that was logged on.","[New Logon] Account Domain. Indicates the account for whom the new logon was created, i.e. the account that was logged on.","[New Logon] Logon ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on.","[Logon Information] Logon Type. Indicates the kind of logon that occurred.","[Detailed Authentication Information] Logon Process. Provides detailed information about this specific logon request.","[Detailed Authentication Information] Authentication Package. Provides detailed information about this specific logon request.","[Network Information] Workstation Name. Indicates where a remote logon request originated.","[New Logon] Logon GUID. Is a unique identifier that can be used to correlate this event with a KDC event.","[Detailed Authentication Information] Transited Services. Indicate which intermediate services have participated in this logon request.","[Detailed Authentication Information] Package Name (NTLM only). Indicates which sub-protocol was used among the NTLM protocols.","[Detailed Authentication Information] Key Length. Indicates the length of the generated session key. 
This will be 0 if no session key was requested.","[Process Information] Process ID.","[Process Information] Process Name.","[Network Information] Source Network Address. Indicates where a remote logon request originated.","[Network Information] Source Port. Indicates where a remote logon request originated.","[Logon Information] Impersonation Level. Indicates the extent to which a process in the logon session can impersonate.","[Logon Information] Restricted Admin Mode.","[Logon Information] Remote Credential Guard.","[New Logon] Network Account Name. Indicates the account for whom the new logon was created, i.e. the account that was logged on.","[New Logon] Network Account Domain. Indicates the account for whom the new logon was created, i.e. the account that was logged on.","[Logon Information] Virtual Account.","[New Logon] Linked Logon ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on.","[Logon Information] Elevated Token.","[Account For Which Logon Failed] Security ID.","[Account For Which Logon Failed] Account Name.","[Account For Which Logon Failed] Account Domain.","[Failure Information] Status.","[Failure Information] Failure Reason.","[Failure Information] Sub Status.","[Subject] Logon Type. Indicates the account on the local system which requested the logon.","[Process Information] Caller Process ID. Indicates which account and process on the system requested the logon.","[Process Information] Caller Process Name. 
Indicates which account and process on the system requested the logon.","[Subject] Security ID.","[Subject] Account Name.","[Subject] Account Domain.","[Subject] Logon ID.","[Object] Object Server.","[Object] Object Type.","[Object] Object Name.","[Operation] Operation Type.","[Object] Handle ID.","[Operation] Accesses.","[Operation] Access Mask.","[Operation] Properties.","[Additional Information] Parameter 1.","[Additional Information] Parameter 2.","[Task Information] Task Name.","[Task Information] Task Content.","[Task Information] Task New Content.","[Audit Policy Change] Category.","[Audit Policy Change] Subcategory.","[Audit Policy Change] Subcategory GUID.","[Audit Policy Change] Changes.","[Member] Account Name.","[Member] Security ID.","[Group] Group Name.","[Group] Group Domain.","[Group] Security ID.","[Additional Information] Privileges.","[Target Account] Account Name.","[Target Account] Account Domain.","[Target Account] Security ID.","[Changed Attributes] SAM Account Name.","[Changed Attributes] Display Name.","[Changed Attributes] User Principal Name.","[Changed Attributes] Home Directory.","[Changed Attributes] Home Drive.","[Changed Attributes] Script Path.","[Changed Attributes] Profile Path.","[Changed Attributes] User Workstations.","[Changed Attributes] Password Last Set.","[Changed Attributes] Account Expires.","[Changed Attributes] Primary Group ID.","[Changed Attributes] AllowedToDelegateTo.","[Changed Attributes] Old UAC Value.","[Changed Attributes] New UAC Value.","[Changed Attributes] User Account Control.","[Changed Attributes] User Parameters.","[Changed Attributes] SID History.","[Changed Attributes] Logon Hours.","[Target Account] Old Account Name.","[Target Account] New Account Name.","[Operation] Correlation ID","[Operation] Application Correlation ID","[Subject] Security ID","[Subject] Account Name","[Subject] Account Domain","[Subject] Logon ID","[Directory Service] Name","[Directory Service] Type","[Object] DN","[Object] 
GUID","[Object] Class","[Attribute] LDAP Display Name","[Attribute] Syntax (OID)","[Attribute] Value","[Operation] Type","Custom tag mapped to event, i.e. ATT&CK technique ID","Time in UTC when event was created","Process GUID of the process that loaded the image","Process ID used by the OS to identify the process that loaded the image","File path of the process that loaded the image","Full path of the image loaded","Version of the image loaded","Description of the image loaded","Product name that the loaded image belongs to","Company name that the loaded image belongs to","Original file name from the PE header, useful for detecting renamed modules","Hash of the file contents using the algorithms specified in the HashType field","Is the image loaded signed","The signer","Status of the signature (i.e. valid)","Name of the account that loaded the image.","Process GUID of the source process that created a thread in another process","Process ID used by the OS to identify the source process that created a thread in another process","File path of the source process that created a thread in another process","Process GUID of the target process","Process ID used by the OS to identify the target process","File path of the target process","ID of the new thread created in the target process","New thread start address","Module where the new thread starts execution, resolved from the thread start address","Exported function where the new thread starts, if the start address matches a known export","Name of the account of the source process that created a thread in another process.","Name of the account of the target process","[Subject] Domain Name.","Part number of the current script block fragment (large scripts are split across multiple events)","Total number of script block fragments for the complete script","Content of the executed PowerShell script block","ScriptBlock ID.","Full path to the executed script file","[Creator Subject] Security ID.","[Creator Subject] Account 
Name.","[Creator Subject] Account Domain.","[Creator Subject] Logon ID.","[Process Information] New Process ID.","[Process Information] New Process Name.","[Process Information] Token Elevation Type.","[Process Information] Creator Process ID.","[Process Information] Process Command Line.","[Target Subject] Security ID.","[Target Subject] Account Name.","[Target Subject] Account Domain.","[Target Subject] Logon ID.","[Process Information] Creator Process Name.","[Process Information] Mandatory Label.","[Computer Account That Was Changed] Account Name.","[Computer Account That Was Changed] Account Domain.","[Computer Account That Was Changed] Security ID.","[Changed Attributes] DNS Host Name.","[Network Information] Object Type","[Network Information] Source Address","[Network Information] Source Port","[Share Information] Share Name","[Share Information] Share Path","[Share Information] Relative Target Name","[Access Request Information] Access Mask","[Access Request Information] Accesses","Process GUID of the process that got spawned/created (child)","Process ID used by the OS to identify the created process (child)","File path of the process being spawned/created. Considered also the child or source process","Version of the image associated with the main process (child)","Description of the image associated with the main process (child)","Product name the image associated with the main process (child) belongs to","Company name the image associated with the main process (child) belongs to","Original file name from the PE header, useful for detecting renamed executables","Arguments which were passed to the executable associated with the main process","The path without the name of the image associated with the process","Name of the account who created the process (child). It usually contains domain name and user name (parsed to show only username without the domain)","Logon GUID of the user who created the new process. 
Value that can help you correlate this event with others that contain the same Logon GUID (Sysmon Events)","Logon ID of the user who created the new process. Value that can help you correlate this event with others that contain the same Logon ID","ID of the session the user belongs to","Integrity label assigned to a process","Hashes captured by Sysmon driver","Process GUID of the parent process that spawned/created this process","Process ID of the process that spawned/created the main process (child)","File path that spawned/created the main process","Arguments which were passed to the executable associated with the parent process","Name of the account who created the process that spawned/created the main process (child)","Process ID of the source process that opened another process","ID of the specific thread inside of the source process that opened another process","File path of the source process that opened another process","The access flags (bitmask) associated with the process rights requested for the target process","Stack trace of where OpenProcess is called, including the DLL and relative virtual address of each function in the call stack","Name of the account of the source process that opened another process.","The type of pipe event (CreatePipe)","Process GUID of the process that created the pipe","Process ID used by the OS to identify the process that created the pipe","Name of the pipe created","File path of the process that created the pipe","The name of the account that created the named pipe.","[Subject] Logon GUID.","[Account Whose Credentials Were Used] Account Name.","[Account Whose Credentials Were Used] Account Domain.","[Account Whose Credentials Were Used] Logon GUID.","[Target Server] Target Server Name.","[Target Server] Additional Information.","[Network Information] Network Address.","[Network Information] Port.","[Access Request Information] Transaction ID.","[Access Request Information] Accesses.","[Access Request Information] Access 
Reasons.","[Access Request Information] Privileges Used for Access Check.","[Access Request Information] Restricted SID Count.","[Access Request Information] Access Mask.","[Object] Resource Attributes.","[New Computer Account] Account Name.","[New Computer Account] Account Domain.","[New Computer Account] Security ID.","[Attributes] SAM Account Name.","[Attributes] Display Name.","[Attributes] User Principal Name.","[Attributes] Home Directory.","[Attributes] Home Drive.","[Attributes] Script Path.","[Attributes] Profile Path.","[Attributes] User Workstations.","[Attributes] Password Last Set.","[Attributes] Account Expires.","[Attributes] Primary Group ID.","[Attributes] AllowedToDelegateTo.","[Attributes] Old UAC Value.","[Attributes] New UAC Value.","[Attributes] User Account Control.","[Attributes] User Parameters.","[Attributes] SID History.","[Attributes] Logon Hours.","[Attributes] DNS Host Name.","[Account Information] Account Name.","[Account Information] Supplied Realm Name.","[Account Information] User ID.","[Service Information] Service Name.","[Service Information] Service ID.","[Additional Information] Ticket Options.","[Additional Information] Result Code.","[Additional Information] Ticket Encryption Type.","[Additional Information] Pre-Authentication Type.","[Network Information] Client Address.","[Network Information] Client Port.","[Certificate Information] Certificate Issuer Name.","[Certificate Information] Certificate Serial Number.","[Certificate Information] Certificate Thumbprint.","[Account Information] Account Domain.","[Service Information] Service Name. Indicates the resource to which access was requested.","[Additional Information] Failure Code.","[Account Information] Logon GUID.","[Additional Information] Transited Services.","[Account Information] Security ID.","[Additional Information] Ticket Options. 
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.","Authentication Package.","Logon Account.","Source Workstation.","Error Code.","WMI event type","WMI consumer-to-filter binding operation","User that created the WMI consumer-to-filter binding","Consumer created to bind","Filter created to bind","Name of the installed service","Full path to the executable run when the service is started","[Subject] Privileges.","[Object] Object Handle.","[Requested Operation] Desired Access.","[Requested Operation] Privileges.","[New Right] User Right.","[Group] Account Name.","[Group] Account Domain.","Process GUID of the process that conducted reading operations from the drive","Process ID used by the OS to identify the process that conducted reading operations from the drive","File path of the process that conducted reading operations from the drive","Target device","Name of the account of the process that conducted reading operations from the drive","Process GUID of the process that created the named file stream","Process ID used by the OS to identify the process that created the named file stream","File path of the process that created the named file stream","Name of the file","File download time","Content of the named file stream (e.g., Zone.Identifier)","2 from.","[Service Information] Service File Name.","[Service Information] Service Type.","[Service Information] Service Start Type.","[Service Information] Service Account.","[Target Account] Logon ID.","Enabled Privileges","Disabled Privileges","[New Account] Account Name.","[New Account] Account Domain.","[New Account] Security ID.","[Additional Information] Privileges","[Attributes] Allowed To Delegate To.","[Deleted Group] Group Name","[Deleted Group] Group Domain","[Deleted Group] Security ID","[Deleted Group] Group Name.","[Deleted Group] Group Domain.","[Deleted Group] Security ID.","[Target Computer] Account Name.","[Target Computer] Account 
Domain.","[Target Computer] Security ID.","[Application Information] Process ID","[Application Information] Application Name","[Network Information] Direction","[Network Information] Destination Address","[Network Information] Destination Port","[Network Information] Protocol","[Network Information] Interface Index","[Filter Information] Filter Origin","[Filter Information] Filter Run-Time ID","[Filter Information] Layer Name","[Filter Information] Layer Run-Time ID","[Filter Information] Remote User ID","[Filter Information] Remote Machine ID","[Filter Information] Original Profile","[Filter Information] Current Profile","[Filter Information] Is Loopback","[Filter Information] Has Remote Dynamic Keyword Address","Process GUID of the process that made the network connection","Process ID used by the OS to identify the process that made the network connection","File path of the process that made the network connection","Name of the account who made the network connection. It usually contains domain name and user name","Protocol being used for the network connection","Indicates whether the process initiated the TCP connection","Is the source IP an IPv6","Source IP address that made the network connection","Name of the host that made the network connection","Source port number","Name of the source port being used (i.e. netbios-dgm)","Is the destination IP an IPv6","Destination IP address","Name of the host that received the network connection","Destination port number","Name of the destination port","Process GUID of the process that created the file","Process ID used by the OS to identify the process that created the file","File path of the process that created the file","File creation time","Name of the account who created the file","Registry event. 
Either Create or Delete","Process GUID of the process that created or deleted a registry key","Process ID used by the OS to identify the process that created or deleted a registry key","File path of the process that created or deleted a registry key","Complete path of the registry key","The name of the account that created or deleted a registry key or value","Registry value modification event","Process GUID of the process that modified a registry value","Process ID used by the OS to identify the process that modified a registry value","File path of the process that modified a registry value","Details added to the registry key","The name of the account that modified a registry value.","The type of pipe event (ConnectPipe)","Process GUID of the process that connected the pipe","Process ID used by the OS to identify the process that connected the pipe","Name of the pipe connected","File path of the process that connected the pipe","The name of the account that made a named pipe connection.","WMI consumer operation (e.g., Created, Deleted)","User that created the WMI consumer","Name of the consumer created","Type of WMI consumer","Destination or command executed by the WMI consumer","Process GUID of the process that executed the DNS query","Process ID of the process that executed the DNS query","DNS query name","DNS query status","DNS query results","The full path related to the process that executed the DNS query","The name of the account that executes a DNS Query.","Process GUID of the process that deleted the file","Process ID used by the OS to identify the process that deleted the file","Name of the account who deleted the file.","File path of the process that deleted the file","Full path name of the deleted file","Hashes captured by the Sysmon driver of the deleted file","Whether the deleted file is a PE executable","States if the file was archived when deleted","Successfully added the following uri(s) to be processed.","[Subject] Logon Process Name.","[Object] 
Object Value Name.","[Object] Operation Type.","[Change Information] Old Value Type.","[Change Information] Old Value.","[Change Information] New Value Type.","[Change Information] New Value.","[Access Request Information] Properties.","[Source Account] Account Name.","[Source Account] Security ID.","[Additional Information] SID List.","[Additional Information] Caller Workstation.","[Additional Information] Status Code.","Process GUID of the process that changed the file creation time","Process ID used by the OS to identify the process changing the file creation time","File path of the process that changed the file creation time","Full path name of the file","New creation time of the file","Previous creation time of the file","Name of the account who changed the file creation time of a file","Full path of the driver loaded","Whether the loaded driver is signed","Name of the Sysmon config file being updated","Hash (SHA1) of the Sysmon config file being updated","[New Logon] Event in sequence. Indicates the account for whom the new logon was created, i.e. the account that was logged on.","of","[New Logon] Group Membership. Indicates the account for whom the new logon was created, i.e. 
the account that was logged on.","[Permissions Change] Original Security Descriptor.","[Permissions Change] New Security Descriptor.","[Process] Process ID.","[Process] Process Name.","[Service] Server.","[Service] Service Name.","[Service Request Information] Privileges.","[Key Information] Key Identifier","[Key Information] Recovery Server","[Key Information] Recovery Key ID","[Status Information] Status Code","[Key Information] Key Identifier.","[Key Information] Recovery Server.","[Key Information] Recovery Key ID.","[Status Information] Status Code.","[Subject] Read Operation","[Subject] Logon Type.","[Task Information] Task Name","[Task Information] Task Content","[Other Information] ProcessCreationTime","[Other Information] ClientProcessId","[Other Information] ParentProcessId","[Other Information] FQDN","v","(Schema V","[Additional Information] Domain Controller","[Template Information] Template Content","[Template Information] Security Descriptor","[Event Source] Source Name.","[Event Source] Event Source ID.","Profile Changed","[Added Rule] Rule ID","[Added Rule] Rule Name","[Provider Information] ID","[Provider Information] Name","[Filter Information] ID","[Filter Information] Name","[Filter Information] Type","[Filter Information] Run-Time ID","[Layer Information] ID","[Layer Information] Name","[Layer Information] Run-Time ID","[Layer Information] Weight","[Additional Information] Conditions","[Additional Information] Filter Action","[Additional Information] Callout ID","[Additional Information] Callout Name","[Process Information] Process ID","[Change Information] Change Type","[Additional Information] Weight","[Callout Information] ID","[Callout Information] Name","[Provider Information] Provider ID","[Provider Information] Provider Name","[Provider Context] ID","[Provider Context] Name","[Provider Context] Type","Sysmon service state (i.e. 
stopped)","Sysmon version","Sysmon config schema version","WMI event filter operation","User that created the WMI filter","Event namespace where the WMI class is registered","WMI filter name being created","WMI filter query","GUID uniquely identifying the new firewall rule","Name of the firewall rule as it appears in Windows Firewall","Path to the application this rule applies to, if application-specific","Name of the service this rule applies to, if service-specific","Direction of the rule: 1 for inbound, 2 for outbound","Firewall action: 3 for allow, 2 for block","Firewall profiles (Private/Domain/Public) this rule applies to","Whether the rule is enabled: 0 for disabled, 1 for enabled","Security options: 0 for none, 1 for require authentication","SID of the account that added the firewall rule","Full image path of the process that added the firewall rule","GUID of the deleted firewall rule","SID of the account that deleted the firewall rule","Full image path of the process that deleted the firewall rule","Application popup.","[New Logon] Security ID.","[New Logon] Account Name.","[New Logon] Account Domain.","[New Logon] Logon ID.","[New Logon] Logon GUID.","[New Logon] Event in sequence.","[New Logon] Group Membership.","Transfer job.","Owner.","Context","Previous Time","New Time","[Process Information] Name.","[Trusted Domain] Domain Name.","[Trusted Domain] Domain ID.","[Trust Information] Trust Type.","[Trust Information] Trust Direction.","[Trust Information] Trust Attributes.","[Trust Information] SID Filtering.","[New Group] Group Name.","[New Group] Group Domain.","[New Group] Security ID.","[Group] Group Name","[Group] Group Domain","[Group] Security ID","[Attributes] SAM Account Name","[Attributes] SID History","Change Type","[Subject] Change Type.","[Target Account] Account Name","[Target Account] Account Domain","[Target Account] Security ID","[User] Account Name.","[User] Account Domain.","[User] Security ID.","[Subject] Session ID","[Subject] 
Session ID.","[Subject] User Name.","[Subject] Domain.","[Additional Information] Client Address.","Request ID","Requester","Attributes","Disposition","SKI","Subject","[Operation] Tree Delete","Device ID","Device Name","Class ID","Class Name","Vendor IDs","Compatible IDs","Location Information","Process GUID of the process that terminated","Process ID used by the OS to identify the process that terminated","File path of the process that terminated","Name of the account that terminated the process.","Finished resolving action lists. DeploymentRequest action lists.","[Process Information] Transaction ID.","[Account That Was Locked Out] Account Name","[Additional Information] Caller Computer Name","[Account That Was Locked Out] Security ID","[Account That Was Locked Out] Account Name.","[Additional Information] Caller Computer Name.","[Account That Was Locked Out] Security ID.","[Modified Rule] Rule ID","[Modified Rule] Rule Name","[Deleted Rule] Rule ID","[Deleted Rule] Rule Name","[Subject] Logon GUID","[New Logon] Security ID","[New Logon] Account Name","[New Logon] Account Domain","[New Logon] Logon ID","[New Logon] Logon GUID","[New Logon] Special Groups Assigned","Registry event. 
Registry key and value renamed","Process GUID of the process that renamed a registry value and key","Process ID used by the OS to identify the process that renamed a registry value and key","File path of the process that renamed a registry value and key","New name of the registry key","## SOAP Request.","[Credentials Which Were Replayed] Account Name.","[Credentials Which Were Replayed] Account Domain.","[Detailed Authentication Information] Request Type.","[Detailed Authentication Information] Logon Process.","[Detailed Authentication Information] Authentication Package.","[Network Information] Workstation Name.","[Detailed Authentication Information] Transited Services.","[Credentials Which Were Replayed] Account Name","[Credentials Which Were Replayed] Account Domain","[Detailed Authentication Information] Request Type","[Detailed Authentication Information] Logon Process","[Detailed Authentication Information] Authentication Package","[Network Information] Workstation Name","[Detailed Authentication Information] Transited Services","[Process Information] Process Name","[Protected Data] Key Identifier.","[Protected Data] Data Description.","[Protected Data] Protected Data Flags.","[Protected Data] Protection Algorithms.","Change Type.","[Domain] Domain Name.","[Domain] Domain ID.","[Changed Attributes] Min. Password Age.","[Changed Attributes] Max. Password Age.","[Changed Attributes] Force Logoff.","[Changed Attributes] Lockout Threshold.","[Changed Attributes] Lockout Observation Window.","[Changed Attributes] Lockout Duration.","[Changed Attributes] Password Properties.","[Changed Attributes] Min. 
Password Length.","[Changed Attributes] Password History Length.","[Changed Attributes] Machine Account Quota.","[Changed Attributes] Mixed Domain Mode.","[Changed Attributes] Domain Behavior Version.","[Changed Attributes] OEM Information.","[Security ID] Account Name.","[Security ID] Account Domain.","[Security ID] Logon ID.","[Security ID] Account Name","[Security ID] Account Domain","[Security ID] Logon ID","[Session] Session Name.","[Additional Information] Client Name.","[Auditing Settings] Original Security Descriptor.","[Auditing Settings] New Security Descriptor.","Changed Profile","[New Setting] Type","[New Setting] Value","[Subject] BackupFileName","Hardware IDs","[Process Information] Exit Status.","[Account Information] Account Name","[Account Information] Account Domain","[Service Information] Service Name","[Service Information] Service ID","[Additional Information] Ticket Options","[Additional Information] Ticket Encryption Type","[Network Information] Client Address","[Network Information] Client Port","Number of Elements.","Policy ID.","Hardware Requirements.","Domain Joined.","Azure AD Joined.","ClipSVC service is starting.  Caller.","ClipSVC was restarted while there is a pending rearm reboot required.  Caller.","License install failed for license type.","Result code.","User Id (if available).","Package.","Package (if available).","UserId (if available).","Clip service has been rearmed.  Result code.","2 has been archived successfully.  PFM if available.","3 has been archived successfully.  PFM if available.","1'. Result.","1 returned error.","WamExtension process token operation completed with error.","Fix information.","2, Status.","5. (Error.","App Readiness service has been notified of new apps. (Source.","1, tasks.","1' failed. 
(Error.","A exception was caught.","Failed to start system service.","with error.","Determining packages to be installed during logon for user.","The following packages will be installed.","Unable to determine packages to be installed during logon with error.","1 package due to the following error.","3 extension due to the following error.","3 extension.","3. The specific error text for this failure is.","2. Result.","1 contains packages.","1, Option.","ServerSideRPCPreRegisterAllInboxPackages result.","ServerSideRPCCleanupWCIReparsePoints result.","1 add PackageUser row, Bundle.","1 due to the package not being found in StateRepository. Error.","Deletion of registry key.","failed with error.","1 finished with result.","2 completed with result.","The Windows Biometric Service successfully created a Biometric Unit for sensor.","Reason for unavailability.","The operation failed with error.","The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption","Job cancelled. User.","2. 
Program.","Args.","The initialization of the peer helper modules failed with the following error.","Successful auto update of third-party root list with effective date.","Successful auto update of disallowed certificate list with effective date.","Successful auto update of pin rules with effective date.","GUID.","User Storage Area.","Credential Key Identifier.","[Cryptographic Parameters] Provider Name.","[Failure Information] Return Code.","[Cryptographic Parameters] Key Name.","[Cryptographic Parameters] Algorithm Name.","[Cryptographic Parameters] Flags.","ModificationType.","ServerThreadId.","Return Code.","Name.","Binding status.","Client instance binding attempts.","Client overall binding attempts.","Instances across lifetime.","Remote calls to the SAM database are being restricted using the default security descriptor.","Activity id.","SAM name of the computer account for which GPO processing was started","SAM name of the user account for which GPO processing was started","[Domain Controller details] Domain Controller Name.","[Domain Controller details] Domain Controller IP Address.","[Computer details] Computer role.","[Computer details] Network name.","[Account details] Account Name.","[Account details] Account Domain Name.","[Account details] DC Name.","[Account details] DC Domain Name.","List of applicable Group Policy objects","XML string containing information about the applicable Group Policy objects","The following Group Policy objects were not applicable because they were filtered out","1 Parameter.","Error.","Number of Group Policy objects that were processed","Hypervisor initial page allocation NUMA policy.","1 attempted. Execution state.","1 failed. Error code.","Build.","Boot Policy Migration used an authenticated variable.  Status.","Measured Boot library encountered a failure and entered insecure state. InitState.","Windows boot environment failed to initialize TPM device. 
StatusCode.","1 failed with status.","Virtualization-based security (policies.","2 with status.","Initialized VolumeCacheMap for device guid.","[Global Periodic Cache Information] Period Duration (microseconds).","[Global Periodic Cache Information] Event Samples.","[Global Periodic Cache Information] Total Number of Mapped VACBs.","[Global Periodic Cache Information] Total Partition Samples.","[Global Periodic Cache Information] Total Volume Samples.","[Global Periodic Cache Information] Total Pages Yet to Write.","[Global Periodic Cache Information] Total Dirty Pages.","[Global Periodic Cache Information] Total Available Pages.","[Global Periodic Cache Information] Total Number of Worker Threads.","[Global Periodic Cache Information] Total Number of Active Worker Threads.","[Global Periodic Cache Information] Total Average Available Pages.","[Global Periodic Cache Information] Total Average Dirty Pages.","[Global Periodic Cache Information] CopyRead Calls.","[Global Periodic Cache Information] AsyncCopyRead Calls.","[Global Periodic Cache Information] CopyWriteCalls.","[Global Periodic Cache Information] SetValidData Calls.","[Global Periodic Cache Information] FlushCache Calls.","[Global Periodic Cache Information] Number of NUMA Nodes.","[Volume Periodic Cache Information] Device GUID.","[Volume Periodic Cache Information] Period Duration (microseconds).","[Volume Periodic Cache Information] Total Dirty Pages.","[Volume Periodic Cache Information] Maximum Dirty Pages.","[Volume Periodic Cache Information] Total Dirty Page Threshold.","[Volume Periodic Cache Information] Top Dirty Page Threshold.","[Volume Periodic Cache Information] Bottom Dirty Page Threshold.","[Volume Periodic Cache Information] Dirty Page Samples.","[Volume Periodic Cache Information] Total Lazy Writer Calls.","[Volume Periodic Cache Information] Total Lazy Writer Latency.","[Volume Periodic Cache Information] Total Lazy Writer Pages Flushed.","[Volume Periodic Cache Information] Lazy 
Writer Average Pages Per Second.","[Volume Periodic Cache Information] Total Pages Queued to Disk.","[Volume Periodic Cache Information] Maximum Pages Queued to Disk.","[Volume Periodic Cache Information] Pages Queued to Disk Samples.","[Volume Periodic Cache Information] Total Metadata Pages Queued to Disk.","[Volume Periodic Cache Information] Maximum Metadata Pages Queued to Disk.","[Volume Periodic Cache Information] Metadata Pages Queued to Disk Samples.","[Volume Periodic Cache Information] Read Total Bytes.","[Volume Periodic Cache Information] Read Paged-In Total Bytes.","[Volume Periodic Cache Information] Read-Ahead Total Bytes.","[Volume Periodic Cache Information] ).","[Volume Periodic Cache Information] Total Writes.","[Volume Periodic Cache Information] Total Hard-Throttle Writes.","[Volume Periodic Cache Information] Total Soft-Throttle Writes.","[Volume Periodic Cache Information] Total Synchronous Read IO Count.","[Volume Periodic Cache Information] Total Synchronous Non-Blocking Read IO Count.","[Volume Periodic Cache Information] Total Failed Synchronous Non-Blocking Read IO Count.","[Volume Periodic Cache Information] Synchronous Read IO Maximum Latency (us).","[Volume Periodic Cache Information] Synchronous Read IO Non-Blocking Maximum Latency (us).","[Volume Periodic Cache Information] Total Synchronous Write IO Count.","[Volume Periodic Cache Information] Total Synchronous Non-Blocking Write IO Count.","[Volume Periodic Cache Information] Total Failed Synchronous Non-Blocking Write IO Count.","[Volume Periodic Cache Information] Synchronous Write IO Maximum Latency (us).","[Volume Periodic Cache Information] Synchronous Write IO Non-Blockinig Maximum Latency (us).","[Volume Periodic Cache Information] Total Asynchronous Read IO Count.","[Volume Periodic Cache Information] Asynchronous Read IO Maximum Latency (us).","[Volume Periodic Cache Read Latency Information] Device GUID.","[Volume Periodic Cache Read Latency Information] Period Duration 
(microseconds).","[Volume Periodic Cache Write Latency Information] Device GUID.","[Volume Periodic Cache Write Latency Information] Period Duration (microseconds).","Crash dump initialization failed. NT status.","1\" failed to start with the following error.","Time Delta.","Change Reason.","RTC time.","Current time zone bias.","RTC time is in UTC.","System time was based on RTC time.","Reason.","Leap seconds enabled.","New leap second count.","Old leap second count.","Status.","Parent Device.","Service.","Problem Status.","Vetoed By.","Count of devices removed.","Driver.","Total run time in milliseconds.","Action.","Event Code.","Connectivity state in standby.","Idle state type.","Nominal Frequency (MHz).","Maximum performance percentage.","Minimum performance percentage.","Minimum throttle percentage.","Performance state type.","Shim(s) source.","Shim GUID(s).","Flags source.","1 returned the following error code.","4 environment received the following error code from the Microsoft Account server.","## SOAP Response.","MUI resource cache builder has been called with the following parameters.","2 Family.","ChangeReason.","Entered State.","Transitioning to State.","Desc.","Network Category.","IPv4 Error Code.","IPv6 Error Code.","Volume name.","Device manufacturer.","Device model.","Device revision.","Total mount duration.","Volume restart applied.","Duration (micro seconds).","Capacity tier name.","Media type.","Runs cached.","Longest run cached.","Most populated bin's minimum length.","Most populated bin's maximum length.","[Summary of disk space usage, since last event] Volume guid.","[Summary of disk space usage, since last event] Volume name.","[Summary of disk space usage, since last event] Is boot volume.","[Summary of disk space usage, since last event] Elapsed seconds.","[Summary of disk space usage, since last event] Change in available space.","[Summary of disk space usage, since last event] Available clusters were between.","[Summary of disk space 
usage, since last event] Reserved clusters were between.","[Summary of disk space usage, since last event] Txf abort reserved clusters were between.","[Summary of disk space usage, since last event] Pagefile size.","[Summary of disk space usage, since last event] Volume size.","[Summary of disk space usage, since last event] Bytes per cluster.","[Summary of disk space usage, since last event] Slab size.","[Summary of disk space usage, since last event] Slabs in use.","Volume Id.","IO Type.","Latency.","Device GUID.","Device serial number.","Bus type.","Adapter serial number.","High latency IO count.","Failed writes.","Failed reads.","Bad clusters relocated.","[VCB exclusive resource acquires] Volume Id.","[VCB exclusive resource acquires] Volume name.","[VCB exclusive resource acquires] Is boot volume.","[VCB exclusive resource acquires] Device GUID.","[VCB exclusive resource acquires] Device manufacturer.","[VCB exclusive resource acquires] Device model.","[VCB exclusive resource acquires] Device revision.","[VCB exclusive resource acquires] Device serial number.","[VCB exclusive resource acquires] Bus type.","[VCB exclusive resource acquires] Adapter serial number.","[VCB exclusive resource acquires] Interval duration.","[VCB exclusive resource acquires] Acquire count.","[VCB exclusive resource acquires] Max wait duration.","[VCB exclusive resource acquires] Avg wait duration.","[VCB exclusive resource acquires] Max hold duration.","[VCB exclusive resource acquires] Avg hold duration.","[VCB exclusive resource acquires] Max combined duration.","[VCB exclusive resource acquires] Avg combined duration.","[NTFS metadata statistics for volume] Volume Id.","[NTFS metadata statistics for volume] Volume name.","[NTFS metadata statistics for volume] UserFileReads.","[NTFS metadata statistics for volume] UserFileReadBytes.","[NTFS metadata statistics for volume] UserDiskReads.","[NTFS metadata statistics for volume] UserFileWrites.","[NTFS metadata statistics for volume] 
UserFileWriteBytes.","[NTFS metadata statistics for volume] UserDiskWrites.","[NTFS metadata statistics for volume] MetaDataReads.","[NTFS metadata statistics for volume] MetaDataReadBytes.","[NTFS metadata statistics for volume] MetaDataDiskReads.","[NTFS metadata statistics for volume] MetaDataWrites.","[NTFS metadata statistics for volume] MetaDataWriteBytes.","[NTFS metadata statistics for volume] MetaDataDiskWrites.","[NTFS metadata statistics for volume] MftReads.","[NTFS metadata statistics for volume] MftReadBytes.","[NTFS metadata statistics for volume] MftWrites.","[NTFS metadata statistics for volume] MftWriteBytes.","[NTFS metadata statistics for volume] Mft2Writes.","[NTFS metadata statistics for volume] Mft2WriteBytes.","[NTFS metadata statistics for volume] RootIndexReads.","[NTFS metadata statistics for volume] RootIndexReadBytes.","[NTFS metadata statistics for volume] RootIndexWrites.","[NTFS metadata statistics for volume] RootIndexWriteBytes.","[NTFS metadata statistics for volume] BitmapReads.","[NTFS metadata statistics for volume] BitmapReadBytes.","[NTFS metadata statistics for volume] BitmapWrites.","[NTFS metadata statistics for volume] BitmapWriteBytes.","[NTFS metadata statistics for volume] MftBitmapReads.","[NTFS metadata statistics for volume] MftBitmapReadBytes.","[NTFS metadata statistics for volume] MftBitmapWrites.","[NTFS metadata statistics for volume] MftBitmapWriteBytes.","[NTFS metadata statistics for volume] UserIndexReads.","[NTFS metadata statistics for volume] UserIndexReadBytes.","[NTFS metadata statistics for volume] UserIndexWrites.","[NTFS metadata statistics for volume] UserIndexWriteBytes.","[NTFS metadata statistics for volume] LogFileReads.","[NTFS metadata statistics for volume] LogFileReadBytes.","[NTFS metadata statistics for volume] LogFileWrites.","[NTFS metadata statistics for volume] LogFileWriteBytes.","[NTFS metadata statistics for volume] LogFileFull.","[LogFileFullReasons] 
LF_LOG_SPACE.","[LogFileFullReasons] LF_DIRTY_PAGES.","[LogFileFullReasons] LF_OPEN_ATTRIBUTES.","[LogFileFullReasons] LF_TRANSACTION_DRAIN.","[LogFileFullReasons] LF_FASTIO_CALLBACK.","[LogFileFullReasons] LF_DEALLOCATED_CLUSTERS.","[LogFileFullReasons] LF_DEALLOCATED_CLUSTERS_MEM.","[LogFileFullReasons] LF_RECORD_STACK_CHECK.","[LogFileFullReasons] LF_DISMOUNT.","[LogFileFullReasons] LF_COMPRESSION.","[LogFileFullReasons] LF_SNAPSHOT.","[LogFileFullReasons] LF_MOUNT.","[LogFileFullReasons] LF_SHUTDOWN.","[LogFileFullReasons] LF_RECURSIVE_COMPRESSION.","[LogFileFullReasons] LF_TESTING.","[LogFileFullReasons] DiskResourceFailure.","[LogFileFullReasons] VolumeTrimTime (ms).","[LogFileFullReasons] VolumeTrimSize (KB).","[LogFileFullReasons] AvgVolumeTrimTime (ms).","[LogFileFullReasons] AvgVolumeTrimSize (KB).","[LogFileFullReasons] VolumeTrimSkippedCount.","[LogFileFullReasons] VolumeTrimSkippedSize (KB).","[LogFileFullReasons] FileLevelTrimCount.","[LogFileFullReasons] FileLevelTrimTime (ms).","[LogFileFullReasons] FileLevelTrimSize (KB).","[LogFileFullReasons] AvgFileLevelTrimTime (ms).","[LogFileFullReasons] AvgFileLevelTrimSize (KB).","[LogFileFullReasons] NtfsFillStatInfoFromMftRecordCalledCount.","[LogFileFullReasons] NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount.","[LogFileFullReasons] NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount.","Operation.","Request Type.","[Stage Durations] Stage 1. Verify input and calculate new volume size (ms).","[Stage Durations] Stage 2. Set boundary and allocate/deallocate cluster (ms).","[Stage Durations] Stage 3. 
Update bitmap (ms).","[IO latency summary] Volume Id.","[IO latency summary] Volume name.","[IO latency summary] Is boot volume.","[IO latency summary] Device GUID.","[IO latency summary] Device manufacturer.","[IO latency summary] Device model.","[IO latency summary] Device revision.","[IO latency summary] Device serial number.","[IO latency summary] Bus type.","[IO latency summary] Adapter serial number.","[IO latency summary] Interval duration.","[IO latency summary] IO type.","[IO latency summary] Max Acceptable IO Latency.","[IO latency summary] High Latency IOs.","[IO latency summary] IO count.","[IO latency summary] Avg IOPS.","[IO latency summary] Avg latency.","[IO latency summary] Max latency.","[File-Level Trim Summary] Volume Id.","[File-Level Trim Summary] Volume name.","[File-Level Trim Summary] Is boot volume.","[File-Level Trim Summary] Period duration (us).","[File-Level Trim Summary] Operation count.","[File-Level Trim Summary] Reposted operation count.","[File-Level Trim Summary] Failed operation count.","[File-Level Trim Summary] Operation range count.","[File-Level Trim Summary] Operation byte count.","[File-Level Trim Summary] Unaligned range count.","[File-Level Trim Summary] Bytes in unaligned ranges.","[File-Level Trim Summary] Operation trim extent count.","[File-Level Trim Summary] Non-blocking aligned trim byte count.","[File-Level Trim Summary] Reclaimed byte count.","Top failure status codes and instance counts","Process.","Started invocation of ScriptBlock ID.","Completed invocation of ScriptBlock ID.","Windows PowerShell has started an IPC listening thread on process.","in AppDomain.","2. Justification.","ProvXML data","1' ID.","The Windows Push Notification Platform has encountered an error in File.","The Windows Push Notification Platform is required to connect on startup, ValidChannelsExist.","Cloud Notifications must be enabled in GP and MDM to receive push notifications. 
GroupPolicyValue.","A Power event was fired.","Windows Push Notification Service was disconnected due to error.","WNP Transport Layer sent command.","5 bytes of payload.","WNP Transport Layer received command.","seconds; type.","WNP Keep Alive Detector starting KA measurement with value.","; Min Limit.","5 bytes of payload only. However, full payload including header is.","The channel table has added a valid channel mapping.","An application was registered with the following parameters.","An application was unregistered with the following parameters.","[Summary of ReadyBoot Performance] Io Read Bytes.","[Summary of ReadyBoot Performance] Cache Hit Bytes.","[Summary of ReadyBoot Performance] Boot Prefetch Bytes.","[Summary of ReadyBoot Performance] Cache Hit Percentage.","[Summary of ReadyBoot Performance] Io Read Count.","[Summary of ReadyBoot Performance] Cache Hit Count.","[Summary of ReadyBoot Performance] Boot Prefetch Read Count.","[Summary of ReadyBoot Performance] Boot Prefetch Time (us).","[Summary of ReadyBoot Performance] Sync Prefetch IO Bytes.","[Summary of ReadyBoot Performance] Sync Prefetch IO Count.","[Summary of ReadyBoot Performance] Sync Prefetch Duration (us).","[Summary of ReadyBoot Performance] Post Sync Phase Pend Count.","[Summary of ReadyBoot Performance] Flags.","Result.","6 (Unique Id.","Old ReadyBoost State.","New ReadyBoost State.","Old Hybrid Drive State.","New Hybrid Drive State.","ReadyBoot has updated the system volume unique ID.","The server has initiated a multi-transport request to the client, for tunnel.","The multi-transport connection finished for tunnel.","1 seconds (Idle1.","1 of the RDP graphics protocol, client mode.","List of applicable GPOs","Authentication Package Name","Notification Package Name","Security Package Name","[Local Endpoint] Local Principal Name","[Remote Endpoint] Principal Name","[Local Endpoint] Network Address","[Local Endpoint] Keying Module Port","[Remote Endpoint] Network Address","[Remote Endpoint] 
Keying Module Port","[Additional Information] Keying Module Name","[Failure Information] Failure Point","[Failure Information] Failure Reason","[Additional Information] Authentication Method","[Failure Information] State.","[Additional Information] Role.","[Additional Information] Impersonation State","[Additional Information] Main Mode Filter ID","[Failure Information] Initiator Cookie","[Failure Information] Responder Cookie","[Local Endpoint] Local Principal Name.","[Remote Endpoint] Principal Name.","[Local Endpoint] Network Address.","[Local Endpoint] Keying Module Port.","[Additional Information] Keying Module Name.","[Failure Information] Failure Point.","[Additional Information] Authentication Method.","[Additional Information] Impersonation State.","[Additional Information] Main Mode Filter ID.","[Failure Information] Initiator Cookie.","[Failure Information] Responder Cookie.","[Link Information] File Name.","[Link Information] Link Name.","[Link Information] Transaction ID.","[Source Handle Information] Source Handle ID.","[Source Handle Information] Source Process ID.","[New Handle Information] Target Handle ID.","[New Handle Information] Target Process ID.","[New Token Information] Security ID.","[New Token Information] Account Name.","[New Token Information] Account Domain.","[New Token Information] Logon ID.","[Target Process] Target Process ID.","[Target Process] Target Process Name.","[Removed Right] User Right.","[Account Modified] Account Name.","[Access Granted] Access Right.","[Access Removed] Access Right.","[Changed Attributes] SAM Account Name","[Changed Attributes] SID History","[Member] Account Name","[Member] Security ID","Expiration time","[Additional Information] Target Account Name.","[Additional Information] Target Account Domain.","[General Settings] Load Options.","[General Settings] Advanced Options.","[General Settings] Configuration Access Policy.","[General Settings] System Event Logging.","[General Settings] Kernel 
Debugging.","[General Settings] VSM Launch Type.","[Signature Settings] Test Signing.","[Signature Settings] Flight Signing.","[Signature Settings] Disable Integrity Checks.","[HyperVisor Settings] HyperVisor Load Options.","[HyperVisor Settings] HyperVisor Launch Type.","[HyperVisor Settings] HyperVisor Debugging.","[Trust Information] Forest Root.","[Trust Information] Forest Root SID.","[Trust Information] Operation ID.","[Trust Information] Entry Type.","[Trust Information] Flags.","[Trust Information] Top Level Name.","[Trust Information] DNS Name.","[Trust Information] NetBIOS Name.","[Trust Information] Domain SID.","Serial Number","Reason","Next Update","Publish Base","Publish Delta","Base CRL","CRL Number","Key Container","Next Publish","Publish URLs","Name","Type","Flags","Data","Certificate Database Hash","Private Key Usage Count","CA Certificate Hash","CA Public Key Hash","Property","Index","Value","Table ID","Filter","Rows Deleted","Role separation enabled","[Template Change Information] New Template Content","[Template Change Information] Old Template Content","[Resource Attributes] Original Security Descriptor.","[Resource Attributes] New Security Descriptor.","Options","Group Policy Applied","Profile Used","Operational mode","Allow Remote Administration","Allow Unicast Responses to Multicast/Broadcast Traffic","[Security Logging] Log Dropped Packets","[Security Logging] Log Successful Connections","[Rule] Rule ID","[Rule] Rule Name","Profile","Reason for Rejection","[Rule] ID","[Rule] Name","New Active Profile","[Rule Information] ID","[Rule Information] Name","[Error Information] Reason","[Transaction Information] RM Transaction ID","[Transaction Information] New State","[Transaction Information] Resource Manager","Profiles","Application","[Added Connection Security Rule] ID","[Added Connection Security Rule] Name","[Deleted Connection Security Rule] ID","[Deleted Connection Security Rule] Name","[Process Information] Process Creation 
Time","[Cryptographic Parameters] Provider Name","[Cryptographic Parameters] Algorithm Name","[Cryptographic Parameters] Key Name","[Cryptographic Parameters] Key Type","[Key File Operation Information] File Path","[Key File Operation Information] Operation","[Key File Operation Information] Return Code","[Additional Information] Operation","[Additional Information] Return Code","[Cryptographic Operation] Operation","[Cryptographic Operation] Return Code","Property Name","New Value","[Share Information] Object Type","[Share Information] Old Remark","[Share Information] New Remark","[Share Information] Old MaxUsers","[Share Information] New Maxusers","[Share Information] Old ShareFlags","[Share Information] New ShareFlags","[Share Information] Old SD","[Share Information] New SD","Provider ID","Provider Name","Provider Type","Provider Context ID","Provider Context Name","Provider Context Type","Sub-layer ID","Sub-layer Name","Sub-layer Type","Weight","[Callout Information] Type","[Callout Information] Run-Time ID","[Provider Information] Type","[Sub-layer Information] Sub-layer ID","[Sub-layer Information] Sub-layer Name","[Sub-layer Information] Sub-layer Type","[Object] COM+ Catalog Collection","[Object] Object Name","[Object] Object Properties Modified","[Object] Object Details","1 times, all failed, URI.","1 seconds. AC state.","1 request failed, hresult.","4. Client id.","2. Client id.","Full command line for the command that was executed","GUID of the modified firewall rule","SID of the account that modified the firewall rule","Full image path of the process that modified the firewall rule","3}, Number of previous attempts.","4\" has begun resetting.  There will be a momentary disruption in network connectivity while the hardware resets. 
Reason.","Exe.","ResolverName.","[New Group] Group Name","[New Group] Group Domain","[New Group] Security ID","[Group] Account Name","[Group] Account Domain","File Name",".(statusFound.","2 transfer job that is associated with the following URL.","[Cryptographic Parameters] OperationType.","[Cryptographic Parameters] Key Type.","OBTAIN LEASE - AdapterName.","[Extended Error Information] ComputerName.","[Extended Error Information] ProcessName.","[Extended Error Information] ProcessId.","[Key Information] Recovery Reason.","[Key Information] Recovery Reason","Authentication Package","Logon Account","Source Workstation","Error Code","[Object] Object Server","[Object] Object Type","[Auditing Settings] Original Security Descriptor","[Auditing Settings] New Security Descriptor","Account Name","[Authentication Policy Information] Silo Name.","[Authentication Policy Information] PolicyName.","[Authentication Policy Information] Silo Name","Enable","[Policy For Account] Security ID.","[Policy Change Details] Category.","[Policy Change Details] Subcategory.","[Policy Change Details] Subcategory GUID.","[Policy Change Details] Changes.","[Policy For Account] Security ID","[Policy Change Details] Category","[Policy Change Details] Subcategory","[Policy Change Details] Subcategory GUID","[Policy Change Details] Changes","[Object] Old DN","[Object] New DN","[User] Security ID","[User] Account Name","[User] Account Domain","[User] Fully Qualified Account Name","[Client Machine] Security ID","[Client Machine] Account Name","[Client Machine] Fully Qualified Account Name","[Client Machine] Called Station Identifier","[Client Machine] Calling Station Identifier","[NAS] NAS IPv4 Address","[NAS] NAS IPv6 Address","[NAS] NAS Identifier","[NAS] NAS Port-Type","[NAS] NAS Port","[RADIUS Client] Client Friendly Name","[RADIUS Client] Client IP Address","[Authentication Details] Connection Request Policy Name","[Authentication Details] Network Policy Name","[Authentication Details] 
Authentication Provider","[Authentication Details] Authentication Server","[Authentication Details] Authentication Type","[Authentication Details] EAP Type","[Authentication Details] Account Session Identifier","[Authentication Details] Reason Code","[Authentication Details] Reason","[Authentication Details] Logging Results","Global (per-pattern) state changed. State.","1. Action ID.","Security identity of the LDAP caller","Firewall action taken: Allowed or Blocked","Distinguished Name of the LDAP entry being added","Comma-separated list of attribute:value pairs being added","Source IP address of the LDAP client","Source TCP port of the LDAP client","Distinguished Name of the LDAP entry being deleted","Distinguished Name of the LDAP entry being modified","Comma-separated list of attribute:value pairs being modified","Original Distinguished Name before the rename or move","New Distinguished Name (the new RDN or new superior)","Whether to delete the old RDN entry: True or False","Base Distinguished Name (search root)","LDAP search filter expression","Search scope: Base, One Level, or Subtree","Semicolon-separated list of requested attributes","Distinguished Name of the LDAP entry being compared","Name of the attribute to compare","Value to compare against","[Trust Information] TDO Domain SID.","[Trust Information] Filtered SIDs.","[Trust Information] Trust Direction","[Trust Information] Trust Attributes","[Trust Information] Trust Type","[Trust Information] TDO Domain SID","Filtered SIDs","[Account Information] Supplied Realm Name","[Additional Information] Failure Code","Full image path of the RPC server process that was protected","Process ID (PID) of the protected process","Full image path of the RPC server process that was unprotected","Process ID (PID) of the unprotected process","Name of the hooked RPCRT4 function that was called","Process ID (PID) of the RPC server process handling the call","Full image path of the RPC server process","RPC protocol sequence 
used by the client (e.g. ncacn_np, ncacn_ip_tcp)","RPC endpoint the server is listening on (e.g. \\PIPE\\wkssvc)","Client network address (IP or hostname for named pipe connections)","RPC interface UUID identifying the service being called","RPC operation number (function ordinal within the interface)","Authenticated client principal name (UNKNOWN if no authentication)","RPC authentication level (e.g. NONE, CONNECT, PKT_PRIVACY)","RPC authentication service (e.g. KERBEROS, NEGOTIATE, WINNT)","Client source port number","Server network address (defaults to 0.0.0.0 if not determinable)","Server destination port number","Windows Security Identifier (SID) of the authenticated caller","Http transport error. Status.","Enterprise STS Logon failure. Status.","Number of audit messages discarded","[Process Information] Invalid Use.","[Process Information] LPC Server Port Name.","[Process Information] PID.","Invalid Use","LPC Server Port Name","[Process Information] PID","[Process Information] Name","[Alert Information] Event ID","[Alert Information] Computer","[Alert Information] Number of Events","[Alert Information] Duration","Value of CrashOnAuditFail","Logon Type","Event in sequence","User Claims","Device Claims","[Local Endpoint] Principal Name.","[Remote Endpoint] Network Address.","[Remote Endpoint] Keying Module Port.","[Cryptographic Information] Cipher Algorithm.","[Cryptographic Information] Integrity Algorithm.","[Cryptographic Information] Diffie-Hellman Group.","[Security Association Information] Lifetime (minutes).","[Security Association Information] Quick Mode Limit.","[Security Association Information] Main Mode SA ID.","[Local Endpoint] Principal Name","[Cryptographic Information] Cipher Algorithm","[Cryptographic Information] Integrity Algorithm","[Cryptographic Information] Diffie-Hellman Group","[Security Association Information] Lifetime (minutes)","[Security Association Information] Quick Mode Limit","[Security Association Information] Main Mode SA 
ID","[Local Certificate] SHA Thumbprint.","[Local Certificate] Issuing CA.","[Local Certificate] Root CA.","[Remote Certificate] SHA thumbprint.","[Remote Certificate] Issuing CA.","[Remote Certificate] Root CA.","[Local Certificate] SHA Thumbprint","[Local Certificate] Issuing CA","[Local Certificate] Root CA","[Remote Certificate] SHA thumbprint","[Remote Certificate] Issuing CA","[Remote Certificate] Root CA","[Local Endpoint] Network Address mask.","[Local Endpoint] Port.","[Local Endpoint] Tunnel Endpoint.","[Remote Endpoint] Address Mask.","[Remote Endpoint] Port.","[Remote Endpoint] Tunnel Endpoint.","[Additional Information] Protocol.","[Remote Endpoint] Private Address.","[Additional Information] Mode.","[Failure Information] Message ID.","[Additional Information] Quick Mode Filter ID.","[Additional Information] Main Mode SA ID.","[Local Endpoint] Network Address mask","[Local Endpoint] Port","[Local Endpoint] Tunnel Endpoint","[Remote Endpoint] Address Mask","[Remote Endpoint] Port","[Remote Endpoint] Tunnel Endpoint","[Remote Endpoint] Private Address","[Failure Information] Message ID","[Additional Information] Quick Mode Filter ID","[Additional Information] Main Mode SA ID","[Additional Information] Virtual Interface Tunnel ID","[Additional Information] Traffic Selector ID","Local Network Address","Remote Network Address","Keying Module Name","Main Mode SA ID","[Object] Handle ID","[Access Request Information] Transaction ID","[Access Request Information] Privileges Used for Access Check","[Application Information] Application Name.","[Application Information] Application Instance ID.","[Subject] Client Name.","[Subject] Client Domain.","[Subject] Client Context ID.","[Application Information] Status.","[Application Information] Application Instance ID","[Subject] Client Name","[Subject] Client Domain","[Subject] Client Context ID","[Object] Scope Names.","[Access Request Information] Role.","[Access Request Information] Groups.","[Access Request 
Information] Operation Name.","[Object] Scope Names","[Access Request Information] Groups","[Access Request Information] Operation Name","[Access Request Information] (","[Subject] Client ID.","[Additional Information] Policy Store URL.","[Subject] Client ID","[Additional Information] Policy Store URL","[Subject] Ordinal.","[Domain Information] Domain Name.","[Domain Information] Domain ID.","[Domain Information] Domain Name","[Domain Information] Domain ID","Policy Source","[Audit Policy Change] Original Security Descriptor.","[Audit Policy Change] New Security Descriptor.","[Audit Policy Change] Original Security Descriptor","[Audit Policy Change] New Security Descriptor","[New Trust Information] Trust Type.","[New Trust Information] Trust Direction.","[New Trust Information] Trust Attributes.","[New Trust Information] SID Filtering.","[Trusted Domain] Domain Name","[Trusted Domain] Domain ID","[New Trust Information] Trust Type","[New Trust Information] Trust Direction","[New Trust Information] Trust Attributes","[New Trust Information] SID Filtering","Account UPN","Mapped Name","[Subject] Account Name. 
Is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member.","[Additional Information] Provided Account Name (unauthenticated).","[Additional Information] Caller Workstation","[Additional Information] Provided Account Name (unauthenticated)","[Additional Information] Status Code","Peer Name","Protocol Sequence","Security Error","[Current Central Access Policy results] Access Reasons.","[Proposed Central Access Policy results that differ from the current Central Access Policy results] Access Reasons.","[Current Central Access Policy results] Access Reasons","[Proposed Central Access Policy results that differ from the current Central Access Policy results] Access Reasons","[Object] CAPs Added.","[Object] CAPs Deleted.","[Object] CAPs Modified.","[Object] CAPs As-Is.","CAPs Added","CAPs Deleted","CAPs Modified","CAPs As-Is","[Device Information] Device Name.","[Authentication Policy Information] Policy Name.","[Authentication Policy Information] TGT Lifetime.","[Account Information] User ID","[Device Information] Device Name","[Additional Information] Result Code","[Additional Information] Pre-Authentication Type","[Certificate Information] Certificate Issuer Name","[Certificate Information] Certificate Serial Number","[Certificate Information] Certificate Thumbprint","[Authentication Policy Information] Policy Name","[Authentication Policy Information] TGT Lifetime","[Account Information] Logon GUID","[Additional Information] Transited Services","[Account Information] Security ID","[Additional Information] SID List","Target Type","Target Name","Forest Root","Top Level Name","DNS Name","NetBIOS Name","Security ID","New Flags","[Trust Information] Forest Root","[Trust Information] Forest Root SID","[Trust Information] Operation ID","[Trust Information] Entry Type","[Trust Information] Top Level Name","[Trust Information] DNS Name","[Trust 
Information] NetBIOS Name","[Trust Information] Domain SID","Certificate","Node","Entry","KRA Hashes","Certificate Hash","Valid From","Valid To","[Template Change Information] New Security Descriptor","[Template Change Information] Old Security Descriptor","New Value of CrashOnAuditFail","Old Blocked Ordinals","New Blocked Ordinals","Old Value","[Central Policy ID] Original Security Descriptor.","[Central Policy ID] New Security Descriptor.","[Central Policy ID] Original Security Descriptor","[Central Policy ID] New Security Descriptor","Destination DRA","Source DRA","Source Address","Naming Context","Status Code","Destination Address","Session ID","Start USN","End USN","Object","Attribute","Type of change","USN","[Ignored Rule] ID","[Ignored Rule] Name","[Partially Ignored Rule] ID","[Partially Ignored Rule] Name","[Error Information] Error","Inbound SA SPI","[Main Mode Local Endpoint] Principal Name","[Main Mode Remote Endpoint] Principal Name","[Main Mode Local Endpoint] Network Address","[Main Mode Local Endpoint] Keying Module Port","[Main Mode Remote Endpoint] Network Address","[Main Mode Remote Endpoint] Keying Module Port","[Main Mode Additional Information] Authentication Method","[Main Mode Cryptographic Information] Cipher Algorithm","[Main Mode Cryptographic Information] Integrity Algorithm","[Main Mode Cryptographic Information] Diffie-Hellman Group","[Main Mode Security Association] Lifetime (minutes)","[Main Mode Security Association] Quick Mode Limit","[Main Mode Additional Information] Role","[Main Mode Additional Information] Impersonation State","[Main Mode Additional Information] Main Mode Filter ID","[Main Mode Security Association] Main Mode SA ID","[Extended Mode Information] Local Principal Name","[Extended Mode Information] Remote Principal Name","[Extended Mode Information] Authentication Method","[Extended Mode Information] Impersonation State","[Extended Mode Information] Quick Mode Filter ID","[Extended Mode Local Endpoint] Principal 
Name","[Extended Mode Local Endpoint] Certificate SHA Thumbprint","[Extended Mode Local Endpoint] Certificate Issuing CA","[Extended Mode Local Endpoint] Certificate Root CA","[Extended Mode Remote Endpoint] Principal Name","[Extended Mode Remote Endpoint] Certificate SHA Thumbprint","[Extended Mode Remote Endpoint] Certificate Issuing CA","[Extended Mode Remote Endpoint] Certificate Root CA","[Extended Mode Additional Information] Impersonation State","[Extended Mode Additional Information] Quick Mode Filter ID","[Additional Information] Role","[Network Address] Keying Module Port","[Failure Information] State","[Object] Key Name","[Object] Virtual Key Name","[Added Authentication Set] ID","[Added Authentication Set] Name","[Modified Authentication Set] ID","[Modified Authentication Set] Name","[Deleted Authentication Set] ID","[Deleted Authentication Set] Name","[Modified Connection Security Rule] ID","[Modified Connection Security Rule] Name","[Added Crypto Set] ID","[Added Crypto Set] Name","[Modified Crypto Set] ID","[Modified Crypto Set] Name","[Deleted Crypto Set] ID","[Deleted Crypto Set] Name","[Deleted SA] ID","[Deleted SA] Name","Caller Process Name","Process Id","Publisher","[Object] File Name","[Object] Virtual File Name","Module","Return Code","[Failure Information] Reason","[Failure Information] Return Code","[Cryptographic Provider] Name","[Cryptographic Provider] Module","Operation","[Configuration Parameters] Scope","[Configuration Parameters] Context","[Change Information] Old Value","[Change Information] New Value","[Configuration Parameters] Interface","[Configuration Parameters] Function","[Configuration Parameters] Position","[Configuration Parameters] Provider","[Configuration Parameters] Property","CA Configuration ID","New Signing Certificate Hash","Base CRL Number","Base CRL This Update","Base CRL Hash","Delta CRL Number","Delta CRL Indicator","Delta CRL This Update","Delta CRL Hash","[Network Information] Type","[Network Information] 
Packets Discarded","[Network Information] EtherType","[Network Information] MediaType","[Network Information] InterfaceType","[Network Information] VlanTag","[SPN] SPN Name","[SPN] Error Code","[Server Information] Server Names","[Server Information] Configured Names","[Server Information] IP Addresses","[Credential Delegation Information] Security Package","[Credential Delegation Information] User's UPN","[Credential Delegation Information] Target Server","[Credential Delegation Information] Credential Type","[Remote Endpoint] Network Address Mask","[Remote Endpoint] Protocol","[Remote Endpoint] Keying Module Name","[Cryptographic Information] Integrity Algorithm - AH","[Cryptographic Information] Integrity Algorithm - ESP","[Cryptographic Information] Encryption Algorithm","[Security Association Information] Lifetime - seconds","[Security Association Information] Lifetime - data","[Security Association Information] Lifetime - packets","[Security Association Information] Mode","[Security Association Information] Role","[Security Association Information] Quick Mode Filter ID","[Security Association Information] Quick Mode SA ID","[Additional Information] Inbound SPI","[Additional Information] Outbound SPI","[Additional Information] Protocol","[Additional Information] Quick Mode SA ID","Policy","DN","Quick Mode Filter","[Network Information] Name (SSID)","[Network Information] Peer MAC Address","[Network Information] Local MAC Address","[Network Information] Interface GUID","[Additional Information] (","[Additional Information] Reason Code","[Additional Information] Error Code","[Additional Information] EAP Reason Code","[Additional Information] EAP Root Cause String","[Additional Information] EAP Error Code","[Interface] Name","[Interface] (","[Interface] Reason Code","[Interface] Error Code","[Subject] SID","[Subject] Name","[Subject] LogonId","[Network Information] Remote IP Address","[Network Information] Remote Port","[RPC Attributes] Interface UUID","[RPC 
Attributes] Protocol Sequence","[RPC Attributes] Authentication Service","[RPC Attributes] Authentication Level","[Client Machine] OS-Version","[Quarantine Information] Result","[Quarantine Information] Extended-Result","[Quarantine Information] Session Identifier","[Quarantine Information] Help URL","[Quarantine Information] System Health Validator Result(s)","[Quarantine Information] Quarantine Grace Time","IP address of the client that sent this response","IP address of the client that sent this data","IP address of the client that sent this message","Domain name of the hosted cache is","Domain name of the hosted cache","instance(s) of event id","BranchCache","Registered product","failed and Windows Firewall is now controlling the filtering for","SCP object GUID","Starting stopped external service. Name.","1 rejected by authentication service. Hresult.","Interface GUID of the wireless adapter","Name of the wireless adapter","Whether the connection was automatic (\"Automatic connection with a profile\") or manual (\"Connection to a secure network without a profile\")","SSID of the wireless network that was connected to","Security protocol used to connect (e.g. 
WEP, WPA2-Personal)","SSID of the wireless network that was disconnected from","Reason the wireless network was disconnected","Device HW profile FOUND: Instance.","Device HW profile ERROR: Instance.","1 mapped: PA.","1 PA.","[Failure Information] Failure Type.","[Attribute] Expiration Time","Error Instrument: ProcessName.","ERROR: Invalid bank number.","1: Interrupts mask set to.","(requested.","1: Interrupts queried active.","(raw.","1: Interrupts status cleared with mask.","SpbCx DDI: EvtSpbTargetConnect: SpbController.","SpbCx DDI: EvtSpbTargetDisconnect: SpbController.","SpbCx DDI: EvtSpbControllerLock: SpbController.","SpbCx DDI: EvtSpbControllerUnlock: SpbController.","SpbCx DDI: EvtSpbIoRead: SpbController.","SpbCx DDI: EvtSpbIoWrite: SpbController.","SpbCx DDI: EvtSpbIoSequence: SpbController.","SpbCx DDI: EvtSpbOtherInCallerContext: SpbController.","SpbCx DDI: EvtSpbOther: SpbController.","Request INFO: Addr.","Request ERROR: Addr.","Interrupt ISR: Status.","Interrupt DPC: HW_Status.","SW_Status.","Target ERROR: Invalid bus type (current.","Controller ERROR: Invalid capability (Type.","Controller INFO: Addr.","Controller ERROR: Addr.","Controller initialization failed - STATUS.","[Automatic restart sign on successfully configured the autologon credentials for] Account Name.","[Automatic restart sign on successfully configured the autologon credentials for] Account Domain.","[An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies] Error.","[An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies] Name.","[An error occurred while processing new Central Access Policies for this machine. 
Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies] Description.","Domain\\User","Threat name","Threat ID","Severity. Examples: Low, Moderate, High, or Severe","Category description, for example, any threat or malware type.","Action. Examples: Clean: The resource was cleaned. Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist. User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing.","Definition version","Antimalware Engine version","File path","Result code associated with threat status. Standard HRESULT values.","Description of the error.","The time when the event occurred, for example when the history is purged. This parameter isn't used in threat events so that there's no confusion regarding whether it's remediation time or infection time. For such events, we specifically call them as Action Time or Detection Time.","Detection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic","Detection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature","Detection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this source protects against malicious webpage controls. Early Launch Antimalware (ELAM). This source includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. 
UAC","Process name (identified by PID)","Enumeration matching severity.","Name of the file.","Detection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls. Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC","Detection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this source protects against malicious webpage controls. Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC","Description of other actions","Action. Examples: Clean: The resource was cleaned. Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing","Description of additional actions","Detection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls. Early Launch Antimalware (ELAM). 
This includes malware detected by the boot sequence Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC","Action. Examples: Clean: The resource was cleaned Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist. User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing.","Product Name. Examples: Microsoft Defender Antivirus","Detection Time, time when CFA blocked an untrusted process","Device name, name of the device or disk that an untrusted process accessed for modification","Process path, the process path name that CFA blocked from accessing the device or disk for modification","Current platform version","Realtime protection state (Enabled or Disabled)","On Access state (Enabled or Disabled)","IE Downloads and Outlook Express Attachments state (Enabled or Disabled)","Behavior Monitoring state (Enabled or Disabled)","Antivirus signature age (in days). Calculated as the time starting from the Security Intelligence Update (SIU) release date, to the current date. Before a signature is updated for the first time, it'll display an age of 65535 days.","Antispyware signature age (in days). Timestamp reflecting the Security Intelligence Update (SIU) release date (not the local installation time). Before the timestamp is updated for the first time, its value is null.","Last quick scan age (in days)","Last full scan age (in days)","Last quick scan source (0 = scan didn't run, 1 = user initiated, 2 = system initiated)","Last full scan source (0 = scan didn't run, 1 = user initiated, 2 = system initiated)","For internal troubleshooting","Signature type. 
Examples: Antivirus, Antispyware, Antimalware, or Network Inspection System","Update type, either Full or Delta.","New version number","Previous version","Update source. Examples: Security intelligence update folder Internal security intelligence update server Microsoft Update Server File share Microsoft Malware Protection Center (MMPC)","Update stage. Examples: Search, Download, or Install","File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.","Engine type, either antimalware engine or Network Inspection System engine.","Dynamic signature type. Examples: Version, Timestamp, No limit, or Duration","Path","Version number","Timestamp","Persistence limit type. Examples: VDM version, Timestamp, or No limit","Persistence limit of the fastpath signature.","Feature. Examples: On Access, Internet Explorer downloads and Microsoft Outlook Express attachments, Behavior monitoring, or Network Inspection System.","The reason Microsoft Defender Antivirus real-time protection restarted a feature.","Feature. Examples: On Access, IE downloads and Outlook Express attachments, Behavior monitoring, or Network Inspection System","Old antivirus configuration value.","New antivirus configuration value.","Failure type. Examples: Crash or Hang","The reason Microsoft Defender Antivirus expires.","The date Microsoft Defender Antivirus expires.","un-published.","IAppVClient:.","[Publishing refresh status changed] Server.","[Publishing refresh status changed] Global.","User Id(if available).","Password expiration claims. Seconds.","Password expiration fields. Status.","Get device token. Resource.","CA cert hash (keyID).","Logon failure. Status.","Get user realm failure. Status.","Get credential keys failure. Status.","OAuth request retry. Correlation ID.","Refresh token failure. Status.","Can't decrypt OAuth response. Error.","AadCloudAPPlugin S2U logon failed. 
Status.","On-prem tgt error.","[DoGetToken Diagnostic Event] Result.","[DoGetToken Diagnostic Event] User Identity.","[DoGetToken Diagnostic Event] Credential Type.","[DoGetToken Diagnostic Event] Correlation ID.","[DoGetToken Diagnostic Event] Endpoint Uri.","[DoGetToken Diagnostic Event] HTTP Status.","[DoGetToken Diagnostic Event] HTTP Method.","[DoGetToken Diagnostic Event] ErrorCode.","[DoGetToken Diagnostic Event] Error Description.","[DoGetEnterpriseToken Diagnostic Event] Result.","[DoGetEnterpriseToken Diagnostic Event] User Identity.","[DoGetEnterpriseToken Diagnostic Event] Credential Type.","[DoGetEnterpriseToken Diagnostic Event] Correlation ID.","[DoGetEnterpriseToken Diagnostic Event] Endpoint Uri.","[DoGetEnterpriseToken Diagnostic Event] HTTP Status.","[DoGetEnterpriseToken Diagnostic Event] HTTP Method.","[DoGetEnterpriseToken Diagnostic Event] ErrorCode.","[DoGetEnterpriseToken Diagnostic Event] Error Description.","[DoRefreshToken Diagnostic Event] Result.","[DoRefreshToken Diagnostic Event] User Identity.","[DoRefreshToken Diagnostic Event] Credential Type.","[DoRefreshToken Diagnostic Event] Correlation ID.","[DoRefreshToken Diagnostic Event] Endpoint Uri.","[DoRefreshToken Diagnostic Event] HTTP Status.","[DoRefreshToken Diagnostic Event] HTTP Method.","[DoRefreshToken Diagnostic Event] ErrorCode.","[DoRefreshToken Diagnostic Event] Error Description.","[DoRefreshEnterpriseToken Diagnostic Event] Result.","[DoRefreshEnterpriseToken Diagnostic Event] User Identity.","[DoRefreshEnterpriseToken Diagnostic Event] Credential Type.","[DoRefreshEnterpriseToken Diagnostic Event] Correlation ID.","[DoRefreshEnterpriseToken Diagnostic Event] Endpoint Uri.","[DoRefreshEnterpriseToken Diagnostic Event] HTTP Status.","[DoRefreshEnterpriseToken Diagnostic Event] HTTP Method.","[DoRefreshEnterpriseToken Diagnostic Event] ErrorCode.","[DoRefreshEnterpriseToken Diagnostic Event] Error Description.","P2P certificate update error. 
Status.","CA certificate update error. Status.","1. Error code.","Vista+.","[An instance of the Steps Recorder ran with the following information] StartTime.","[An instance of the Steps Recorder ran with the following information] StopTime.","[An instance of the Steps Recorder ran with the following information] Action Count.","[An instance of the Steps Recorder ran with the following information] Missed Action Count.","[An instance of the Steps Recorder ran with the following information] Output file location.","Available memory (bytes).","IncrementBusyCount called. Source.","DecrementBusyCount called. Source.","Updated current dependency graph (Removal.","CheckTerminationBeforeSwitch: Should terminate.","EvaluateAndTerminatePid: PID.","Package Exemption Manager: ReferenceAdded.","1. KernelRequest Value.","RegisterForActivationStateChanges: Act.","Couldn't open process.","BM: Queued evaluate WorkItem.","BM: Evaluate returned WorkItem.","BM: TaskActivated WorkItem.","BM: TaskCompleted WorkItem.","BM: TaskCanceled WorkItem.","BM: Policy evaluate returned WorkItem.","BM: TaskActivating WorkItem.","BM: TerminateHost WorkItem.","BM: ActivateDeferredWorkItem WorkItem.","1 WorkItem.","BM: TaskWallClockActive WorkItem.","BM: TaskWallClockExpired WorkItem.","BM: Policy returned HRESULT.","BM: WorkItem.","BM: User Logon Session.","BM: User Logoff Session.","BM: Flushing ignored EvaluationState.","BM: ShellSuspendState changed, oldState.","BM: DPLKeyState changed, oldState.","BM: Canceling WorkItem.","BAM: Added Package.","BAM: Removed Package.","BAM: Added Application.","BAM: Removed Application.","FAM: NotifyTaskInstanceCompleted, TaskID.","FAM: NotifyTaskInstanceRunning, TaskID.","FAM: UiForeground:Memory.","MB, CPU.","FAM: CreateAgentLaunchRequest, TaskID.","FAM: CancelAgentRequest, TaskID.","FAM: AbortAgentRequestsInternal, hr.","FAM: CompleteAgent, TaskID.","FAM: PrioritizeAgentRequest, TaskID.","FAM: NotifyConsumer, Notification.","FAM: AcquireSharedResourceSet, 
ProductID.","1, Mem.","1' (Process.","Successfully created metadata file. Volume.","Automatic certificate enrollment for","failed to download certificates for","store from","Certificate enrollment for","could not access local resources or retrieve","certificate template information (","Opening Machine Store? Value.","[Information from] 2.","The mtstocom launching routine has started.","The mtstocom launching routine has completed.","The mtstocom migration utility is attempting to retry populating the packages collection because it failed its first attempt.","Application image succesfully dumped.","Application image dump failed.","MSMQ Workgroup configuration does not provide sender identity for a COM+ application that has security enabled. The usage is accepted.","MSMQ Message Authentication disabled for a COM+ application that has security enabled. The usage is accepted.","The COM+ sub system is suppressing duplicate event log entries for a duration of","seconds. The suppression timeout can be controlled by a REG_DWORD value named","under the following registry key: HKLM\\","The average call duration has exceeded the configured threshold.","A new CRM log file was created. This CRM log file is not secure because the application Identity is Interactive User or the file system is not NTFS.","A new CRM log file was created. 
This CRM log file is secure.","[SmsRouter:.","[Cryptographic Parameters] Protector Name.","[Protector Attributes] Flags.","[Cryptographic Parameters] Recipient Type.","Volume.","Minimum memory.","Reconciled containers.","Unreconciled containers.","Catchup references.","Catchup containers.","Reconciled references.","Cross-reconciled references.","; FileId.","Available memory.","Available cores.","Instances.","Error message.","Savings rate (percent).","Saved space (MB).","Volume used space (MB).","Volume free space (MB).","Optimized file count.","In-policy file count.","Job processed space (MB).","Freed up space (MB).","Read-only.","Unoptimized file count.","Readers per instance.","Chunk lookup count.","Inserted chunk count.","Inserted chunks logical data (MB).","Inserted chunks physical data (MB).","Committed stream count.","Committed stream entry count.","Committed stream logical data (MB).","Retrieved chunks physical data (MB).","Retrieved stream logical data (MB).","DataPort time (seconds).","Job elapsed time (seconds).","Ingress throughput (MB/second).","Update file list entries (Remove.","1 located: ProductId.","Missing updates.","Missing drivers.","Unpublished drivers.","Dfs received a referral request for \"","[Details] RPC Method.","[Details] Username.","[Details] Client SID.","[Details] Client Network Address.","[Details] Account name.","[Details] Account objectClass.","[Details] userAccountControl.","[Details] Caller address.","[Details] Caller SID.","Generic Monitor (","Begin IFunctionDiscovery::GetInstanceCollection().  Category.","End IFunctionDiscovery::GetInstanceCollection().  Category.","Begin IFunctionDiscovery::GetInstance().  FIID.","End IFunctionDiscovery::GetInstance().  FIID.","Begin IFunctionDiscovery::CreateInstanceCollectionQuery().  Category.","End IFunctionDiscovery::CreateInstanceCollectionQuery().  Category.","Begin IFunctionDiscovery::CreateInstanceQuery().  FIID.","End IFunctionDiscovery::CreateInstanceQuery().  
FIID.","Begin IFunctionDiscovery::AddInstance().  Category.","End IFunctionDiscovery::AddInstance().  Category.","Begin IFunctionDiscovery::RemoveInstance().  Category.","End IFunctionDiscovery::RemoveInstance().  Category.","Begin IFunctionInstanceCollectionQuery::Execute().  Category.","End IFunctionInstanceCollectionQuery::Execute().  Category.","Begin IFunctionInstanceCollectionQuery2::Advise().  Category.","End IFunctionInstanceCollectionQuery2::Advise().  Category.","Begin IFunctionInstanceCollectionQuery2::Unadvise().  Category.","End IFunctionInstanceCollectionQuery2::Unadvise().  Category.","Begin IFunctionInstanceCollectionQuery2::Start().  Category.","End IFunctionInstanceCollectionQuery2::Start().  Category.","Begin IFunctionInstanceCollectionQuery2::Stop().  Category.","End IFunctionInstanceCollectionQuery2::Stop().  Category.","Begin IFunctionInstanceCollectionQuery2::QueryService().  Category.","End IFunctionInstanceCollectionQuery2::QueryService().  Category.","Begin IFunctionInstanceQuery::Execute().  Category.","End IFunctionInstanceQuery::Execute().  Category.","Begin IFunctionDiscoveryProvider::Initialize().  Category.","End IFunctionDiscoveryProvider::Initialize().  Category.","Begin IFunctionDiscoveryProvider::Query().  Category.","End IFunctionDiscoveryProvider::Query().  Category.","Begin IFunctionDiscoveryProvider::EndQuery().  Category.","End IFunctionDiscoveryProvider::EndQuery().  Category.","Begin IFunctionDiscoveryProvider::InstancePropertyStoreValidateAccess().  FIID.","End IFunctionDiscoveryProvider::InstancePropertyStoreValidateAccess().  FIID.","Begin IFunctionDiscoveryProvider::InstancePropertyStoreOpen().  FIID.","End IFunctionDiscoveryProvider::InstancePropertyStoreOpen().  FIID.","Begin IFunctionDiscoveryProvider::InstancePropertyStoreFlush().  FIID.","End IFunctionDiscoveryProvider::InstancePropertyStoreFlush().  FIID.","Begin IFunctionDiscoveryProvider::InstanceQueryService().  
FIID.","End IFunctionDiscoveryProvider::InstanceQueryService().  FIID.","Begin IFunctionDiscoveryProvider::InstanceReleased().  FIID.","End IFunctionDiscoveryProvider::InstanceReleased().  FIID.","Begin IProviderPublishing::CreateInstance().  Category.","End IProviderPublishing::CreateInstance().  Category.","Begin IProviderPublishing::RemoveInstance().  Category.","End IProviderPublishing::RemoveInstance().  Category.","Begin asyncronous query.  Category.","Asynchronous query complete.  Category.","UNC Path. Contains logon scripts and/or files that control system security policies.","[A user signed into the device with the following information] Username.","[A user signed into the device with the following information] User SID.","[A user signed into the device with the following information] Credential Type.","[A user signed into the device with the following information] Deployment Type.","[A user is signing into the device with the following gesture information] Type.","[A user is signing into the device with the following gesture information] Subtype.","Exclude TPM 1.2.","[A user failed to sign into the device with the following information] Username.","[A user failed to sign into the device with the following information] User SID.","[A user failed to sign into the device with the following information] Credential Type.","[A user failed to sign into the device with the following information] Deployment Type.","[A user failed to sign into the device with the following information] Software Lockout Counter.","[A user failed to sign into the device with the following information] Authentication Error Status.","[A user failed to sign into the device with the following information] Authentication Error Substatus.","[Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information] Username.","[Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information] User 
SID.","[Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information] Domain.","[Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information] User-Entered.","[Windows Hello for Business successfully removed a user entry to the Username/SID cache with the following information] User SID.","[Windows Hello for Business found a user entry with a duplicate SID and successfully removed the unused username from the Username/SID cache] User SID.","[Windows Hello for Business found a user entry with a duplicate SID and successfully removed the unused username from the Username/SID cache] Username.","[Windows Hello for Business found a user entry with a duplicate SID and successfully removed the unused username from the Username/SID cache] Unused Username.","[Windows Hello for Business found a user entry with a duplicate username and successfully removed the unused SID from the Username/SID cache] Username.","[Windows Hello for Business found a user entry with a duplicate username and successfully removed the unused SID from the Username/SID cache] User SID.","[Windows Hello for Business found a user entry with a duplicate username and successfully removed the unused SID from the Username/SID cache] Unused User SID.","[Windows Hello for Business found a stale SID in the Username/SID cache] Username.","[Windows Hello for Business found a stale SID in the Username/SID cache] User SID.","[Windows Hello for Business found a stale SID in the Username/SID cache] Stale User SID.","[Windows Hello for Business found a stale username in the Username/SID cache] User SID.","[Windows Hello for Business found a stale username in the Username/SID cache] Username.","[Windows Hello for Business found a stale username in the Username/SID cache] Stale Username.","[Windows Hello for Business removed a stale SID from the Username/SID cache] Stale User SID.","[Windows Hello for Business 
removed a stale username from the Username/SID cache] User SID.","[Windows Hello for Business removed a stale username from the Username/SID cache] Stale Username.","[Windows Hello for Business PIN was changed by a user with the following information] User SID.","Core initialization failed.  Details.","Page initialization failed.  Details.","GetHomeGroupStatus failed.  Details.","GetSharingFlags failed.  Details.","PopulateSharedFolderList failed.  Details.","Retrieve file sharing failed.  Details.","Retrieve public folder failed.  Details.","Retrieve printer sharing failed.  Details.","Retrieve media sharing failed.  Details.","Commit network discovery failed.  Details.","Commit file sharing failed.  Details.","Commit public folder failed.  Details.","Commit printer sharing failed.  Details.","Commit media sharing failed.  Details.","Share folder failed.  Details.","Hot-add information: Current UxNumberOfProcessors.","Thread pool extension. Pool type.","Thread ready. Pool type.","Thread pool trim. Pool type.","Thread gone. Pool type.","QUIC Connection. QuicConnectionId.","QUIC Connection Callback. Connection.","QUIC Stream. QuicStreamId.","QUIC Stream Callback. Stream.","SSL handshake failed. Local IP.","SSL renegotiate timed out. Local IP.","HTTP 11 Required. Verb.","QUIC Registration Failed. Status.","1 is not supported (Min.","AMD PSP PCI device discovered. Segment.","NDK PnP event failed. PnPEvent.","VF adapter bind failed. FailureReason.","[Starting Teredo Offload with] LocalV6.","[Starting Teredo Offload with] RemoteV6.","[Starting Teredo Offload with] LocalV4.","[Starting Teredo Offload with] RemoteV4.","IPHTTPS: InterfaceName.","1, Prefix.","1, Metric.","Measured Boot Measurement Failure. Status.","TPM Measurement Failure. Status.","SMM isolation level decreased. Reason.","1 failed.","SMM isolation detected. Level.","Crash dump disable failed. NT status.","Crash dump load driver failed. NT status.","Crash dump reconfigured. 
NT status.","Dump disabled forcefully (ForceDumpDisabled.","Writing dump file ended. NT Status.","Sizing Workflow: Allocation. NT.","Driver Section.","Driver Rank.","Matching Device Id.","Outranked Drivers.","Device Updated.","[Timer tick distribution policy] Disabled.","[Timer tick distribution policy] Overridden.","Firmware S3 times. SuspendStart.","Memory/IO.","[Applied settings] AutoConfig Enabled.","[LAPS is using the following domain controller] DCName.","[LAPS was unable to bind over LDAP to the domain controller] DCName.","[LAPS was unable to bind over LDAP to the domain controller] Error code.","[The current policy is configured to backup the password to Azure Active Directory, but has a configured PasswordAgeDays value that is less than the required minimum] Configured value.","[The current policy is configured to backup the password to Azure Active Directory, but has a configured PasswordAgeDays value that is less than the required minimum] Minimum value.","Error: HRESULT.","Error Propagated: HRESULT.","1] [MeetingResponsesSyncSession] Setting placeholder meeting server id for successful response (request id.","1] [MeetingResponsesSyncSession] Deleting placeholder meeting for succesful response (request id.","1 (change type.","DavSyncProvider: Uploading change (item id.","DavSyncProvider: Uploaded change (item id.","Mms Mime: Invalid phone number.","NetworkHelper::HttpTransport: Callback error: Handle.","NetworkHelper::HttpTransport: Request Failure: Handle.","NetworkHelper::CrackUrl Failure. HR.",": Unknown status.","Http: Total bytes received.",": Total Body Bytes sent.","Http: HTTP Error.","Http: Content Lengtgh.","Receive WNF event; current mode.","[Allocation range] Metadata allocation.","[Allocation range] Requested tier.","[Allocation range] , actual tier.","[Allocation range] Requested allocation start.","[Allocation range] , count.","[Allocation range] Actual allocation start.","AutopilotSync: Using user SID.","Autopilot Provisioning change. 
Session Id.","MDM Alert sync session: FeatureName.","Diagnostic extraction failed. Error.","Starting. Video.","Stopping. Bytes Muxed.","Retrieving Max connections failed. MaxCon.","Security Configuration: Network Administration of Transactions =",", Network Clients =",", Inbound Distributed Transactions using Native MSDTC Protocol =",", Outbound Distributed Transactions using Native MSDTC Protocol =",", Transaction Internet Protocol (TIP) =",", XA Transactions =","MS DTC started with the following settings (OFF = 0 and ON = 1): Filtering Duplicate events =","Unable to translate the MS DTC error code to the appropriate MS DTC error message. The MS DTC error code was","NCA PerfTrack Scenario Event. MachineId.","Network connected device (Name.","GatewayIP.","GatewayMAC.","Host.","6 NBLs per indication (NumNbls.","2, IfIndex.","Interface (Luid.","Flow Context (Flow Id.","NduUpdateProcessStatsForContainerOrVmId succeeded: CurrentProcNumber.","1: VirtualIfLuid.","1. Slot types affected: Hardware Slot.","UNC Hardening Configuration.","4\\nRemote Address.","2. Error.","Device Name.","File Name.","Volume GUID.","Time (seconds).","Volume correlation Id.","WorkItem queued, WorkItem.","WorkItem queue failed, WorkItem.","WorkItem started, WorkItem.","WorkItem completed, WorkItem.","The system failed to flush data to the transaction log. 
Corruption may occur in VolumeId.","[NTLM Minimum Client Security Block] Calling process PID.","[NTLM Minimum Client Security Block] Calling Process Name.","[NTLM Minimum Client Security Block] Negotiated Security Flags.","[NTLM Minimum Client Security Block] Minimum Security Flags.","[NTLM Minimum Server Security Block] Calling process PID.","[NTLM Minimum Server Security Block] Calling Process Name.","[NTLM Minimum Server Security Block] Negotiated Security Flags.","[NTLM Minimum Server Security Block] Minimum Security Flags.","[Nwf] [Status].","[WorkerRequestHandler].","1: Status/Active.","Activators received acknowledgement: Status.","Notification started: Type.","Control notification: Type.","Invalid notification: Client.","Notification received: Client.","1, Message.","1, TransactionId.","PDC received monitor request ON/OFF.","PDC Suspend/Resume handler activated..","1, Console.","PDC Initialization - AoAc.","1: Transaction id.","Suspend/resume started: Type.","PDC state changed: new.","1 - PDC identifier.","1 - GUID.","[This NVDIMM may need to be replaced. It can be located using the following information] Slot number.","[This NVDIMM may need to be replaced. It can be located using the following information] Manufacturer.","[This NVDIMM may need to be replaced. It can be located using the following information] Model Number.","[This NVDIMM-N may need to be replaced. It can be located using the following information] Slot number.","[This NVDIMM-N may need to be replaced. It can be located using the following information] Manufacturer.","[This NVDIMM-N may need to be replaced. 
It can be located using the following information] Model Number.","[This NVDIMM-N may be located using the following information] Slot number.","[This NVDIMM-N may be located using the following information] Manufacturer.","[This NVDIMM-N may be located using the following information] Model Number.","[This NVDIMM-N can be located using the following information] Slot number.","[This NVDIMM-N can be located using the following information] Manufacturer.","[This NVDIMM-N can be located using the following information] Model Number.","CAD: Notifying Battery Driver    - Id.","CAD: Power Source Update Call    - Id.","CAD: Start Charging IOCTL Call   - Id.","CAD: Stop Charging IOCTL Call    - Id.","CAD: Source Change Notification  - Id.","Property owner's type name.","3 to client. DataType.","[Tracing ErrorRecord] Message.","[Tracing ErrorRecord] CategoryInfo.Category.","[Tracing ErrorRecord] CategoryInfo.Reason.","[Tracing ErrorRecord] CategoryInfo.TargetName.","[Tracing ErrorRecord] FullyQualifiedErrorId.","[Exception Details] Message.","[Exception Details] Stack Trace.","[Tracing Job] Id.","[Tracing Job] InstanceId.","[Tracing Job] Name.","[Tracing Job] Location.","[Tracing Job] State.","[Tracing Job] Command.","CanRunTask failed.  Details.","The process '","' exited with exit code",". 
The creation time for the exiting process was 0x","' was terminated by the process '","' with termination code","[Sqlite][Informational] Status.","[Sqlite][Other] Status.","[Sqlite][Warning] Status.","[Sqlite][Error] Status.","1 :Number of packets.","Developer volume.","[Summary of disk space usage, since last event] Volume correlation ID.","[Summary of disk space usage, since last event] Device name.","[Summary of disk space usage, since last event] Space ID.","[Summary of disk space usage, since last event] Available clusters.","[Summary of disk space usage, since last event] Reserved clusters.","[IO latency summary common data for volume] Volume Id.","[IO latency summary common data for volume] Volume name.","[IO latency summary] Version.","[IO latency summary] Tier index.","Tier index.","Process Id.","Process name.","[IO latency summary] Developer volume.","[IO latency summary] Device Name.","[IO latency summary] Vendor ID.","[IO latency summary] Product ID.","[IO latency summary] Product Revision.","[Stream Snapshot Periodic Operation Latencies (Part 1)] Volume GUID.","[Stream Snapshot Periodic Operation Latencies (Part 1)] Device Name.","[Stream Snapshot Periodic Operation Latencies (Part 2)] Volume GUID.","[Stream Snapshot Periodic Operation Latencies (Part 2)] Device Name.","[Make sure that] Connection name.","[Make sure that] Connection URL.","[Make sure that] Error code.","[You have successfully set up the following connection] Connection name.","[You have successfully set up the following connection] Connection URL.","[The connection has been successfully removed] Connection name.","[The connection has been successfully removed] Connection URL.","ms, heartbeats sent.","ms, heartbeat last sent.","1 PhotoSequence photo available (start time.","1 is receiving the close frame. 
Code.","1.CompleteDelivery is pending with: outstanding read operations.","1', certificate error count.","1 - Line.","Current network cost: Internet available.","1: Current response transfer stats: Elapsed Time [sec].","Events (masked).","P-State Requested.","P-State Completed.","P-State Active Percentage.","P-State Active Duration.","P-State Sample Duration.","P-State Current Frequency.","P-State Requested Frequency.","The Windows Search Service started.","The Windows Search service is creating the new search index {Reason","The Windows Search Service has successfully created the new search index.","Windows Search Service indexed data for user '","Security Descriptor","Certificate Serial Number","Issuer CA Name","Revocation Status","[Network Information] Source vSwitch Port","[Network Information] Destination vSwitch Port","[Network Information] vSwitchId","Process Name","Failed test code","[CheckCompliance end] elapse.","[ProxyServer] ServerName.","[ProxyServer] ServerPort.","[ProxyServer] ServerVdir.","[ProxyServer] Error Code.","[ProxyServer] Status Code.","[AuthProxy] Proxy.","[AuthProxy] ProxyBypass.","[AuthProxy] Epoch.","[AuthProxy] Supported Schemes.","[AuthProxy] First Scheme.","[Digest Credential] Initialized.","[Digest Credential] DomainAndUserName.","[Digest Credential] Epoch.","[Basic Credential] Initialized.","[Basic Credential] DomainAndUserName.","[Basic Credential] Epoch.","DesiredFlags.","[A Kerberos error message was received] Client Time.","[A Kerberos error message was received] Server Time.","[A Kerberos error message was received] Error Code.","[A Kerberos error message was received] Extended Error.","[A Kerberos error message was received] Client Realm.","[A Kerberos error message was received] Client Name.","[A Kerberos error message was received] Server Realm.","[A Kerberos error message was received] Server Name.","[A Kerberos error message was received] Target Name.","[A Kerberos error message was received] Error 
Text.","Arguments.","[Client Information] Method name.","[Client Information] Method opnum.","[Client Information] Client address.","[Client Information] Client identity.","1 of event log channel.","Windows Servicing started a process of changing package",") state from","Windows Servicing is setting package",") state to","Windows Servicing successfully set package","The computer has rebooted from a bugcheck. The bugcheck was",". A dump was saved in",". Report Id","The dump file at location","was deleted because the disk volume had less than","The computer has rebooted from a bugcheck. Potentially related driver","The WinRM service is not listening for","requests because there was a failure binding to the URL (","The WS-Management client is not listening for pushed events because there was a failure binding to the URL (","The WinRM service is not listening for HTTPS requests because there was a failure binding to the URL (","The error code received from HTTP.sys is","The error code received from HTTP.sys was","Unexpected error received from LogonUser","Request processing failed because the WinRM service cannot load data or event source: DLL=\"","failed with error=\"","The SSL configuration for IP","and port","The error code is","The WinRM service has received an unsecure HTTP connection from","The WinRM service is not listening for HTTP requests because there was a failure binding to the URL (","IP Filter","The IP Range","The error code was","The WinRM service cannot migrate the listener with IP address","The WinRM service cannot migrate the listener with Address","and Transport","because the IP address","because the MAC address",", Port",". A listener that has Address=","and Transport=","Listener transport","Listener address","The WinRM service had a failure (","The WSMan IIS module failed to read configuration. 
The error received was","The WinRM service failed to create the following SPNs","The error received was","The WinRM service received an error while trying to unloading a data or event source: DLL=\"","The WinRM service is listening on the default","(Compatibility) port","Winrm set winrm/config/service @{","ID number of the relevant scan.","Scan type. Examples: Antivirus, Antispyware, or Antimalware","Scan parameters. Examples: Full scan, Quick scan, or Custom scan","Resources (such as files/directories/BHO) that were scanned.","The duration of a scan.","Category description. Examples: Any threat or malware type.","Detection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls. Early Launch Antimalware (ELAM). This source includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC.","}, {URL.","}, {hr.","3 as the HTTP proxy server.  This may indicate a problem with the proxy server or with the client's network configuration.  If this error occurs frequently, then an administrator should investigate. Details: {Job.","}, {owner.","}, {jobid.","}, {xferId.","}, {proxyServer.","}, {urlHttpVersion.","}, {urlRange.","The average call duration has exceeded 10 minutes. 
If this is not the expected behavior, please see article 910904 in the Microsoft Knowledge Base at http://support.microsoft.com for details on how to use the COM+ AutoDump feature to automatically generate dump files and/or terminate the process if the problem occurs again.","12\", DaylightDate.wYear.","[Displaying verbose messages from Powershell DSC resource] ResourceID.","[Displaying debug messages from Powershell DSC resource] ResourceID.","Class name.","Resource ID.","Flags.","[DSC Engine Error] Error Message.","Integrated Monitor (","HTTP error response sent. Url.","1 milliseconds. Reading SrkPolicy status.","Idle power management features on processor","Performance power management features on processor","Throttle power management features on processor","Processor","The speed of processor","is being limited by system firmware. The processor has been in this reduced performance state for","The Transaction (UOW=","2.  You may need to update your operating system for this application to work correctly. (Package Version.","NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC.","!I64x!, Flags.","Purge failed: Scb.","NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC.","MakeRoomForAttribute Moving Mft's attribute IC.","MoveAttributeToOwnRecord Moving Mft's $BITMAP IC.","NtfsConsolidateAllFileRecords: Invalid Vcb. Thread.","NtfsConsolidateAllFileRecords: Volume is locked. Thread.","6!I64x!, AllocateAll.","1!I64x! clusters, Scb.","!08x!; Vcb's DeallocatedClustersCount old.","Entering: Scb.","Exiting: ExtentsDescriptorIndex.","Dsm: TotalNumberOfRanges.","Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex.","Return. IrpContext.","Raising STATUS_SUCCESS from NtfsCommonCleanup.","NtfsCommonCreate: Volume is locked. Thread.","NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread.","NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. 
Thread.","NtfsCommonVolumeOpen: Thread.","NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread.","NtfsCommonVolumeOpen: Conlicting file objects. Thread.","NtfsHandlePagingFile: Paging file already open, paging files can only be opened once. Thread.","NtfsHandlePagingFile: Cannot open system file as paging file. Thread.","NtfsHandlePagingFile: Persisted paging file already exists. Thread.","NtfsOpenFcbById: Invalid system file access. Thread.","NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread.","NtfsOpenExistingPrefixFcb: Invalid system file access. Thread.","NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread.","NtfsOpenFile: Invalid system file access. Thread.","NtfsOpenFile: Deny open when txf rm is active. Thread.","NtfsCreateNewFile: Deny creation in system directory (except root). Thread.","NtfsCreateNewFile: Unable to create Ea for the file. Thread.","NtfsCreateNewFile: Unable to create in the $txf directory. Thread.","NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread.","NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind. Thread.","NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute. Thread.","NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread.","NtfsCreateNewFile: Not allowed to create streams on system files. Thread.","NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file. Thread.","NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread.","NtfsOverwriteAttr: Deny access due to encryption happening on the stream. Thread.","NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute. Thread.","NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute. Thread.","NtfsCheckValidAttributeAccess: Deny access for protected system attributes. 
Thread.","NtfsOpenAttributeCheck: File already has user writable references. Thread.","NtfsOpenAttributeCheck: Deny access for online encryption backup data stream. Thread.","NtfsOpenAttributeCheck: File was granted write access but has image section. Thread.","NtfsOpenAttribute: Denying write access on disallowed writes. Thread.","6!I64x!, Scb.","NtfsOpenAttribute: File already has user writable references. Thread.","NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread.","NtfsCheckExistingFile: Desired access conflicts with read-only state. Thread.","NtfsOpenExistingEncryptedStream: No encryption driver found. Thread.","NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file. Thread.","NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle. Thread.","NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread.","NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread.","NtfsReCheckShareAccess: Does not meet allow open requirement. Thread.","NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread.","NtfsVolumeDasdIo: Data section blocking flush. Thread.","Writing to $Bitmap. Vcb.","NTFS: Posting hotfix on file object.","NTFS:     Freeing Bad Vcn.","NTFS:     Retiring Bad Lcn.","NtfsDefragFileInternal: Defrag is denied. Thread.","NtfsDefragFile: Defrag is denied without manage volume access. Thread.","NtfsEncryptDecryptOnline: Defrag is denied. Thread.","NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege. Thread.","NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access. Thread.","NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege. Thread.","NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege. 
Thread.","NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive. Thread.","NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread.","NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread.","6!I64x!, Lcb.","NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread.","NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair. Thread.","NtfsSetRenameInfo: Can not rename a file marked for deletion. Thread.","NtfsSetRenameInfo: Can not rename a txf directory. Thread.","NtfsSetRenameInfo: Can not rename into a system directory. Thread.","NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction. Thread.","NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread.","NtfsSetRenameInfo: Child Scb mismatch. Thread.","NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread.","NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction. Thread.","6!I64x!, FileName.","NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access. Thread.","NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread.","NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running. Thread.","6!I64x!, NewLinkName.","NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread.","NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory. Thread.","NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename. Thread.","NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens. Thread.","6!I64x!, ByID opens.","NtfsStreamRename: Deny access due to encryption happening on source stream. 
Thread.","NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown. Thread.","6!I64x!, Previous batch oplock count.","NtfsFlushVolumeFlushSingleFcb: Thread.","NtfsFlushVolume: Thread.","NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb.","NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb.","NtfsLockVolumeInternal: Cannot lock the volume. Thread.","NtfsLockVolumeInternal: Volume is already locked.Thread.","NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread.","NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread.","NtfsLockVolumeInternal: Outstanding user files open after flush and retry. Thread.","NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege. Thread.","NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume. Thread.","NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread.","NtfsDismountVolume: IC.","NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread.","NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread.","NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread.","NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread.","NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread.","NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread.","NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege. Thread.","NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open. 
Thread.","NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege. Thread.","NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread.","NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread.","NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks. Thread.","NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin. Thread.","NtfsSetSparse: Caller does not have appropriate write access to the stream. Thread.","NtfsSetSparse: Cannot desparse encrypted file without write data access. Thread.","NtfsZeroRange: User mode caller not allowed. Thread.","NtfsReadRawEncrypted: Caller does not have backup access or read data access. Thread.","NtfsWriteRawEncrypted: Caller does not have write data access or restore access. Thread.","NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread.","NtfsLookupStreamFromCluster: Caller not having manage volume privilege. Thread.","NtfsChangeVolumeSize: Caller not having manage volume privilege. Thread.","NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller. Thread.","NtfsMarkHandle: Caller not having manage volume privilege. Thread.","NtfsMarkHandle: Cannot deny defrag. Thread.","NtfsMarkHandle: Cannot deny Frs consolidation. Thread.","NtfsMarkHandle: Cannot filter metadata. Thread.","NtfsMarkHandle: Mark handle is not allowed on system files. Thread.","NtfsMarkHandle: File already has user writable references. Thread.","NtfsMarkHandle: File was granted write access previously but no oplocks were broken. Thread.","NtfsPrefetchFile: Caller not having manage volume privilege. Thread.","NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write. 
Thread.","NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread.","NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread.","NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry. Thread.","NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread.","NtfsCorruptionHandling: Caller not having manage volume privilege. Thread.","NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege. Thread.","NtfsScrubData: Caller not having manage volume privilege. Thread.","Scrub not supported for Txf file, Scb.","!#I64x! Failed.","!#I64x! FileOffset.","!#I64x!, SectorAlignedVdl.","2!#I64x! FileOffset.","!#I64x! Status.","!#I64x! BytesRepaired.","FSCTL_REPAIR_COPIES not supported for Txf file, Scb.","NtfsQueryCachedRuns: Caller not having manage volume privilege. Thread.","NtfsQueryStorageClasses: Caller not having manage volume privilege. Thread.","NtfsQueryRegionInfo: Caller not having manage volume privilege. Thread.","NtfsUnloadFile: Caller not having manage volume privilege. Thread.","NtfsCheckForSection: File already has image section. Thread.","NtfsShuffleFile: User mode caller is not allowed. Thread.","7!I64x!, Ccb FullFileName.","NtfsShuffleFile: Denying access due to volume is locked. Thread.","!I64x!, Ccb FullFileName.","NtfsShuffleFile: Defrag is denied. Thread.","NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread.","NtfsRearrangeFile: User mode caller is not allowed. Thread.","6!I64x!, Ccb FullFileName.","NtfsRearrangeFile: Denying access due to volume is locked. Thread.","NtfsRearrangeFile: Defrag is denied. Thread.","NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread.","!I64x!, FullFileName.","NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write. 
Thread.","!I64x!, Scb AttributeTypeCode.","NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read. Thread.","NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread.","NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread.","NtfsFindPrefixHashEntry: {Hash table.","NtfsFindPrefixHashEntry: {Lcb.","NtfsInsertHashEntry: {Hash table.","NtfsRemoveHashEntry: {Hash table.","NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed.","NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed.","Valid NTFS boot sector. Vcb.","Not an NTFS boot sector. Vcb.","NtfsMountVolume: Vcb.","NtfsMountVolume: IC.","Mounting DAX partition. Vcb.","DAX volume mounted without DAX support because storage is not DAX capable. Vcb.","Source.","[Modified By] Security ID","[Modified By] Account Name","[Modified By] Account Domain","[Modified By] Logon ID","Client Network Address","RPC Method Name","[TGT Details] Client.","[TGT Details] Server.","[TGT Details] Flags.","An attempt to retrieve firewall filter with key","has failed with error","DetectionLocation","Status","An attempt to delete firewall filter with key","The host name pattern \"","The WinRM service has terminated","unauthenticated connections over the past"],"_rt":["Potential Access Token Abuse","Admin User Remote Logon","DiagTrackEoP Default Login Username","Successful Overpass the Hash Attempt","Pass the Hash Activity 2","RDP Login from Localhost","External Remote RDP Logon from Public IP","External Remote SMB Logon from Public IP","Outgoing Logon with New Credentials","Potential Privilege Escalation via Local Kerberos Relay over LDAP","RottenPotato Like Attack Pattern","Successful Account Login Via WMI","Hacktool Ruler","Metasploit SMB Authentication","Multiple Logon Failure Followed by Logon Success","Potential Computer Account NTLM Relay Activity","Potential Kerberos Relay Attack against a Computer Account","Potential NTLM 
Relay Attack against a Computer Account","Potential Pass-the-Hash (PtH) Attempt","Remote Windows Service Installed","Account Password Reset Remotely","Potential Account Takeover - Mixed Logon Types","Process Creation via Secondary Logon","Service Creation via Local Kerberos Authentication","Potential Account Takeover - Logon from New Source IP","Detect Password Spray Attack Behavior From Source","Detect Password Spray Attack Behavior On User","Unusual Number of Remote Endpoint Authentication Events","Windows AD Replication Request Initiated by User Account","Windows AD Replication Request Initiated from Unsanctioned Location","Windows AD Short Lived Domain Controller SPN Attribute","Windows Kerberos Local Successful Logon","Windows Local Administrator Credential Stuffing","Windows Rapid Authentication On Multiple Hosts","Windows RDP Login Session Was Established","Windows Identify PowerShell Web Access IIS Pool","Failed Logon From Public IP","Account Tampering - Suspicious Failed Logon Reasons","Privileged Accounts Brute Force","Multiple Logon Failure from the same Source Address","Detect Password Spray Attempts","Windows Multiple Users Failed To Authenticate From Process","Windows Multiple Users Remotely Failed To Authenticate From Host","Windows Unusual Count Of Users Failed To Authenticate From Process","Windows Unusual Count Of Users Remotely Failed To Auth From Host","AD Object WriteDAC Access","Active Directory Replication from Non Machine Account","Potential AD User Enumeration From Non-Machine Account","Mimikatz DC Sync","DPAPI Domain Backup Key Extraction","Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation","WMI Persistence - Security","FirstTime Seen Account Performing DCSync","Potential Credential Access via DCSync","Potential Kerberos Coercion via DNS-Based SPN Spoofing","Access to a Sensitive LDAP Attribute","Suspicious Access to LDAP Attributes","Windows AD Abnormal Object Access Activity","Windows AD Privileged Object Access 
Activity","Windows Kerberos Coercion via DNS","Suspicious Scheduled Task Creation","Remote Scheduled Task Creation via RPC","A scheduled task was created","Temporarily Scheduled Task Creation","Randomly Generated Scheduled Task Name","Schedule Task with HTTP Command Arguments","Schedule Task with Rundll32 Command Trigger","Short Lived Scheduled Task","Windows Hidden Schedule Task Settings","Windows Scheduled Task with Suspicious Command","Windows Scheduled Task with Suspicious Name","Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr","WinEvent Scheduled Task Created to Spawn Shell","WinEvent Scheduled Task Created Within Public Path","Suspicious Scheduled Task Update","Unusual Scheduled Task Update","Windows Event Auditing Disabled","Important Windows Event Auditing Disabled","Sensitive Audit Policy Sub-Category Disabled","Windows AD Domain Controller Audit Policy Disabled","Windows Important Audit Policy Disabled","A Member Was Added to a Security-Enabled Global Group","Active Directory Group Modification by SYSTEM","User Added to Privileged Group in Active Directory","Windows AD add Self to Group","Windows AD Privileged Group Modification","Windows Increase in User Modification Activity","Active Directory User Backdoors","Weak Encryption Enabled and Kerberoast","Addition of SID History to Active Directory Object","Kerberos Pre-authentication Disabled for User","Account Configured with Never-Expiring Password","KRBTGT Delegation Backdoor","Kerberos Pre-Authentication Flag Disabled in UserAccountControl","Windows AD Cross Domain SID History Addition","Windows AD Privileged Account SID History Addition","Windows AD Same Domain SID History Addition","New or Renamed User Account with '$' Character","Potential Privileged Escalation via SamAccountName Spoofing","Suspicious Computer Account Name Change","Suspicious Ticket Granting Ticket Request","Powerview Add-DomainObjectAcl DCSync AD Extend Right","Windows Default Domain GPO Modification","Persistence and 
Execution at Scale via GPO Scheduled Task","Possible DC Shadow Attack","Group Policy Abuse for Privilege Addition","Startup/Logon Script Added to Group Policy Object","Suspicious LDAP-Attributes Used","Possible Shadow Credentials Added","Potential Active Directory Replication Account Backdoor","Potential Shadow Credentials added to AD Object","User account exposed to Kerberoasting","AdminSDHolder Backdoor","AdminSDHolder SDProp Exclusion Added","Delegated Managed Service Account Modification by an Unusual User","Modification of the msPKIAccountCredentials","Startup/Logon Script added to Group Policy Object","Scheduled Task Execution at Scale via GPO","Windows AD AdminSDHolder ACL Modified","Windows AD Dangerous Deny ACL Modification","Windows AD Dangerous Group ACL Modification","Windows AD Dangerous User ACL Modification","Windows AD DCShadow Privileges ACL Addition","Windows AD Domain Replication ACL Addition","Windows AD Domain Root ACL Deletion","Windows AD Domain Root ACL Modification","Windows AD GPO Deleted","Windows AD GPO Disabled","Windows AD GPO New CSE Addition","Windows AD Hidden OU Creation","Windows AD Object Owner Updated","Windows AD Self DACL Assignment","Windows AD ServicePrincipalName Added To Domain Account","Windows AD Short Lived Domain Account ServicePrincipalName","Windows AD SID History Attribute Modified","Windows AD Suspicious Attribute Modification","Windows Default Group Policy Object Modified","Windows Group Policy Object Created","Windows Short Lived DNS Record","Potential ADIDNS Poisoning via Wildcard Record Creation","Potential WPAD Spoofing via DNS Record Creation","Creation of a DNS-Named Record","dMSA Account Creation by an Unusual User","Windows AD Short Lived Server Object","Clfs.SYS Loaded By Process Located In a Potential Suspicious Location","DLL Loaded From Suspicious Location Via Cmspt.EXE","Amsi.DLL Loaded Via LOLBIN Process","Potential Azure Browser SSO Abuse","Suspicious Renamed Comsvcs DLL Loaded By 
Rundll32","CredUI.DLL Loaded By Uncommon Process","Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded","PCRE.NET Package Image Load","Load Of RstrtMgr.DLL By A Suspicious Process","Load Of RstrtMgr.DLL By An Uncommon Process","Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE","PowerShell Core DLL Loaded By Non PowerShell Process","Time Travel Debugging Utility Usage - Image","Unsigned .node File Loaded","Suspicious Volume Shadow Copy VSS_PS.dll Load","Suspicious Volume Shadow Copy Vssapi.dll Load","Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load","HackTool - SharpEvtMute DLL Load","HackTool - SILENTTRINITY Stager DLL Load","Potential DCOM InternetExplorer.Application DLL Hijack - Image Load","Unsigned Image Loaded Into LSASS Process","DotNET Assembly DLL Loaded Via Office Application","CLR DLL Loaded Via Office Applications","GAC DLL Loaded Via Office Applications","Microsoft Excel Add-In Loaded From Uncommon Location","Microsoft VBA For Outlook Addin Loaded Via Outlook","PowerShell Core DLL Loaded Via Office Application","VBA DLL Loaded Via Office Application","Remote DLL Load Via Rundll32.EXE","WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load","Potential 7za.DLL Sideloading","Abusable DLL Potential Sideloading From Suspicious Location","Potential Antivirus Software DLL Sideloading","Potential appverifUI.DLL Sideloading","Aruba Network Service Potential DLL Sideloading","Potential AVKkid.DLL Sideloading","Potential CCleanerDU.DLL Sideloading","Potential CCleanerReactivator.DLL Sideloading","Potential Chrome Frame Helper DLL Sideloading","Potential DLL Sideloading Via ClassicExplorer32.dll","Potential DLL Sideloading Via comctl32.dll","Potential DLL Sideloading Using Coregen.exe","System Control Panel Item Loaded From Uncommon Location","Potential DLL Sideloading Of DBGCORE.DLL","Potential DLL Sideloading Of DBGHELP.DLL","Potential DLL Sideloading Of DbgModel.DLL","Potential EACore.DLL Sideloading","Potential Edputil.DLL 
Sideloading","Potential System DLL Sideloading From Non System Locations","Potential Goopdate.DLL Sideloading","Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE","Potential Iviewers.DLL Sideloading","Potential JLI.dll Side-Loading","Potential DLL Sideloading Via JsSchHlp","Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE","Potential Libvlc.DLL Sideloading","Potential Mfdetours.DLL Sideloading","Unsigned Mfdetours.DLL Sideloading","Potential DLL Sideloading Of MpSvc.DLL","Potential DLL Sideloading Of MsCorSvc.DLL","Potential DLL Sideloading Of Non-Existent DLLs From System Folders","Microsoft Office DLL Sideload","Potential Python DLL SideLoading","Potential Rcdll.DLL Sideloading","Potential RjvPlatform.DLL Sideloading From Default Location","Potential RjvPlatform.DLL Sideloading From Non-Default Location","Potential RoboForm.DLL Sideloading","DLL Sideloading Of ShellChromeAPI.DLL","Potential ShellDispatch.DLL Sideloading","Potential SmadHook.DLL Sideloading","Potential SolidPDFCreator.DLL Sideloading","Third Party Software DLL Sideloading","Fax Service DLL Search Order Hijack","Potential Vivaldi_elf.DLL Sideloading","VMGuestLib DLL Sideload","VMMap Signed Dbghelp.DLL Potential Sideloading","VMMap Unsigned Dbghelp.DLL Potential Sideloading","Potential DLL Sideloading Via VMware Xfer","Potential Waveedit.DLL Sideloading","Potential Wazuh Security Platform DLL Sideloading","Potential Mpclient.DLL Sideloading","Potential WWlib.DLL Sideloading","BaaUpdate.exe Suspicious DLL Load","Unsigned Module Loaded by ClickOnce Application","DLL Load By System Process From Suspicious Locations","Python Image Load By Non-Python Process","DotNet CLR DLL Loaded By Scripting Applications","Unsigned DLL Loaded by Windows Utility","Suspicious Unsigned Thor Scanner Execution","UAC Bypass Using Iscsicpl - ImageLoad","UAC Bypass With Fake DLL","MMC Loading Script Engines DLLs","Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location","Trusted Path Bypass 
via Windows Directory Spoofing","WMI Persistence - Command Line Event Consumer","WMIC Loading Scripting Libraries","Wmiprvse Wbemcomn DLL Hijack","Suspicious WSMAN Provider Image Loads","Potential Credential Access via Renamed COM+ Services DLL","CMLUA Or CMSTPLUA UAC Bypass","Loading Of Dynwrapx Module","MS Scripting Process Loading Ldap Module","MS Scripting Process Loading WMI Module","MSI Module Loaded by Non-System Binary","Spoolsv Suspicious Loaded Modules","Sunburst Correlation DLL and Network Event","UAC Bypass MMC Load Unsigned Dll","UAC Bypass With Colorui COM Object","Wbemprox COM Object Execution","Windows BitDefender Submission Wizard DLL Sideloading","Windows Credentials Access via VaultCli Module","Windows DLL Module Loaded in Temp Dir","Windows DLL Search Order Hijacking Hunt with Sysmon","Windows DLL Side-Loading In Calc","Windows Executable in Loaded Modules","Windows Gather Victim Identity SAM Info","Windows Hijack Execution Flow Version Dll Side Load","Windows Input Capture Using Credential UI Dll","Windows InstallUtil Credential Theft","Windows Known Abused DLL Loaded Suspiciously","Windows Known GraphicalProton Loaded Modules","Windows MMC Loaded Script Engine DLL","Windows NetSupport RMM DLL Loaded By Uncommon Process","Windows Office Product Loaded MSHTML Module","Windows Office Product Loading Taskschd DLL","Windows Office Product Loading VBE7 DLL","Windows Remote Access Software BRC4 Loaded Dll","Windows Scheduled Task DLL Module Loaded","Windows SpeechRuntime COM Hijacking DLL Load","Windows SqlWriter SQLDumper DLL Sideload","Windows Unsigned DLL Side-Loading","Windows Unsigned DLL Side-Loading In Same Process Path","Windows Unsigned MS DLL Side-Loading","Windows Unusual Process Load Mozilla NSS-Mozglue Module","HackTool - CACTUSTORCH Remote Thread Creation","HackTool - Potential CobaltStrike Process Injection","Remote Thread Created In KeePass.EXE","Remote Thread Creation In Mstsc.Exe From Suspicious Location","Potential Credential 
Dumping Attempt Via PowerShell Remote Thread","Remote Thread Creation Via PowerShell In Uncommon Target","Password Dumper Remote Thread in LSASS","Rare Remote Thread Creation By Uncommon Source Image","Remote Thread Creation By Uncommon Source Image","Remote Thread Creation In Uncommon Target Image","Remote Thread Creation Ttdinject.exe Proxy","Process Injection by the Microsoft Build Engine","Create Remote Thread In Shell Application","Create Remote Thread into LSASS","Powershell Remote Thread To Known Windows Process","Rundll32 Create Remote Thread To A Process","Rundll32 CreateRemoteThread In Browser","Windows Process Injection Of Wermgr to Known Browser","Windows Process Injection Remote Thread","Windows Process Injection With Public Source Path","Security Eventlog Cleared","Windows Event Logs Cleared","Windows Event Log Cleared","AADInternals PowerShell Cmdlets Execution - PsScript","Access to Browser Login Data","Potential Active Directory Enumeration Using AD Module - PsScript","Powershell Add Name Resolution Policy Table Rule","Add Windows Capability Via PowerShell Script","PowerShell ADRecon Execution","AMSI Bypass Pattern Assembly GetType","Potential AMSI Bypass Script Using NULL Bits","Silence.EDA Detection","Get-ADUser Enumeration Using UserAccountControl Flags","Potential Data Exfiltration Via Audio File","Automated Collection Command PowerShell","Windows Screen Capture with CopyFromScreen","Clear PowerShell History - PowerShell","Clearing Windows Console History","Powershell Create Scheduled Task","Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell","Powershell Install a DLL in System Directory","Registry-Free Process Scope COR_PROFILER","PowerShell Create Local User","DMSA Service Account Created in Specific OUs - PowerShell","Create Volume Shadow Copy with Powershell","Powershell Detect Virtualization Environment","DirectorySearcher Powershell Exploitation","Manipulation of User Computer or Group Security Principals Across 
AD","Disable Powershell Command History","Disable-WindowsOptionalFeature Command PowerShell","Potential In-Memory Execution Using Reflection.Assembly","Potential COM Objects Download Cradles Usage - PS Script","DSInternals Suspicious PowerShell Cmdlets - ScriptBlock","Dump Credentials from Windows Credential Manager With PowerShell","Enable Windows Remote Management","Potential Suspicious Windows Feature Enabled","Enumerate Credentials from Windows Credential Manager With PowerShell","Disable of ETW Trace - Powershell","Certificate Exported Via PowerShell - ScriptBlock","Suspicious FromBase64String Usage On Gzip Archive - Ps Script","Service Registry Permissions Weakness Check","Active Directory Computers Enumeration With Get-AdComputer","Active Directory Group Enumeration With Get-AdGroup","Suspicious Get-ADReplAccount","Automated Collection Bookmarks Using Get-ChildItem PowerShell","Security Software Discovery Via Powershell Script","HackTool - Rubeus Execution - ScriptBlock","HackTool - WinPwn Execution - ScriptBlock","PowerShell Hotfix Enumeration","PowerShell ICMP Exfiltration","Import PowerShell Modules From Suspicious Directories","Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript","Execute Invoke-command on Remote Host","Powershell DNSExfiltration","Invoke-Obfuscation CLIP+ Launcher - PowerShell","Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell","Invoke-Obfuscation STDIN+ Launcher - Powershell","Invoke-Obfuscation VAR+ Launcher - PowerShell","Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell","Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell","Invoke-Obfuscation Via Stdin - Powershell","Invoke-Obfuscation Via Use Clip - Powershell","Invoke-Obfuscation Via Use MSHTA - PowerShell","Invoke-Obfuscation Via Use Rundll32 - PowerShell","Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell","Powershell Keylogging","Powershell LocalAccount Manipulation","Suspicious PowerShell Mailbox Export to Share - PS","Malicious PowerShell 
Commandlets - ScriptBlock","Malicious PowerShell Keywords","Live Memory Dump Using Powershell","DMSA Link Attributes Modified","Modify Group Policy Settings - ScriptBlockLogging","Powershell MsXml COM Object","Malicious Nishang PowerShell Commandlets","NTFS Alternate Data Stream","Code Executed Via Office Add-in XLL File","Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock","Potential Invoke-Mimikatz PowerShell Script","Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock","PowerShell Web Access Installation - PsScript","PowerView PowerShell Cmdlets - ScriptBlock","PowerShell Credential Prompt","PSAsyncShell - Asynchronous TCP Reverse Shell","PowerShell PSAttack","PowerShell Remote Session Creation","Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock","Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock","PowerShell Script With File Hostname Resolving Capabilities","Root Certificate Installed - PowerShell","Suspicious Invoke-Item From Mount-DiskImage","PowerShell Script With File Upload Capabilities","Powershell Sensitive File Discovery","PowerShell Script Change Permission Via Set-Acl - PsScript","PowerShell Set-Acl On Windows Folder - PsScript","Change PowerShell Policies to an Insecure Level - PowerShell","PowerShell ShellCode","Malicious ShellIntel PowerShell Commandlets","Detected Windows Software Discovery - PowerShell","Powershell Store File In Alternate Data Stream","Potential Persistence Via Security Descriptors - ScriptBlock","AD Groups Or Users Enumeration Using PowerShell - ScriptBlock","Potential PowerShell Obfuscation Using Character Join","Suspicious Eventlog Clear","Powershell Directory Enumeration","Suspicious PowerShell Download - Powershell Script","Powershell Execute Batch Script","Extracting Information with PowerShell","Troubleshooting Pack Cmdlet Execution","Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy","Suspicious PowerShell Get Current 
User","Suspicious GPO Discovery With Get-GPO","Suspicious Process Discovery With Get-Process","PowerShell Get-Process LSASS in ScriptBlock","Suspicious GetTypeFromCLSID ShellExecute","Suspicious Hyper-V Cmdlets","Suspicious PowerShell Invocations - Generic","Suspicious PowerShell Invocations - Specific","Change User Agents with WebRequest","Suspicious IO.FileStream","Potential Keylogger Activity","Potential Suspicious PowerShell Keywords","Suspicious Get Local Groups Information - PowerShell","Powershell Local Email Collection","Suspicious Mount-DiskImage","PowerShell Deleted Mounted Share","Suspicious Connection to Remote Account","Suspicious New-PSDrive to Admin Share","Suspicious TCP Tunnel Via PowerShell Script","Recon Information for Export with PowerShell","Remove Account From Domain Admin Group","Suspicious Service DACL Modification Via Set-Service Cmdlet - PS","Potential PowerShell Obfuscation Using Alias Cmdlets","Suspicious Get Information for SMB Share","Suspicious SSL Connection","Suspicious Start-Process PassThru","Suspicious Unblock-File","Replace Desktop Wallpaper by Powershell","Powershell Suspicious Win32_PnPEntity","Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script","Suspicious PowerShell WindowStyle Option","PowerShell Write-EventLog Usage","Zip A Folder With PowerShell For Staging In Temp - PowerShell Script","SyncAppvPublishingServer Execution to Bypass Powershell Restriction","Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging","Tamper Windows Defender - ScriptBlockLogging","Testing Usage of Uncommonly Used Port","Powershell Timestomp","User Discovery And Export Via Get-ADUser Cmdlet - PowerShell","Potential Persistence Via PowerShell User Profile Using Add-Content","Abuse of Service Permissions to Hide Services Via Set-Service - PS","Registry Modification Attempt Via VBScript - PowerShell","Veeam Backup Servers Credential Dumping Script Execution","Usage Of Web Request Commands And Cmdlets - 
ScriptBlock","Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript","PowerShell WMI Win32_Product Install MSI","Potential WinAPI Calls Via PowerShell Scripts","Windows Defender Exclusions Added - PowerShell","Windows Firewall Profile Disabled","Winlogon Helper DLL","Powershell WMI Persistence","WMIC Unquoted Services Path Lookup - PowerShell","WMImplant Hack Tool","Suspicious X509Enrollment - Ps Script","Powershell XML Execute Command","Potential PowerShell Obfuscation via Invalid Escape Sequences","Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion","Potential PowerShell Obfuscation via Character Array Reconstruction","Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation","Potential PowerShell Obfuscation via High Numeric Character Proportion","Potential Dynamic IEX Reconstruction via Environment Variables","Dynamic IEX Reconstruction via Method String Access","PowerShell Obfuscation via Negative Index String Reversal","Potential PowerShell Obfuscation via Reverse Keywords","Potential PowerShell Obfuscation via String Concatenation","Potential PowerShell Obfuscation via String Reordering","Potential PowerShell Obfuscation via Special Character Overuse","AdsiSearcher Account Discovery","Allow Inbound Traffic In Firewall Rule","Delete ShadowCopy With PowerShell","Detect Certify With PowerShell Script Block Logging","Detect Copy of ShadowCopy with Script Block Logging","Detect Empire with PowerShell Script Block Logging","Detect Mimikatz With PowerShell Script Block Logging","Disabled Kerberos Pre-Authentication Discovery With Get-ADUser","Disabled Kerberos Pre-Authentication Discovery With PowerView","Domain Group Discovery with Adsisearcher","Elevated Group Discovery with PowerView","Exchange PowerShell Module Usage","Get ADDefaultDomainPasswordPolicy with Powershell Script Block","Get ADUser with PowerShell Script Block","Get ADUserResultantPasswordPolicy with Powershell Script Block","Get DomainPolicy 
with Powershell Script Block","Get-DomainTrust with PowerShell Script Block","Get DomainUser with PowerShell Script Block","Get-ForestTrust with PowerShell Script Block","Get WMIObject Group Discovery with Script Block Logging","GetAdComputer with PowerShell Script Block","GetAdGroup with PowerShell Script Block","GetCurrent User with PowerShell Script Block","GetDomainComputer with PowerShell Script Block","GetDomainController with PowerShell Script Block","GetDomainGroup with PowerShell Script Block","GetLocalUser with PowerShell Script Block","GetNetTcpconnection with PowerShell Script Block","GetWmiObject Ds Computer with PowerShell Script Block","GetWmiObject Ds Group with PowerShell Script Block","GetWmiObject DS User with PowerShell Script Block","GetWmiObject User Account with PowerShell Script Block","Interactive Session on Remote Endpoint with PowerShell","Kerberos Pre-Authentication Flag Disabled with PowerShell","Mailsniper Invoke functions","PowerShell 4104 Hunting","Powershell COM Hijacking InprocServer32 Modification","Powershell Creating Thread Mutex","PowerShell Domain Enumeration","PowerShell Enable PowerShell Remoting","Powershell Enable SMB1Protocol Feature","Powershell Execute COM Object","Powershell Fileless Process Injection via GetProcAddress","Powershell Fileless Script Contains Base64 Encoded Content","Powershell Get LocalGroup Discovery with Script Block Logging","PowerShell Invoke CIMMethod CIMSession","PowerShell Invoke WmiExec Usage","Powershell Load Module in Meterpreter","PowerShell Loading DotNET into Memory via Reflection","Powershell Processing Stream Of Data","Powershell Remote Services Add TrustedHost","Powershell Remove Windows Defender Directory","PowerShell Script Block With URL Chain","PowerShell Start or Stop Service","Powershell Using memory As Backing Store","PowerShell WebRequest Using Memory Stream","Powershell Windows Defender Exclusion Commands","Recon AVProduct Through Pwh or WMI","Recon Using WMI Class","Remote 
Process Instantiation via DCOM and PowerShell Script Block","Remote Process Instantiation via WinRM and PowerShell Script Block","Remote Process Instantiation via WMI and PowerShell Script Block","Remote System Discovery with Adsisearcher","ServicePrincipalNames Discovery with PowerShell","Unloading AMSI via Reflection","User Discovery With Env Vars PowerShell Script Block","Windows Account Discovery for None Disable User Account","Windows Account Discovery for Sam Account Name","Windows Account Discovery With NetUser PreauthNotRequire","Windows Archive Collected Data via Powershell","Windows ClipBoard Data via Get-ClipBoard","Windows Domain Account Discovery Via Get-NetComputer","Windows Enable PowerShell Web Access","Windows ESX Admins Group Creation via PowerShell","Windows Exfiltration Over C2 Via Invoke RestMethod","Windows Exfiltration Over C2 Via Powershell UploadString","Windows File Share Discovery With Powerview","Windows Find Domain Organizational Units with GetDomainOU","Windows Find Interesting ACL with FindInterestingDomainAcl","Windows Forest Discovery with GetForestDomain","Windows Gather Victim Host Information Camera","Windows Get-AdComputer Unconstrained Delegation Discovery","Windows Get Local Admin with FindLocalAdminAccess","Windows Linked Policies In ADSI Discovery","Windows PowerShell Add Module to Global Assembly Cache","Windows Powershell Cryptography Namespace","Windows PowerShell Disable HTTP Logging","Windows PowerShell Export Certificate","Windows PowerShell Export PfxCertificate","Windows PowerShell Get CIMInstance Remote Computer","Windows Powershell History File Deletion","Windows PowerShell IIS Components WebGlobalModule Usage","Windows Powershell Import Applocker Policy","Windows PowerShell Invoke-RestMethod IP Information Collection","Windows PowerShell Invoke-Sqlcmd Execution","Windows Powershell Logoff User via Quser","Windows PowerShell MSIX Package Installation","Windows PowerShell ScheduleTask","Windows PowerShell Script 
Block With Malicious String","Windows PowerShell WMI Win32 ScheduledJob","Windows PowerSploit GPP Discovery","Windows PowerView AD Access Control List Enumeration","Windows PowerView Constrained Delegation Discovery","Windows PowerView Kerberos Service Ticket Request","Windows PowerView SPN Discovery","Windows PowerView Unconstrained Delegation Discovery","Windows Root Domain linked policies Discovery","Windows Screen Capture Via Powershell","WMI Recon Running Process Or Services","Uncommon Child Process Of AddinUtil.EXE","Uncommon Child Process Of Appvlp.EXE","Suspicious ArcSOC.exe Child Process","AspNetCompiler Execution","Suspicious Child Process of AspNetCompiler","Potentially Suspicious ASP.NET Compilation Via AspNetCompiler","Interactive AT Job","Audit Policy Tampering Via NT Resource Kit Auditpol","Suspicious BitLocker Access Agent Update Utility Execution","Suspicious Child Process Of BgInfo.EXE","Uncommon Child Process Of BgInfo.EXE","BitLockerTogo.EXE Execution","Potential Data Stealing Via Chromium Headless Debugging","Browser Execution In Headless Mode","File Download with Headless Browser","Chromium Browser Instance Executed With Custom Extension","Chromium Browser Headless Execution To Mockbin Like Site","Suspicious Chromium Browser Instance Executed With Custom Extension","File Download From Browser Process Via Inline URL","Browser Started with Remote Debugging","Suspicious Calculator Usage","Suspicious CodePage Switch Via CHCP","Cloudflared Portable Execution","Cloudflared Tunnel Connections Cleanup","Cloudflared Tunnel Execution","Curl Download And Execute Combination","Potential Dosfuscation Activity","Command Line Execution with Suspicious URL and AppData Strings","VolumeShadowCopy Symlink Creation Via Mklink","Cmd.EXE Missing Space Characters Execution Anomaly","NtdllPipe Like Activity Execution","Suspicious Ping/Del Command Combination","Copy From VolumeShadowCopy Via Cmd.EXE","Sticky Key Like Backdoor Execution","Persistence Via Sticky Key 
Backdoor","Potential Download/Upload Activity Using Type Command","Unusual Parent Process For Cmd.EXE","CMSTP Execution Process Creation","OpenEDR Spawning Command Shell","Suspicious High IntegrityLevel Conhost Legacy Option","Uncommon Child Process Of Conhost.EXE","Suspicious CustomShellHost Execution","Uncommon Child Process Of Defaultpack.EXE","PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'","Remote File Download Via Desktopimgdownldr Utility","Suspicious Desktopimgdownldr Command","DeviceCredentialDeployment Execution","Arbitrary MSI Download Via Devinit.EXE","Potentially Suspicious Child Process Of ClickOnce Application","System Information Discovery via Registry Queries","Potentially Suspicious Child Process Of DiskShadow.EXE","DLL Sideloading by VMware Xfer Utility","Dllhost.EXE Execution Anomaly","DNS Exfiltration and Tunneling Tools Execution","Unusual Child Process of dns.exe","Potential Discovery Activity Via Dnscmd.EXE","New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE","Potential Application Whitelisting Bypass via Dnx.EXE","Suspicious Kernel Dump Using Dtrace","Esentutl Gather Credentials","Potentially Suspicious Event Viewer Child Process","Potentially Suspicious Cabinet File Expansion","Explorer Process Tree Break","File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell","Recon Command Output Piped To Findstr.EXE","Uncommon FileSystem Load Attempt By Format.com","Arbitrary File Download Via GfxDownloadWrapper.EXE","Potentially Suspicious GoogleUpdate Child Process","Gpresult Display Group Policy Information","Arbitrary Binary Execution Using GUP Utility","Suspicious Child Process of Notepad++ Updater - GUP.Exe","Suspicious GUP Usage","HTML Help HH.EXE Suspicious Child Process","HackTool - ADCSPwn Execution","HackTool - F-Secure C3 Load by Rundll32","HackTool - Covenant PowerShell Launcher","HackTool - CrackMapExec Execution","HackTool - CrackMapExec Execution Patterns","HackTool - CrackMapExec 
Process Patterns","HackTool - DInjector PowerShell Cradle Execution","HackTool - Empire PowerShell Launch Parameters","HackTool - Empire PowerShell UAC Bypass","HackTool - WinRM Access Via Evil-WinRM","HackTool - Hashcat Password Cracker Execution","HackTool - HollowReaper Execution","HackTool - Htran/NATBypass Execution","HackTool - Hydra Password Bruteforce Execution","HackTool - Impacket Tools Execution","Invoke-Obfuscation CLIP+ Launcher","Invoke-Obfuscation Obfuscated IEX Invocation","Invoke-Obfuscation STDIN+ Launcher","Invoke-Obfuscation VAR+ Launcher","Invoke-Obfuscation COMPRESS OBFUSCATION","Invoke-Obfuscation Via Stdin","Invoke-Obfuscation Via Use Clip","Invoke-Obfuscation Via Use MSHTA","Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION","HackTool - LaZagne Execution","Potential Meterpreter/CobaltStrike Activity","HackTool - Mimikatz Execution","HackTool - NetExec Execution","HackTool - Default PowerSploit/Empire Scheduled Task Creation","HackTool - Pypykatz Credentials Dumping Activity","HackTool - Quarks PwDump Execution","HackTool - RedMimicry Winnti Playbook Execution","Potential SMB Relay Attack Tool Execution","HackTool - SharpWSUS/WSUSpendu Execution","HackTool - Sliver C2 Implant Activity Pattern","HackTool - SOAPHound Execution","HackTool - WinPwn Execution","HackTool - Wmiexec Default Powershell Command","HackTool - XORDump Execution","Suspicious ZipExec Execution","Suspicious Execution of Hostname","Suspicious HWP Sub Processes","Potential Fake Instance Of Hxtsr.EXE Executed","Suspicious IIS Module Registration","ImagingDevices Unusual Parent/Child Processes","InfDefaultInstall.exe .inf Execution","Suspicious Execution of InstallUtil Without Log","Suspicious Shells Spawn by Java Utility Keytool","Suspicious Child Process Of Manage Engine ServiceDesk","Java Running with Remote Debugging","Suspicious Processes Spawned by Java.EXE","Shell Process Spawned by Java.EXE","Kavremover Dropped Binary LOLBIN Usage","Attempts of Kerberos Coercion Via DNS SPN 
Spoofing","Uncommon Link.EXE Parent Process","Devtoolslauncher.exe Executes Specified Binary","Suspicious Diantz Alternate Data Stream Execution","Suspicious Diantz Download and Compress Into a CAB File","Suspicious Extrac32 Alternate Data Stream Execution","Launch-VsDevShell.PS1 Proxy Execution","Mavinject Inject DLL Into Running Process","Execute Files with Msdeploy.exe","OpenWith.exe Executes Specified Binary","Use of Pcalua For Execution","Indirect Command Execution By Program Compatibility Wizard","Execute Pcwrun.EXE To Leverage Follina","Execute Code with Pester.bat","PrintBrm ZIP Creation of Extraction","Pubprn.vbs Proxy Execution","REGISTER_APP.VBS Proxy Execution","Replace.exe Usage","Lolbin Runexehelper Use As Proxy","Suspicious Runscripthelper.exe","Use Of The SFTP.EXE Binary As A LOLBIN","Suspicious Driver Install by pnputil.exe","Suspicious GrpConv Execution","Dumping Process via Sqldumper.exe","SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code","Time Travel Debugging Utility Usage","UtilityFunctions.ps1 Proxy Dll","Visual Basic Command Line Compiler Usage","Potential Credential Dumping Via LSASS Process Clone","Potential Mftrace.EXE Abuse","MMC20 Lateral Movement","MMC Spawning Windows Shell","Potential Mpclient.DLL Sideloading Via Defender Binaries","MSDT Execution Via Answer File","Wscript Shell Run In CommandLine","Potential LethalHTA Technique Execution","Suspicious Msiexec Execute Arbitrary DLL","MsiExec Web Install","Suspicious Child Process Of SQL Server","Potential MSTSC Shadowing Activity","Msxsl.EXE Execution","Remote XSL Execution Via Msxsl.EXE","Potential Arbitrary Code Execution Via Node.EXE","Node Process Executions","Notepad Password Files Discovery","Network Reconnaissance Activity","Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)","Uncommon Child Process Spawned By Odbcconf.EXE","OneNote.EXE Execution of Malicious Embedded Scripts","Outlook EnableUnsafeClientMailRules Setting Enabled","Suspicious Execution 
From Outlook Temporary Folder","Suspicious Outlook Child Process","Suspicious Remote Child Process From Outlook","Suspicious Binary In User Directory Spawned From Office Application","Potentially Suspicious Execution Of PDQDeployRunner","Ping Hex IP","Potential RDP Tunneling Via Plink","Potential AMSI Bypass Via .NET Reflection","Potential AMSI Bypass Using NULL Bits","Audio Capture via PowerShell","Suspicious Obfuscated PowerShell Code","PowerShell Base64 Encoded FromBase64String Cmdlet","PowerShell Base64 Encoded IEX Cmdlet","Powershell Base64 Encoded MpPreference Cmdlet","PowerShell Base64 Encoded Reflective Assembly Load","Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call","Potential Process Execution Proxy Via CL_Invocation.ps1","Assembly Loading Via CL_LoadAssembly.ps1","Potential Script Proxy Execution Via CL_Mutexverifiers.ps1","Potential PowerShell Console History Access Attempt via History File","New Service Creation Using PowerShell","Gzip Archive Decode Via PowerShell","Powershell Defender Disable Scan Feature","Powershell Defender Exclusion","Disabled IE Security Features","Potential PowerShell Downgrade Attack","Potential COM Objects Download Cradles Usage - Process Creation","Obfuscated PowerShell OneLiner Execution","Potential DLL File Download Via PowerShell Invoke-WebRequest","PowerShell Download and Execution Cradles","DSInternals Suspicious PowerShell Cmdlets","Email Exifiltration Via Powershell","Potential Suspicious Windows Feature Enabled - ProcCreation","Suspicious Execution of Powershell with Base64","Powershell Inline Execution From A File","Certificate Exported Via PowerShell","Base64 Encoded PowerShell Command Detected","Suspicious FromBase64String Usage On Gzip Archive - Process Creation","PowerShell Get-Clipboard Cmdlet Via CLI","Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet","PowerShell Get-Process LSASS","Suspicious PowerShell IEX Execution Patterns","Root Certificate Installed From Susp 
Locations","Import PowerShell Modules From Suspicious Directories - ProcCreation","Suspicious PowerShell Invocations - Specific - ProcessCreation","Suspicious PowerShell Mailbox Export to Share","Malicious PowerShell Commandlets - ProcessCreation","MSExchange Transport Agent Installation","Potential PowerShell Obfuscation Via WCHAR/CHAR","Execution of Powershell Script in Public Folder","RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses","Tamper Windows Defender Remove-MpPreference","Run PowerShell Script from ADS","Run PowerShell Script from Redirected Input Stream","PowerShell SAM Copy","Deletion of Volume Shadow Copies via WMI with PowerShell","Suspicious PowerShell Download and Execute Pattern","Suspicious PowerShell Parameter Substring","PowerShell Script Run in AppData","Powershell Token Obfuscation - Process Creation","Suspicious X509Enrollment - Process Creation","Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet","Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution","Abusing Print Executable","Potential Provlaunch.EXE Binary Proxy Execution Abuse","Suspicious Provlaunch.EXE Child Process","Screen Capture Activity Via Psr.EXE","PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE","PUA - AdFind Suspicious Execution","PUA - AdvancedRun Suspicious Execution","PUA - Chisel Tunneling Tool Execution","PUA - CleanWipe Execution","PUA - DIT Snapshot Viewer","PUA - Netcat Suspicious Execution","PUA - Ngrok Execution","PUA - NirCmd Execution As LOCAL SYSTEM","PUA - Restic Backup Tool Execution","PUA - RunXCmd Execution","PUA - TruffleHog Execution","PUA - Adidnsdump Execution","Python Spawning Pretty TTY on Windows","Potentially Suspicious Usage Of Qemu","Query Usage To Exfil Data","QuickAssist Execution","Files Added To An Archive Using Rar.EXE","Rar Usage with Password and Compression Level","Suspicious RASdial Activity","Potential Persistence Attempt Via Run Keys Using Reg.EXE","Suspicious Reg Add 
BitLocker","Dropping Of Password Filter DLL","Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE","Security Service Disabled Via Reg.EXE","Enumeration for Credentials in Registry","RestrictedAdminMode Registry Value Tampering - ProcCreation","Suspicious Query of MachineGUID","Enable LM Hash Storage - ProcCreation","Suspicious ScreenSave Change by Reg.exe","Changing Existing Service ImagePath Value Via Reg.EXE","Detected Windows Software Discovery","Disabled Volume Snapshots","Write Protect For Storage Disabled","Regedit as Trusted Installer","DLL Execution Via Register-cimprovider.exe","Enumeration for 3rd Party Creds From CLI","IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI","Suspicious Debugger Registration Cmdline","Potential Persistence Via Logon Scripts - CommandLine","Potential Credential Dumping Attempt Using New NetworkProvider - CLI","Python Function Execution Security Warning Disabled In Excel","Potential Privilege Escalation via Service Permissions Weakness","Potential Provisioning Registry Key Abuse For Binary Proxy Execution","Potential PowerShell Execution Policy Tampering - ProcCreation","Hiding User Account Via SpecialAccounts Registry Key - CommandLine","Persistence Via TypedPaths - CommandLine","Potential Regsvr32 Commandline Flag Anomaly","Potentially Suspicious Child Process Of Regsvr32","Scripting/CommandLine Process Spawned Regsvr32","Remote Access Tool - AnyDesk Piped Password Via CLI","Remote Access Tool - AnyDesk Silent Installation","Remote Access Tool - Potential MeshAgent Execution - Windows","Remote Access Tool - MeshAgent Command Execution via MeshCentral","Remote Access Tool - ScreenConnect Installation Execution","Remote Access Tool - ScreenConnect Server Web Shell Execution","Remote Access Tool - Simple Help Execution","Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server","Remote Access Tool - Team Viewer Session Started On Windows Host","Discovery of 
a System Time","Potential Renamed Rundll32 Execution","Suspicious Rundll32 Invoking Inline VBScript","Mshtml.DLL RunHTMLApplication Suspicious Usage","Rundll32 Execution Without CommandLine Parameters","Suspicious Process Start Locations","Suspicious Usage Of ShellExec_RunDLL","ShimCache Flush","Suspicious Rundll32 Activity Invoking Sys File","Rundll32 Execution Without Parameters","Possible Privilege Escalation via Weak Service Permissions","New Service Creation Using Sc.EXE","New Kernel Driver Via SC.EXE","Suspicious Service Path Modification","Potential Persistence Attempt Via Existing Service Tampering","Suspicious Schtasks Execution AppData Folder","Suspicious Modification Of Scheduled Tasks","Scheduled Task Creation Via Schtasks.EXE","Suspicious Scheduled Task Creation Involving Temp Folder","Scheduled Task Creation with Curl and PowerShell Execution Combo","Delete Important Scheduled Task","Delete All Scheduled Tasks","Disable Important Scheduled Task","Suspicious Scheduled Task Name As GUID","Suspicious Command Patterns In Scheduled Task Creation","Schtasks Creation Or Modification With SYSTEM Privileges","Script Event Consumer Spawning Process","Sdclt Child Processes","Sdiagnhost Calling Suspicious Child Process","Suspicious Serv-U Process Pattern","Uncommon Child Process Of Setres.EXE","Suspicious Execution of Shutdown","Suspicious Execution of Shutdown to Log Out","Uncommon Sigverif.EXE Child Process","Uncommon Child Processes Of SndVol.exe","Audio Capture via SoundRecorder","Suspicious Speech Runtime Binary Child Process","Suspicious Splwow64 Without Params","Veeam Backup Database Suspicious Query","VeeamBackup Database Credentials Dump Via Sqlcmd.EXE","Arbitrary File Download Via Squirrel.EXE","Process Proxy Execution Via Squirrel.EXE","Port Forwarding Activity Via SSH.EXE","Potential RDP Tunneling Via SSH","Potential Amazon SSM Agent Hijacking","Execution via stordiag.exe","Start of NT Virtual DOS Machine","User Added to Local Administrators 
Group","User Added To Highly Privileged Group","User Added to Remote Desktop Users Group","Execute From Alternate Data Streams","Potentially Suspicious Windows App Activity","Arbitrary Shell Command Execution Via Settingcontent-Ms","Phishing Pattern ISO in Archive","Potential Suspicious Browser Launch From Document Reader Process","Potential Commandline Obfuscation Using Escape Characters","Suspicious ClickFix/FileFix Execution Pattern","Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix","Potential Command Line Path Traversal Evasion Attempt","Potential Crypto Mining Activity","Potential Data Exfiltration Activity Via CommandLine Tools","Raccine Uninstall","Suspicious Double Extension File Execution","Suspicious Download from Office Domain","DumpStack.log Defender Evasion","Suspicious Electron Application Child Processes","Hidden Powershell in Link File Pattern","Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1","Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2","Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3","Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4","ETW Logging Tamper In .NET Processes Via CommandLine","ETW Trace Evasion Activity","Potentially Suspicious Execution From Parent Process In Public Folder","Process Execution From A Potentially Suspicious Folder","Suspicious FileFix Execution Pattern","Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS","Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI","Writing Of Malicious Files To The Fonts Folder","Potential Homoglyph Attack Using Lookalike Characters","Execution Of Non-Existing File","Base64 MZ Header In CommandLine","Potential WinAPI Calls Via CommandLine","Potentially Suspicious JWT Token Search Via CLI","LSASS Dump Keyword In CommandLine","Potential File Download Via MS-AppInstaller Protocol Handler","Suspicious Network Command","Suspicious Scan Loop 
Network","Potential Network Sniffing Activity Using Network Tools","Process Launched Without Image Name","Execution of Suspicious File Type Extension","Non-privileged Usage of Reg or Powershell","Suspicious Process Patterns NTDS.DIT Exfil","Potentially Suspicious Call To Win32_NTEventlogFile Class","Use NTFS Short Name in Command Line","Use NTFS Short Name in Image","Obfuscated IP Download Activity","Obfuscated IP Via CLI","Suspicious Process Parents","Suspicious RunAs-Like Flag Combination","Windows Processes Suspicious Parent Directory","Suspicious Program Names","Suspicious Process Execution From Fake Recycle.Bin Folder","Suspicious Redirection to Local Admin Share","Potential Remote Desktop Tunneling","Potential Defense Evasion Via Right-to-Left Override","Suspicious Script Execution From Temp Folder","Script Interpreter Spawning Credential Scanner - Windows","Sensitive File Access Via Volume Shadow Copy Backup","Suspicious New Service Creation","Suspicious Service Binary Directory","Process Creation Using Sysnative Folder","System File Execution Location Anomaly","Suspicious SYSVOL Domain Group Policy Access","Tasks Folder Evasion","Malicious PE Execution by Microsoft Visual Studio Debugger","Suspicious Velociraptor Child Process","Weak or Abused Passwords In CLI","Usage Of Web Request Commands And Cmdlets","WhoAmI as Parameter","Execution via WorkFolders.exe","Suspect Svchost Activity","Uncommon Svchost Command Line Parameter","Uncommon Svchost Parent Process","Potential Execution of Sysinternals Tools","Procdump Execution","Potential SysInternals ProcDump Evasion","Potential LSASS Process Dump Via Procdump","PsExec/PAExec Escalation to LOCAL SYSTEM","Potential PsExec Remote Execution","PsExec Service Child Process Execution as LOCAL SYSTEM","Potential Privilege Escalation To LOCAL SYSTEM","Sysprep on AppData Folder","Suspicious Recursive Takeown","Tap Installer Execution","Taskkill Symantec Endpoint Protection","Taskmgr as LOCAL_SYSTEM","New Process Created 
Via Taskmgr.EXE","Potentially Suspicious Command Targeting Teams Sensitive Files","Suspicious TSCON Start as SYSTEM","Suspicious RDP Redirect Using TSCON","UAC Bypass Using ChangePK and SLUI","UAC Bypass Tools Using ComputerDefaults","UAC Bypass Using Consent and Comctl32 - Process","UAC Bypass Using DismHost","UAC Bypass Using Event Viewer RecentViews","Bypass UAC via Fodhelper.exe","UAC Bypass Using IEInstal - Process","UAC Bypass Using MSConfig Token Modification - Process","UAC Bypass Using PkgMgr and DISM","Potential UAC Bypass Via Sdclt.EXE","TrustedPath UAC Bypass Pattern","UAC Bypass WSReset","Suspicious UltraVNC Execution","Uninstall Crowdstrike Falcon Sensor","Uncommon Userinit Child Process","Registry Modification Attempt Via VBScript","Virtualbox Driver Installation or Starting of VMs","Suspicious VBoxDrvInst.exe Parameters","Potentially Suspicious Child Process Of VsCode","Visual Studio Code Tunnel Service Installation","Suspicious Vsls-Agent Command With AgentExtensionPath Load","Wab Execution From Non Default Location","Wab/Wabmig Unusual Parent Or Child Processes","Potentially Suspicious WebDAV LNK Execution","Chopper Webshell Process Pattern","Webshell Hacking Activity Patterns","Webshell Tool Reconnaissance Activity","Suspicious Child Process Of Wermgr.EXE","Suspicious Execution Location Of Wermgr.EXE","Suspicious WindowsTerminal Child Processes","AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl","Remote PowerShell Session Host Process (WinRM)","Suspicious Processes Spawned by WinRM","Potential Lateral Movement via Windows Remote Shell","Compress Data and Lock With Password for Exfiltration With WINZIP","WMI Backdoor Exchange Transport Agent","WMI Persistence - Script Event Consumer","New ActiveScriptEventConsumer Created Via Wmic.EXE","Suspicious Process Created Via Wmic.EXE","Potential Tampering With Security Products Via WMIC","WmiPrvSE Spawned A Process","Suspicious WmiPrvSE Child Process","UEFI Persistence Via Wpbbin - 
ProcessCreation","Potential Dropper Script Execution Via WScript/CScript","Cscript/Wscript Potentially Suspicious Child Process","WSL Child Process Anomaly","WSL Kali-Linux Usage","Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths","Wusa.EXE Executed By Parent Process Located In Suspicious Location","COM Object Execution via Xwizard.EXE","Potential LSASS Clone Creation via PssCaptureSnapShot","Spoolsv Writing a DLL","Suspicious WAV file in Appdata Folder","Windows Alternate DataStream - Process Execution","Windows BitLockerToGo Process Execution","Windows DISM Install PowerShell Web Access","Windows Explorer.exe Spawning PowerShell or Cmd","Windows Explorer LNK Exploit Process Launch With Padding","Windows File and Directory Enable ReadOnly Permissions","Windows File and Directory Permissions Enable Inheritance","Windows File and Directory Permissions Remove Inheritance","Windows LOLBAS Executed Outside Expected Path","Windows Office Product Dropped Cab or Inf File","Windows Remote Host Computer Management Access","Windows Remote Management Execute Shell","Windows Sqlservr Spawning Shell","Windows Svchost.exe Parent Process Anomaly","Windows TinyCC Shellcode Execution","Windows Unusual SysWOW64 Process Run System32 Executable","Important Scheduled Task Deleted/Disabled","User Added to Local Administrator Group","Detect New Local Admin account","Windows DnsAdmins New Member Added","Remote Computer Account DnsHostName Update","Detect Computer Changed with Anonymous Account","Windows AD Domain Controller Promotion","Remote Task Creation via ATSVC Named Pipe","DCERPC SMB Spoolss Named Pipe","DCOM InternetExplorer.Application Iertutil DLL Hijack - Security","Impacket PsExec Execution","Possible Impacket SecretDump Remote Activity","First Time Seen Remote Named Pipe","Windows Network Access Suspicious desktop.ini Action","Possible PetitPotam Coerce Authentication Attempt","Protected Storage Service Access","SMB Create Remote File Admin Share","Suspicious 
PsExec Execution","Suspicious Access to Sensitive File Extensions","Remote Service Activity via SVCCTL Named Pipe","Transferring Files with Credential Data via Network Shares","T1047 Wmiprvse Wbemcomn DLL Hijack","Potential Machine Account Relay Attack via SMB","Suspicious Remote Registry Access via SeBackupPrivilege","Executable File Written in Administrative SMB Share","High Frequency Copy Of Files In Network Share","PetitPotam Network Share Access Request","Windows Administrative Shares Accessed On Multiple Hosts","7Zip Compressing Dump Files","Compress Data and Lock With Password for Exfiltration With 7-ZIP","Potential DLL Injection Via AccCheckConsole","Suspicious AddinUtil.EXE CommandLine Execution","Uncommon AddinUtil.EXE CommandLine Execution","AddinUtil.EXE Execution From Uncommon Directory","Potential Adplus.EXE Abuse","AgentExecutor PowerShell Execution","Suspicious AgentExecutor PowerShell Execution","Windows AMSI Related Registry Tampering Via CommandLine","Uncommon  Assistive Technology Applications Execution Via AtBroker.EXE","Hiding Files with Attrib.exe","Set Suspicious Files as System Files Using Attrib.EXE","Audit Policy Tampering Via Auditpol","Suspicious Autorun Registry Modified via WMI","Indirect Inline Command Execution Via Bash.EXE","Indirect Command Execution From Script File Via Bash.EXE","Boot Configuration Tampering Via Bcdedit.EXE","Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE","Data Export From MSSQL Table Via BCP.EXE","File Download Via Bitsadmin","Suspicious Download From Direct IP Via Bitsadmin","Suspicious Download From File-Sharing Website Via Bitsadmin","File With Suspicious Extension Downloaded Via Bitsadmin","File Download Via Bitsadmin To A Suspicious Target Folder","Monitoring For Persistence Via BITS","Tor Client/Browser Execution","Potential Binary Proxy Execution Via Cdb.EXE","New Root Certificate Installed Via CertMgr.EXE","File Download via CertOC.EXE","File Download From IP Based URL Via 
CertOC.EXE","DLL Loaded via CertOC.EXE","Suspicious DLL Loaded via CertOC.EXE","Suspicious CertReq Command to Download","New Root Certificate Installed Via Certutil.EXE","File Decoded From Base64/Hex Via Certutil.EXE","Suspicious Download Via Certutil.EXE","Suspicious File Downloaded From Direct IP Via Certutil.EXE","Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE","File Encoded To Base64 Via Certutil.EXE","Suspicious File Encoded To Base64 Via Certutil.EXE","File In Suspicious Location Encoded To Base64 Via Certutil.EXE","Certificate Exported Via Certutil.EXE","Potential NTLM Coercion Via Certutil.EXE","Console CodePage Lookup Via CHCP","Deleted Data Overwritten Via Cipher.EXE","Process Access via TrolleyExpress Exclusion","Data Copied To Clipboard Via Clip.EXE","Cloudflared Quick Tunnel Execution","Change Default File Association Via Assoc","Change Default File Association To Executable Via Assoc","Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE","File Deletion Via Del","Greedy File Deletion Using Del","File And SubFolder Enumeration Via Dir Command","Cmd Launched with Hidden Start Flags to Suspicious Targets","Potential Privilege Escalation Using Symlink Between Osk and Cmd","Suspicious File Execution From Internet Hosted WebDav Share","Potential CommandLine Path Traversal Via Cmd.EXE","Potentially Suspicious Ping/Copy Command Combination","Potentially Suspicious CMD Shell Output Redirect","Directory Removal Via Rmdir","Read Contents From Stdin Via Cmd.EXE","New Generic Credentials Added Via Cmdkey.EXE","Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE","Potential Arbitrary File Download Via Cmdl32.EXE","Arbitrary File Download Via ConfigSecurityPolicy.EXE","Powershell Executed From Headless ConHost Process","Conhost.exe CommandLine Path Traversal","Potentially Suspicious Child Processes Spawned by ConHost","Conhost Spawned By Uncommon Parent Process","Control Panel Items","New DMSA Service Account Created in Specific 
OUs","CreateDump Process Dump","Windows Credential Guard Registry Tampering Via CommandLine","Dynamic .NET Compilation Via Csc.EXE","Csc.EXE Execution Form Potentially Suspicious Parent","Suspicious Csi.exe Usage","Suspicious Use of CSharp Interactive Console","Active Directory Structure Export Via Csvde.EXE","Potential Cookies Session Hijacking","Curl Web Request With Potential Custom User-Agent","File Download From IP URL Via Curl.EXE","Suspicious File Download From IP Via Curl.EXE","Suspicious File Download From File Sharing Domain Via Curl.EXE","Insecure Transfer Via Curl.EXE","Insecure Proxy/DOH Transfer Via Curl.EXE","Local File Read Using Curl.EXE","Suspicious Curl.EXE Download","ManageEngine Endpoint Central Dctask64.EXE Potential Abuse","Windows Defender Context Menu Removed","Devcon Execution Disabling VMware VMCI Device","Potential DLL Sideloading Via DeviceEnroller.EXE","DirLister Execution","Diskshadow Script Mode - Uncommon Script Extension Execution","Diskshadow Script Mode - Execution From Potential Suspicious Location","PowerShell Web Access Feature Enabled Via DISM","Dism Remove Online Package","Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE","Binary Proxy Execution Via Dotnet-Trace.EXE","Process Memory Dump Via Dotnet-Dump","Potential Recon Activity Using DriverQuery.EXE","DriverQuery.EXE Execution","Potentially Over Permissive Permissions Granted Using Dsacls.EXE","Potential Password Spraying Attempt Using Dsacls.EXE","Domain Trust Discovery Via Dsquery","Potential Windows Defender AV Bypass Via Dump64.EXE Rename","DumpMinitool Execution","Suspicious DumpMinitool Execution","New Capture Session Launched Via DXCap.EXE","Copying Sensitive Files with Credential Data","Esentutl Steals Browser Information","Security Event Logging Disabled via MiniNt Registry Key - Process","Explorer NOUACCHECK Flag","Remote File Download Via Findstr.EXE","Findstr GPP Passwords","Findstr Launching .lnk File","LSASS Process Reconnaissance Via 
Findstr.EXE","Permission Misconfiguration Reconnaissance Via Findstr.EXE","Security Tools Keyword Lookup Via Findstr.EXE","Insensitive Subfolder Search Via Findstr.EXE","Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE","Finger.EXE Execution","Filter Driver Unloaded Via Fltmc.EXE","Sysmon Driver Unloaded Via Fltmc.EXE","Forfiles.EXE Child Process Masquerading","Forfiles Command Execution","Use of FSharp Interpreters","Fsutil Drive Enumeration","Potentially Suspicious NTFS Symlink Behavior Modification","Fsutil Suspicious Invocation","Potential Arbitrary Command Execution Via FTP.EXE","Suspicious Git Clone","Github Self-Hosted Runner Execution","File Decryption Using Gpg4win","File Encryption Using Gpg4win","Portable Gpg.EXE Execution","File Encryption/Decryption Via Gpg4win From Suspicious Locations","File Download Using Notepad++ GUP Utility","HH.EXE Execution","Remote CHM File Download/Execution Via HH.EXE","Suspicious HH.EXE Execution","HackTool - Bloodhound/Sharphound Execution","HackTool - Certify Execution","HackTool - Certipy Execution","Operator Bloopers Cobalt Strike Commands","Operator Bloopers Cobalt Strike Modules","CobaltStrike Load by Rundll32","Potential CobaltStrike Process Patterns","HackTool - CoercedPotato Execution","HackTool - CrackMapExec PowerShell Obfuscation","HackTool - CreateMiniDump Execution","HackTool - Doppelanger LSASS Dumper Execution","HackTool - Dumpert Process Dumper Execution","Hacktool - EDR-Freeze Execution","HackTool - EDRSilencer Execution","Hacktool Execution - Imphash","Hacktool Execution - PE Metadata","HackTool - GMER Rootkit Detector and Remover Execution","HackTool - HandleKatz LSASS Dumper Execution","HackTool - Potential Impacket Lateral Movement Activity","HackTool - Impersonate Execution","HackTool - Inveigh Execution","HackTool - Jlaive In-Memory Assembly Execution","HackTool - Koadic Execution","HackTool - KrbRelay Execution","HackTool - RemoteKrbRelay Execution","HackTool - KrbRelayUp 
Execution","HackTool - LocalPotato Execution","HackTool - PCHunter Execution","HackTool - PowerTool Execution","HackTool - PurpleSharp Execution","HackTool - Rubeus Execution","HackTool - SafetyKatz Execution","HackTool - SecurityXploded Execution","HackTool - PPID Spoofing SelectMyParent Tool Execution","HackTool - SharpChisel Execution","HackTool - SharpDPAPI Execution","HackTool - SharpImpersonation Execution","HackTool - SharpLDAPmonitor Execution","HackTool - SharPersist Execution","HackTool - SharpEvtMute Execution","HackTool - SharpLdapWhoami Execution","HackTool - SharpMove Tool Execution","HKTL - SharpSuccessor Privilege Escalation Tool Execution","HackTool - SharpUp PrivEsc Tool Execution","HackTool - SharpView Execution","HackTool - SILENTTRINITY Stager Execution","HackTool - Stracciatella Execution","HackTool - SysmonEOP Execution","HackTool - TruffleSnout Execution","HackTool - UACMe Akagi Execution","HackTool - Windows Credential Editor (WCE) Execution","HackTool - winPEAS Execution","HackTool - WSASS Execution","Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine","Use Icacls to Hide File to Everyone","File Download And Execution Via IEExec.EXE","Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location","Disable Windows IIS HTTP Logging","Microsoft IIS Service Account Password Dumped","IIS Native-Code Module Command Line Installation","Suspicious IIS URL GlobalRules Rewrite Via AppCmd","Microsoft IIS Connection Strings Decryption","IIS WebServer Log Deletion via CommandLine Utilities","C# IL Code Compilation Via Ilasm.EXE","Arbitrary File Download Via IMEWDBLD.EXE","File Download Via InstallUtil.EXE","Suspicious SysAidServer Child","JScript Compiler Execution","Windows Kernel Debugger Execution","Potentially Suspicious Child Process of KeyScrambler.exe","Computer Password Change Via Ksetup.EXE","Logged-On User Password Change Via Ksetup.EXE","Active Directory Structure Export Via 
Ldifde.EXE","Import LDAP Data Interchange Format File Via Ldifde.EXE","Rebuild Performance Counter Values Via Lodctr.EXE","Suspicious Windows Trace ETW Session Tamper Via Logman.EXE","LOLBAS Data Exfiltration by DataSvcUtil.exe","Suspicious Extrac32 Execution","Potential Reconnaissance Activity Via GatherNetworkInfo.VBS","Gpscript Execution","Ie4uinit Lolbin Use From Invalid Path","Potential Manage-bde.wsf Abuse To Proxy Execution","MpiExec Lolbin","Use of OpenConsole","Code Execution via Pcwutl.dll","Execute Code with Pester.bat as Parent","DLL Execution via Rasautou.exe","Use of Remote.exe","Use of Scriptrunner.exe","Using SettingSyncHost.exe as LOLBin","SyncAppvPublishingServer Execute Arbitrary PowerShell Code","Potential DLL Injection Or Execution Using Tracker.exe","Use of TTDInject.exe","Lolbin Unregmp2.exe Use As Proxy","Use of VisualUiaVerifyNative.exe","Use of VSIISExeLauncher.exe","Use of Wfc.exe","Potential Register_App.Vbs LOLScript Abuse","LSA PPL Protection Setting Modification via CommandLine","Windows Default Domain GPO Modification via GPME","MMC Executing Files with Reversed Extensions Using RTLO Abuse","CodePage Modification Via MODE.COM To Russian Language","Potential Suspicious Mofcomp Execution","File Download Via Windows Defender MpCmpRun.EXE","Windows Defender Definition Files Removed","Suspicious Msbuild Execution By Uncommon Parent Process","Potential Arbitrary Command Execution Using Msdt.EXE","Suspicious Cabinet File Execution Via Msdt.EXE","Suspicious MSDT Parent Process","Arbitrary File Download Via MSEDGE_PROXY.EXE","Remotely Hosted HTA File Executed Via Mshta.EXE","Suspicious JavaScript Execution Via Mshta.EXE","Suspicious MSHTA Child Process","MSHTA Execution with Suspicious File Extensions","Suspicious Mshta.EXE Execution Patterns","DllUnregisterServer Function Call Via Msiexec.EXE","Suspicious MsiExec Embedding Parent","Msiexec Quiet Installation","Suspicious Msiexec Quiet Install From Remote Location","Potential MsiExec 
Masquerading","Windows MSIX Package Support Framework AI_STUBS Execution","Arbitrary File Download Via MSOHTMED.EXE","Arbitrary File Download Via MSPUB.EXE","Potential Process Injection Via Msra.EXE","Detection of PowerShell Execution via Sqlps.exe","SQL Client Tools PowerShell Session Detection","Suspicious Child Process Of Veeam Dabatase","New Remote Desktop Connection Initiated Via Mstsc.EXE","Mstsc.EXE Execution With Local RDP File","Suspicious Mstsc.EXE Execution With Local RDP File","Mstsc.EXE Execution From Uncommon Parent","Suspicious Group And Account Reconnaissance Activity Using Net.EXE","Unmount Share Via Net.EXE","Start Windows Service Via Net.EXE","Stop Windows Service Via Net.EXE","Windows Admin Share Mount Via Net.EXE","Windows Internet Hosted WebDav Share Mount Via Net.EXE","Windows Share Mount Via Net.EXE","System Network Connections Discovery Via Net.EXE","Password Provided In Command Line Of Net.EXE","New User Created Via Net.EXE","New User Created Via Net.EXE With Never Expire Option","Suspicious Manipulation Of Default Accounts Via Net.EXE","Share And Session Enumeration Using Net.EXE","New Firewall Rule Added Via Netsh.EXE","Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE","RDP Connection Allowed Via Netsh.EXE","Firewall Rule Deleted Via Netsh.EXE","Firewall Disabled via Netsh.EXE","Netsh Allow Group Policy on Microsoft Defender Firewall","Firewall Configuration Discovery Via Netsh.EXE","Firewall Rule Update Via Netsh.EXE","Potential Persistence Via Netsh Helper DLL","New Network Trace Capture Started Via Netsh.EXE","New Port Forwarding Rule Added Via Netsh.EXE","RDP Port Forwarding Rule Added Via Netsh.EXE","Harvesting Of Wifi Credentials Via Netsh.EXE","Nltest.EXE Execution","Potential Recon Activity Via Nltest.EXE","Nslookup PowerShell Download Cradle - ProcessCreation","Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)","Driver/DLL Installation Via Odbcconf.EXE","Suspicious Driver/DLL Installation Via 
Odbcconf.EXE","Odbcconf.EXE Suspicious DLL Location","New DLL Registered Via Odbcconf.EXE","Potentially Suspicious DLL Registered Via Odbcconf.EXE","Response File Execution Via Odbcconf.EXE","Suspicious Response File Execution Via Odbcconf.EXE","Potential Arbitrary File Download Using Office Application","Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp","Potentially Suspicious Office Document Executed From Trusted Location","Suspicious Microsoft OneNote Child Process","Suspicious Microsoft Office Child Process","Potential Arbitrary DLL Load Using Winword","Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution","PDQ Deploy Remote Adminstartion Tool Execution","Perl Inline Command Execution","Php Inline Command Execution","PktMon.EXE Execution","Suspicious Plink Port Forwarding","Suspicious Powercfg Execution To Change Lock Screen Timeout","AADInternals PowerShell Cmdlets Execution - ProccessCreation","Potential Active Directory Enumeration Using AD Module - ProcCreation","Add Windows Capability Via PowerShell Cmdlet","Suspicious Encoded PowerShell Command Line","Suspicious PowerShell Encoded Command Patterns","Malicious Base64 Encoded PowerShell Keywords in Command Lines","PowerShell Base64 Encoded Invoke Keyword","PowerShell Base64 Encoded WMI Classes","ConvertTo-SecureString Cmdlet Usage Via CommandLine","Potential PowerShell Obfuscation Via Reversed Commands","Potential PowerShell Command Line Obfuscation","Obfuscated PowerShell MSI Install via WindowsInstaller COM","PowerShell MSI Install via WindowsInstaller COM From Remote Location","Computer Discovery And Export Via Get-ADComputer Cmdlet","PowerShell Execution With Potential Decryption Capabilities","Disable Windows Defender AV Security Monitoring","Windows Firewall Disabled via PowerShell","PowerShell Download Pattern","Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE","Potential Encoded PowerShell Patterns In CommandLine","Abuse of 
Service Permissions to Hide Services Via Set-Service","Unsigned AppX Installation Attempt Using Add-AppxPackage","Suspicious Invoke-WebRequest Execution With DirectIP","Suspicious Invoke-WebRequest Execution","Suspicious Kerberos Ticket Request via CLI","Non Interactive PowerShell Process Spawned","Potential Powershell ReverseShell Connection","Suspicious PowerShell Invocation From Script Engines","Suspicious Service DACL Modification Via Set-Service Cmdlet","PowerShell Script Change Permission Via Set-Acl","PowerShell Set-Acl On Windows Folder","Change PowerShell Policies to an Insecure Level","Service StartupType Change Via PowerShell Set-Service","Exchange PowerShell Snap-Ins Usage","Stop Windows Service Via PowerShell Stop-Service","Suspicious PowerShell Parent Process","Suspicious Uninstall of Windows Defender Feature via PowerShell","User Discovery And Export Via Get-ADUser Cmdlet","Net WebClient Casing Anomalies","Suspicious XOR Encoded PowerShell Command","Arbitrary File Download Via PresentationHost.EXE","XBAP Execution From Uncommon Locations Via PresentationHost.EXE","File Download Using ProtocolHandler.exe","PUA - 3Proxy Execution","PUA - AdFind.EXE Execution","PUA - Advanced IP Scanner Execution","PUA - Advanced Port Scanner Execution","PUA - AdvancedRun Execution","PUA - Crassus Execution","PUA - CsExec Execution","PUA - DefenderCheck Execution","PUA - Fast Reverse Proxy (FRP) Execution","PUA- IOX Tunneling Tool Execution","PUA - Kernel Driver Utility (KDU) Execution","PUA - Mouse Lock Execution","PUA - SoftPerfect Netscan Execution","PUA - Nimgrab Execution","PUA - NimScan Execution","PUA - NirCmd Execution","PUA - Nmap/Zenmap Execution","PUA - NPS Tunneling Tool Execution","PUA - NSudo Execution","PUA - PingCastle Execution","PUA - PingCastle Execution From Potentially Suspicious Parent","PUA - Process Hacker Execution","PUA - Radmin Viewer Utility Execution","PUA - Potential PE Metadata Tamper Using Rcedit","PUA - Rclone Execution","PUA - Seatbelt 
Execution","PUA - System Informer Execution","PUA - WebBrowserPassView Execution","PUA - Wsudo Suspicious Execution","Python One-Liners with Base64 Decoding","Python Inline Command Execution","Suspicious Greedy Compression Using Rar.EXE","RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class","Process Memory Dump via RdrLeakDiag.EXE","Windows Recovery Environment Disabled Via Reagentc","Add SafeBoot Keys Via Reg Utility","RunMRU Registry Key Deletion","SafeBoot Registry Key Deleted Via Reg.EXE","Service Registry Key Deleted Via Reg.EXE","Potentially Suspicious Desktop Background Change Using Reg.EXE","Direct Autorun Keys Modification","Disabling Windows Defender WMI Autologger Session via Reg.exe","Dumping of Sensitive Hives Via Reg.EXE","Windows Recall Feature Enabled Via Reg.EXE","Potential Suspicious Registry File Imported Via Reg.EXE","Modify Group Policy Settings","Potential Configuration And Service Reconnaissance Via Reg.EXE","Potential Tampering With RDP Related Registry Keys Via Reg.EXE","Reg Add Suspicious Paths","System Language Discovery via Reg.Exe","Suspicious Windows Defender Registry Key Tampering Via Reg.EXE","RegAsm.EXE Execution Without CommandLine Flags or Files","Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension","Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location","Exports Critical Registry Keys To a File","Exports Registry Key To a File","Imports Registry Key From a File","Imports Registry Key From an ADS","Suspicious Registry Modification From ADS Via Regini.EXE","Registry Modification Via Regini.EXE","Registry Export of Third-Party Credentials","Potentially Suspicious Regsvr32 HTTP IP Pattern","Potentially Suspicious Regsvr32 HTTP/FTP Pattern","Suspicious Regsvr32 Execution From Remote Share","Regsvr32 Execution From Potential Suspicious Location","Regsvr32 Execution From Highly Suspicious Location","Regsvr32 DLL Execution With Suspicious File Extension","Regsvr32 DLL Execution With 
Uncommon Extension","Remote Access Tool - AnyDesk Execution","Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate","Remote Access Tool - Anydesk Execution From Suspicious Folder","Remote Access Tool - GoToAssist Execution","Remote Access Tool - LogMeIn Execution","Remote Access Tool - NetSupport Execution","Remote Access Tool - NetSupport Execution From Unusual Location","Remote Access Tool - Renamed MeshAgent Execution - Windows","Remote Access Tool - RURAT Execution From Unusual Location","Remote Access Tool - ScreenConnect Execution","Remote Access Tool - ScreenConnect Remote Command Execution","Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution","Remote Access Tool - UltraViewer Execution","Renamed AdFind Execution","Renamed AutoHotkey.EXE Execution","Renamed AutoIt Execution","Potential Defense Evasion Via Binary Rename","Potential Defense Evasion Via Rename Of Highly Relevant Binaries","Renamed BOINC Client Execution","Renamed BrowserCore.EXE Execution","Renamed Cloudflared.EXE Execution","Renamed CreateDump Utility Execution","Renamed CURL.EXE Execution","Renamed ZOHO Dctask64 Execution","Renamed FTP.EXE Execution","Renamed Gpg.EXE Execution","Renamed Jusched.EXE Execution","Renamed Mavinject.EXE Execution","Renamed MegaSync Execution","Renamed Msdt.EXE Execution","Renamed Microsoft Teams Execution","Renamed NetSupport RAT Execution","Renamed NirCmd.EXE Execution","Renamed Office Binary Execution","Renamed PAExec Execution","Renamed PingCastle Binary Execution","Renamed Plink Execution","Visual Studio NodejsTools PressAnyKey Renamed Execution","Renamed Remote Utilities RAT (RURAT) Execution","Renamed Schtasks Execution","Renamed SysInternals DebugView Execution","Renamed ProcDump Execution","Renamed PsExec Service Execution","Renamed Sysinternals Sdelete Execution","Renamed Vmnat.exe Execution","Renamed Whoami Execution","Capture Credentials with Rpcping.exe","Ruby Inline Command Execution","Potential 
Rundll32 Execution With DLL Stored In ADS","Suspicious Advpack Call Via Rundll32.EXE","Rundll32 InstallScreenSaver Execution","Suspicious Key Manager Access","Suspicious NTLM Authentication on the Printer Spooler Service","Potential Obfuscated Ordinal Call Via Rundll32","Rundll32 Spawned Via Explorer.EXE","Process Memory Dump Via Comsvcs.DLL","Rundll32 Registered COM Objects","Suspicious Rundll32 Setupapi.dll Activity","Shell32 DLL Execution in Suspicious Directory","Potential ShellDispatch.DLL Functionality Abuse","RunDLL32 Spawning Explorer","Potentially Suspicious Rundll32 Activity","Suspicious Control Panel DLL Load","Suspicious Rundll32 Execution With Image Extension","Suspicious ShellExec_RunDLL Call Via Ordinal","Potentially Suspicious Rundll32.EXE Execution of UDL File","Rundll32 UNC Path Execution","Rundll32 Execution With Uncommon DLL Extension","Suspicious Workstation Locking via Rundll32","WebDav Client Execution Via Rundll32.EXE","Suspicious WebDav Client Execution Via Rundll32.EXE","Run Once Task Execution as Configured in Registry","Service StartupType Change Via Sc.EXE","Interesting Service Enumeration Via Sc.EXE","Allow Service Access Using Security Descriptor Tampering Via Sc.EXE","Deny Service Access Using Security Descriptor Tampering Via Sc.EXE","Service DACL Abuse To Hide Services Via Sc.EXE","Service Security Descriptor Tampering Via Sc.EXE","Stop Windows Service Via Sc.EXE","Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE","Schtasks From Suspicious Folders","Uncommon One Time Only Scheduled Task At 00:00","Potential SSH Tunnel Persistence Install Using A Scheduled Task","Potential Persistence Via Microsoft Compatibility Appraiser","Potential Persistence Via Powershell Search Order Hijacking - Task","Scheduled Task Executing Payload from Registry","Scheduled Task Executing Encoded Payload from Registry","Suspicious Schtasks Schedule Types","Suspicious Schtasks Schedule Type With High 
Privileges","Suspicious Scheduled Task Creation via Masqueraded XML File","Scheduled Task Creation Masquerading as System Processes","Potential Shim Database Persistence via Sdbinst.EXE","Uncommon Extension Shim Database Installation Via Sdbinst.EXE","Potential Suspicious Activity Using SeCEdit","NodeJS Execution of JavaScript File","Potential SPN Enumeration Via Setspn.EXE","Setup16.EXE Execution With Custom .Lst File","Suspicious Spool Service Child Process","SQLite Chromium Profile Data DB Access","SQLite Firefox Profile Data DB Access","Program Executed Using Proxy/Local Command Via SSH.EXE","Abused Debug Privilege by Arbitrary Parent Processes","Always Install Elevated Windows Installer","Automated Collection Command Prompt","Bad Opsec Defaults Sacrificial Processes With Improper Arguments","Suspicious Child Process Created as System","Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image","Suspicious Usage of For Loop with Recursive Directory Search in CMD","Potential Browser Data Stealing","Copy From Or To Admin Share Or Sysvol Folder","Suspicious Copy From or To System Directory","LOL-Binary Copied From System Directory","Suspicious Parent Double Extension File Execution","Always Install Elevated MSI Spawned Cmd And Powershell","Potentially Suspicious Electron Application CommandLine","Elevated System Shell Spawned From Uncommon Parent Location","Suspicious Eventlog Clearing or Configuration Change Activity","Potentially Suspicious EventLog Recon Activity Using Log Query Utilities","Suspicious File Characteristics Due to Missing Fields","Potentially Suspicious Inline JavaScript Execution via NodeJS Binary","Suspicious LNK Command-Line Padding with Whitespace Characters","Local Accounts Discovery","LOLBIN Execution From Abnormal Drive","Use Short Name Path in Image","Potential PowerShell Execution Via DLL","Privilege Escalation via Named Pipe Impersonation","Private Keys Reconnaissance Via CommandLine Tools","Recon Information for 
Export with Command Prompt","Registry Modification of MS-settings Protocol Handler","Script Interpreter Execution From Suspicious Folder","Suspicious Windows Service Tampering","Shadow Copies Creation Using Operating Systems Utilities","Shadow Copies Deletion Using Operating Systems Utilities","Windows Shell/Scripting Processes Spawning Suspicious Programs","Suspicious SYSTEM User Process Creation","Malicious Windows Script Components File Execution by TAEF Detection","Suspicious Userinit Child Process","Suspicious Process Masquerading As SvcHost.EXE","Terminal Service Process Spawn","Permission Check Via Accesschk.EXE","Active Directory Database Snapshot Via ADExplorer","Suspicious Active Directory Database Snapshot Via ADExplorer","Potential Memory Dumping Activity Via LiveKD","Kernel Memory Dump Via LiveKD","Psexec Execution","PsExec Service Execution","Suspicious Use of PsLogList","Sysinternals PsService Execution","Sysinternals PsSuspend Execution","Sysinternals PsSuspend Suspicious Execution","Potential File Overwrite Via Sysinternals SDelete","Sysmon Configuration Update","Uninstall Sysinternals Sysmon","Potential Binary Impersonating Sysinternals Tools","Suspicious Execution of Systeminfo","Potential Signing Bypass Via Windows Developer Features","Compressed File Creation Via Tar.EXE","Compressed File Extraction Via Tar.EXE","Loaded Module Enumeration Via Tasklist.EXE","New Virtual Smart Card Created Via TpmVscMgr.EXE","Potential RDP Session Hijacking Activity","UAC Bypass Using Disk Cleanup","Bypass UAC via CMSTP","CMSTP UAC Bypass via COM Object Access","UAC Bypass via Windows Firewall Snap-In Hijack","UAC Bypass via ICMLuaUtil","UAC Bypass Using IDiagnostic Profile","UAC Bypass Using NTFS Reparse Point - Process","UAC Bypass Abusing Winsat Path Parsing - Process","UAC Bypass Using Windows Media Player - Process","Bypass UAC via WSReset.exe","Use of UltraVNC Remote Access Software","User Shell Folders Registry Modification via CommandLine","Windows 
Credential Manager Access via VaultCmd","Verclsid.exe Runs COM Object","Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script","Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script","VMToolsd Suspicious Child Process","Visual Studio Code Tunnel Execution","Visual Studio Code Tunnel Shell Execution","Renamed Visual Studio Code Tunnel Execution","Potential Binary Proxy Execution Via VSDiagnostics.EXE","Proxy Execution via Vshadow","Vulnerable Driver Blocklist Registry Tampering Via CommandLine","Use of W32tm as Timer","All Backups Deleted Via Wbadmin.EXE","Windows Backup Deleted Via Wbadmin.EXE","Sensitive File Dump Via Wbadmin.EXE","File Recovery From Backup Via Wbadmin.EXE","Sensitive File Recovery From Backup Via Wbadmin.EXE","Webshell Detection With Command Line Keywords","Suspicious Process By Web Server Process","Potential Credential Dumping Via WER","Potential ReflectDebugger Content Execution Via WerFault.EXE","PPL Tampering Via WerFaultSecure","Suspicious File Download From IP Via Wget.EXE","Suspicious File Download From File Sharing Domain Via Wget.EXE","Suspicious File Download From IP Via Wget.EXE - Paths","Suspicious Where Execution","Enumerate All Information With Whoami.EXE","Whoami.EXE Execution From Privileged Process","Group Membership Reconnaissance Via Whoami.EXE","Whoami.EXE Execution With Output Option","Whoami.EXE Execution Anomaly","Security Privileges Enumeration Via Whoami.EXE","Add New Download Source To Winget","Add Insecure Download Source To Winget","Add Potential Suspicious New Download Source To Winget","Install New Package Via Winget Local Manifest","Winrar Compressing Dump Files","Potentially Suspicious Child Process Of WinRAR.EXE","WinRAR Execution in Non-Standard Folder","Remote Code Execute via Winrm.vbs","Winrs Local Command Execution","Wlrmdr.EXE Uncommon Argument Or Child Process","Password Set to Never Expire via WMI","Potential Windows Defender Tampering Via Wmic.EXE","New Process Created Via 
Wmic.EXE","Computer System Reconnaissance Via Wmic.EXE","Hardware Model Reconnaissance Via Wmic.EXE","Local Groups Reconnaissance Via Wmic.EXE","Windows Hotfix Updates Reconnaissance Via Wmic.EXE","Process Reconnaissance Via Wmic.EXE","Potential Product Reconnaissance Via Wmic.EXE","Potential Product Class Reconnaissance Via Wmic.EXE","Service Reconnaissance Via Wmic.EXE","Uncommon System Information Discovery Via Wmic.EXE","Potential Unquoted Service Path Reconnaissance Via Wmic.EXE","System Disk And Volume Reconnaissance Via Wmic.EXE","WMIC Remote Command Execution","Service Started/Stopped Via Wmic.EXE","Potential Remote SquiblyTwo Technique Execution","Registry Manipulation via WMI Stdregprov","Suspicious WMIC Execution Via Office Process","Application Terminated Via Wmic.EXE","Application Removed Via Wmic.EXE","XSL Script Execution Via WMIC.EXE","Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell","Cscript/Wscript Uncommon Script Extension Execution","Installation of WSL Kali-Linux","Windows Binary Executed From WSL","Proxy Execution Via Wuauclt.EXE","Suspicious Windows Update Agent Empty Cmdline","Xwizard.EXE Execution From Non-Default Location","Suspicious Process Creation CallTrace","Detect Outlook exe writing a zip file","Detect Remote Access Software Usage FileInfo","DLLHost with no Command Line Arguments with Network","Excessive Usage Of SC Service Utility","GPUpdate with no Command Line Arguments with Network","MacOS - Re-opened Applications","Malicious PowerShell Process With Obfuscation Techniques","MS Exchange Mailbox Replication service writing Active Server Pages","Outbound Network Connection from Java Using Default Ports","Process Deleting Its Process File Path","Rundll32 with no Command Line Arguments with Network","SearchProtocolHost with no Command Line with Network","Suspicious Image Creation In Appdata Folder","Suspicious writes to windows Recycle Bin","Unknown Process Using The Kerberos Protocol","Web or Application Server Spawning a 
Shell","Web Servers Executing Suspicious Processes","Windows Account Access Removal via Logoff Exec","Windows Browser Process Launched with Unusual Flags","Windows ComputerDefaults Spawning a Process","Windows Credential Target Information Structure in Commandline","Windows Defacement Modify Transcodedwallpaper File","Windows Default RDP File Creation By Non MSTSC Process","Windows Default Rdp File Unhidden","Windows Deleted Registry By A Non Critical Process File Path","Windows Disable or Stop Browser Process","Windows Modify Registry Qakbot Binary Data Registry","Windows Office Product Dropped Uncommon File","Windows Phishing Outlook Drop Dll In FORM Dir","Windows Privilege Escalation Suspicious Process Elevation","Windows Privilege Escalation System Process Without System Parent","Windows Privilege Escalation User Process Spawn System Process","Windows Process Executed From Removable Media","Windows RDP Client Launched with Admin Session","Windows Renamed Powershell Execution","Windows Rundll32 Load DLL in Temp Dir","Windows Rundll32 WebDav With Network Connection","Windows UAC Bypass Suspicious Escalation Behavior","Windows Vulnerable 3CX Software","Windows WinLogon with Public Network Connection","Windows WMIC Shadowcopy Delete","CMSTP Execution Process Access","HackTool - CobaltStrike BOF Injection Pattern","HackTool - Generic Process Access","HackTool - HandleKatz Duplicating LSASS Handle","HackTool - LittleCorporal Generated Maldoc Injection","HackTool - SysmonEnte Execution","Lsass Memory Dump via Comsvcs DLL","LSASS Memory Access by Tool With Dump Keyword In Name","Potential Credential Dumping Activity Via LSASS","Credential Dumping Activity By Python Based Tool","Remote LSASS Process Access Through Windows Remote Management","Suspicious LSASS Access Via MalSecLogon","Potentially Suspicious GrantedAccess Flags On LSASS","Credential Dumping Attempt Via WerFault","LSASS Access From Potentially White-Listed Processes","Uncommon Process Access Rights For 
Target Image","Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs","Potential Direct Syscall of NtOpenProcess","Credential Dumping Attempt Via Svchost","Suspicious Svchost Process Access","Function Call From Undocumented COM Interface EditionUpgradeManager","UAC Bypass Using WOW64 Logger DLL Hijack","Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze","Suspicious LSASS Access via MalSecLogon","Potential Credential Access via DuplicateHandle in LSASS","Suspicious Lsass Process Access","Potential Credential Access via LSASS Memory Dump","Potential LSASS Memory Dump via PssCaptureSnapShot","Suspicious Process Access via Direct System Call","Access LSASS Memory for Dump Creation","Detect Credential Dumping through LSASS access","Rubeus Kerberos Ticket Exports Through Winlogon Access","Spoolsv Suspicious Process Access","Windows Access Token Manipulation Winlogon Duplicate Token Handle","Windows Access Token Winlogon Duplicate Handle In Uncommon Path","Windows Handle Duplication in Known UAC-Bypass Binaries","Windows Hunting System Account Targeting Lsass","Windows Non-System Account Targeting Lsass","Windows Possible Credential Dumping","Windows Process Injection into Commonly Abused Processes","Windows Process Injection into Notepad","Windows Terminating Lsass Process","Windows WMI Impersonate Token","ADFS Database Named Pipe Connection By Uncommon Tool","CobaltStrike Named Pipe","CobaltStrike Named Pipe Pattern Regex","CobaltStrike Named Pipe Patterns","HackTool - CoercedPotato Named Pipe Creation","HackTool - DiagTrackEoP Default Named Pipe","HackTool - EfsPotato Named Pipe Creation","HackTool - Credential Dumping Tools Named Pipe Created","HackTool - Koh Default Named Pipe","Alternate PowerShell Hosts Pipe","New PowerShell Instance Created","PUA - CSExec Default Named Pipe","PUA - PAExec Default Named Pipe","PUA - RemCom Default Named Pipe","WMI Event Consumer Created Named Pipe","Malicious Named Pipe Created","PsExec Tool Execution From 
Suspicious Locations - PipeName","Privilege Escalation via Rogue Named Pipe Impersonation","Trickbot Named Pipe","Windows Anonymous Pipe Activity","Windows App Layer Protocol Qakbot NamedPipe","Windows App Layer Protocol Wermgr Connect To NamedPipe","Windows Application Layer Protocol RMS Radmin Tool Namedpipe","Windows PUA Named Pipe","Windows RMM Named Pipe","Windows Suspicious C2 Named Pipe","Windows Suspicious Named Pipe","Suspicious Remote Logon with Explicit Credentials","Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials","Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials","Azure AD Health Monitoring Agent Registry Keys Access","Azure AD Health Service Agents Registry Keys Access","Processes Accessing the Microphone and Webcam","LSASS Access From Non System Account","WCE wceaux.dll Access","SAM Registry Hive Handle Request","SCM Database Handle Failure","Potential Secure Deletion with SDelete","Password Dumper Activity on LSASS","Potentially Suspicious AccessMask Requested From LSASS","SysKey Registry Keys Access","Windows Defender Exclusion Registry Key - Write Access Requested","LSASS Memory Dump Handle Access","ISO Image Mounted","Service Registry Key Read Access Request","File Access Of Signal Desktop Sensitive Data","Sysmon Channel Reference Deletion","Suspicious Teams Application Related ObjectAcess Event","ConnectWise ScreenConnect Path Traversal Windows SACL","Non Chrome Process Accessing Chrome Default Dir","Non Firefox Process Access Firefox Profile Dir","SAM Database File Access Attempt","Windows Credential Access From Browser Password Store","Windows Credentials from Password Stores Chrome Extension Access","Windows Credentials from Password Stores Chrome LocalState Access","Windows Credentials from Password Stores Chrome Login Data Access","Windows Hosts File Access","Windows Increase in Group or Object Modification Activity","Windows Non Discord App Access Discord LevelDB","Windows Product Key Registry 
Query","Windows Query Registry Browser List Application","Windows Query Registry UnInstall Program List","Windows Unsecured Outlook Credentials Access In Registry","Windows Unusual FileZilla XML Config Access","Windows Unusual Intelliform Storage Registry Access","Add or Remove Computer from DC","Windows Computer Account Created by Computer Account","Windows Computer Account With SPN","Potential AS-REP Roasting via Kerberos TGT Requests","PetitPotam Suspicious Kerberos TGT Request","Kerberos Manipulation","Kerberos TGT Request Using RC4 Encryption","Kerberos User Enumeration","Windows Computer Account Requesting Kerberos Ticket","Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos","Windows Multiple Invalid Users Fail To Authenticate Using Kerberos","Windows Steal Authentication Certificates - ESC1 Authentication","Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos","Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos","Kerberoasting Activity - Initial Query","Suspicious Kerberos RC4 Ticket Encryption","Kerberoasting spn request with RC4 encryption","Kerberos Service Ticket Request Using RC4 Encryption","Suspicious Kerberos Service Ticket Request","Unusual Number of Computer Service Tickets Requested","Unusual Number of Kerberos Service Tickets Requested","Windows Large Number of Computer Service Tickets Requested","Windows Multiple Users Failed To Authenticate Using Kerberos","Windows Unusual Count Of Users Failed To Auth Using Kerberos","Windows Multiple Invalid Users Failed To Authenticate Using NTLM","Windows Multiple Users Failed To Authenticate From Host Using NTLM","Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM","Windows Unusual Count Of Users Failed To Authenticate Using NTLM","Access To ADMIN$ Network Share","Network Share Discovery Via Dir Command","WMI Event Subscription","Suspicious Encoded Scripts in a WMI Consumer","Suspicious Scripting in a WMI Consumer","WMI Permanent Event 
Subscription - Sysmon","CobaltStrike Service Installations - System","smbexec.py Service Installation","Invoke-Obfuscation CLIP+ Launcher - System","Invoke-Obfuscation Obfuscated IEX Invocation - System","Invoke-Obfuscation STDIN+ Launcher - System","Invoke-Obfuscation VAR+ Launcher - System","Invoke-Obfuscation COMPRESS OBFUSCATION - System","Invoke-Obfuscation RUNDLL LAUNCHER - System","Invoke-Obfuscation Via Stdin - System","Invoke-Obfuscation Via Use Clip - System","Invoke-Obfuscation Via Use MSHTA - System","Invoke-Obfuscation Via Use Rundll32 - System","Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System","KrbRelayUp Service Installation","Credential Dumping Tools Service Execution - System","Meterpreter or Cobalt Strike Getsystem Service Installation - System","Moriya Rootkit - System","PowerShell Scripts Installed as Services","Anydesk Remote Access Software Service Installation","CSExec Service Installation","HackTool Service Registration or Execution","Mesh Agent Service Installation","NetSupport Manager Service Install","PAExec Service Installation","New PDQDeploy Service - Server Side","New PDQDeploy Service - Client Side","ProcessHacker Privilege Elevation","RemCom Service Installation","Remote Access Tool Services Have Been Installed - System","Remote Utilities Host Service Install","Sliver C2 Default Service Installation","Service Installed By Unusual Client - System","Suspicious Service Installation","PsExec Service Installation","TacticalRMM Service Installation","Tap Driver Installation","Uncommon Service Installation Image Path","RTCore Suspicious Service Installation","Service Installation in Suspicious Folder","Service Installation with Suspicious Folder Pattern","Suspicious Service Installation Script","Suspicious Service was Installed in the System","Clop Ransomware Known Service Name","Malicious Powershell Executed As A Service","Randomly Generated Windows Service Name","Windows Bluetooth Service Installed From Uncommon Location","Windows 
Driver Load Non-Standard Path","Windows KrbRelayUp Service Creation","Windows Service Create RemComSvc","Windows Service Create SliverC2","Windows Service Created with Suspicious Service Name","Windows Service Created with Suspicious Service Path","Windows Snake Malware Service Create","Windows Vulnerable Driver Installed","Windows Special Privileged Logon On Multiple Hosts","SCM Database Privileged Operation","Suspicious SeIncreaseBasePriorityPrivilege Use","Enabled User Right in AD to Control User Objects","Sensitive Privilege SeEnableDelegationPrivilege assigned to a User","Windows Privileged Group Modification","Potential Defense Evasion Via Raw Disk Access By Uncommon Tools","Windows Raw Access To Disk Volume Partition","Windows Raw Access To Master Boot Record Drive","Hidden Executable In NTFS Alternate Data Stream","Creation Of a Suspicious ADS File Outside a Browser Download","Suspicious File Download From File Sharing Websites -  File Stream","Unusual File Download From File Sharing Websites - File Stream","HackTool Named File Stream Created","Exports Registry Key To an Alternate Data Stream","Unusual File Download from Direct IP Address","Potential Suspicious Winget Package Installation","Potentially Suspicious File Download From ZIP TLD","Download Files Using Telegram","Windows Alternate DataStream - Base64 Content","Windows Alternate DataStream - Executable Content","Potential Malicious AppX Package Installation Attempts","Windows AppX Deployment Full Trust Package Installation","Eventlog Cleared","Important Windows Eventlog Cleared","CobaltStrike Service Installations - Security","HybridConnectionManager Service Installation","Invoke-Obfuscation CLIP+ Launcher - Security","Invoke-Obfuscation Obfuscated IEX Invocation - Security","Invoke-Obfuscation STDIN+ Launcher - Security","Invoke-Obfuscation VAR+ Launcher - Security","Invoke-Obfuscation COMPRESS OBFUSCATION - Security","Invoke-Obfuscation RUNDLL LAUNCHER - Security","Invoke-Obfuscation Via Stdin - 
Security","Invoke-Obfuscation Via Use Clip - Security","Invoke-Obfuscation Via Use MSHTA - Security","Invoke-Obfuscation Via Use Rundll32 - Security","Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security","Credential Dumping Tools Service Execution - Security","Metasploit Or Impacket Service Installation Via SMB PsExec","Meterpreter or Cobalt Strike Getsystem Service Installation - Security","Windows Pcap Drivers","PowerShell Scripts Installed as Services - Security","Remote Access Tool Services Have Been Installed - Security","Service Installed By Unusual Client - Security","Tap Driver Installation - Security","Windows Service Installed via an Unusual Client","SeDebugPrivilege Enabled by a Suspicious Process","Windows Access Token Manipulation SeDebugPrivilege","Hidden Local User Creation","Suspicious Windows ANONYMOUS LOGON Local Account Created","Local User Creation","Short Lived Windows Accounts","Windows Create Local Account","A Security-Enabled Global Group Was Deleted","Windows ESX Admins Group Creation Security Event","Windows Filtering Platform Blocked Connection From EDR Agent Binary","Potential Evasion via Windows Filtering Platform","Network Connection Initiated By AddinUtil.EXE","Uncommon Connection to Active Directory Web Services","Uncommon Network Connection Initiated By Certutil.EXE","Outbound Network Connection Initiated By Cmstp.EXE","Outbound Network Connection Initiated By Microsoft Dialer","Network Connection Initiated To AzureWebsites.NET By Non-Browser Process","Network Connection Initiated To BTunnels Domains","Network Connection Initiated To Cloudflared Tunnels Domains","Network Communication With Crypto Mining Pool","New Connection Initiated To Potential Dead Drop Resolver Domain","Network Connection Initiated To DevTunnels Domain","Suspicious Dropbox API Usage","Suspicious Network Connection to IP Lookup Service APIs","Suspicious Non-Browser Network Communication With Google API","Communication To LocaltoNet Tunneling Service 
Initiated","Network Connection Initiated To Mega.nz","Process Initiated Network Connection To Ngrok Domain","Communication To Ngrok Tunneling Service Initiated","Potentially Suspicious Network Connection To Notion API","Network Communication Initiated To Portmap.IO Domain","Suspicious Non-Browser Network Communication With Telegram API","Network Connection Initiated To Visual Studio Code Tunnels Domain","Network Connection Initiated By Eqnedt32.EXE","Network Connection Initiated via Finger.EXE","Network Connection Initiated By IMEWDBLD.EXE","Network Connection Initiated Via Notepad.EXE","Office Application Initiated Network Connection To Non-Local IP","Office Application Initiated Network Connection Over Uncommon Ports","Python Initiated Connection","Outbound RDP Connections Over Non-Standard Tools","RDP Over Reverse SSH Tunnel","RDP to HTTP or HTTPS Target Ports","RegAsm.EXE Initiating Network Connection To Public IP","Network Connection Initiated By Regsvr32.EXE","Remote Access Tool - AnyDesk Incoming Connection","Rundll32 Internet Connection","Silenttrinity Stager Msbuild Activity","Suspicious Network Connection Binary No CommandLine","Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder","Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location","Potentially Suspicious Malware Callback Communication","Communication To Uncommon Destination Ports","Uncommon Outbound Kerberos Connection","Microsoft Sync Center Suspicious Network Connections","Suspicious Outbound SMTP Connections","Potential Remote PowerShell Session Initiated","Outbound Network Connection To Public IP Via Winlogon","Suspicious Wordpad Outbound Connections","Local Network Connection Initiated By Script Interpreter","Outbound Network Connection Initiated By Script Interpreter","Potentially Suspicious Wuauclt Network Connection","Detect Regasm with Network Connection","Detect Regsvcs with Network Connection","LOLBAS 
With Network Traffic","Network Traffic to Active Directory Web Services Protocol","Windows Detect Network Scanner Behavior","Windows File Transfer Protocol In Non-Common Process Path","Windows Mail Protocol In Non-Common Process Path","Windows Suspect Process With Authentication Traffic","Windows Remote Desktop Network Bruteforce Attempt","ADSI-Cache File Creation By Uncommon Tool","Advanced IP Scanner - File Event","Anydesk Temporary Artefact","Suspicious Binary Writes Via AnyDesk","Suspicious File Created by ArcSOC.exe","Assembly DLL Creation Via AspNetCompiler","BloodHound Collection Files","Potentially Suspicious File Creation by OpenEDR's ITSMService","EVTX Created In Uncommon Location","Creation Of Non-Existent System DLL","Suspicious Deno File Written from Remote Source","New Custom Shim Database Created","Suspicious Screensaver Binary File Creation","Files With System DLL Name In Unsuspected Locations","Files With System Process Name In Unsuspected Locations","Creation Exe for Service with Unquoted Path","Cred Dump Tools Dropped Files","WScript or CScript Dropper - File","CSExec Service File Creation","Dynamic CSharp Compile Artefact","Potential DCOM InternetExplorer.Application DLL Hijack","Desktop.INI Created by Uncommon Process","DLL Search Order Hijackig Via Additional Space in Path","Potentially Suspicious DMP/HDMP File Creation","Potential Persistence Attempt Via ErrorHandler.Cmd","Suspicious ASPX File Drop by Exchange","Suspicious File Drop by Exchange","GoToAssist Temporary Installation Artefact","Uncommon File Created by Notepad++ Updater Gup.EXE","HackTool - CrackMapExec File Indicators","HackTool - Dumpert Process Dumper Default File","HackTool - Typical HiveNightmare SAM File Export","HackTool - Inveigh Execution Artefacts","HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators","HackTool - Mimikatz Kirbi File Creation","HackTool - NetExec File Indicators","HackTool - NPPSpy Hacktool Usage","HackTool - Powerup Write Hijack 
DLL","HackTool - QuarksPwDump Dump File","HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump","HackTool - SafetyKatz Dump Indicator","HackTool - Impacket File Indicators","Potential Initial Access via DLL Search Order Hijacking","Installation of TeamViewer Desktop","Malicious DLL File Dropped in the Teams or OneDrive Folder","ISO File Created Within Temp Folders","ISO or Image Mount Indicator in Recent Files","GatherNetworkInfo.VBS Reconnaissance Script Output","LSASS Process Memory Dump Files","LSASS Process Dump Artefact In CrashDumps Folder","WerFault LSASS Process Memory Dump","Adwind RAT / JRAT File Artifact","Octopus Scanner Malware","File Creation In Suspicious Directory By Msdt.EXE","Uncommon File Creation By Mysql Daemon Process","Suspicious DotNET CLR Usage Log Artifact","Suspicious File Creation In Uncommon AppData Folder","SCR File Write Event","Potential Persistence Via Notepad++ Plugins","NTDS.DIT Created","NTDS.DIT Creation By Uncommon Parent Process","NTDS.DIT Creation By Uncommon Process","NTDS Exfiltration Filename Patterns","Potential Persistence Via Microsoft Office Add-In","Office Macro File Creation","Office Macro File Download","Office Macro File Creation From Suspicious Process","OneNote Attachment File Dropped In Suspicious Location","Suspicious File Created Via OneNote Application","New Outlook Macro Created","Potential Persistence Via Outlook Form","Suspicious File Created in Outlook Temporary Directory","Suspicious Outlook Macro Created","Publisher Attachment File Dropped In Suspicious Location","Potential Persistence Via Microsoft Office Startup Folder","File With Uncommon Extension Created By An Office Application","Uncommon File Created In Office Startup Folder","PCRE.NET Package Temp Files","Suspicious File Created In PerfLogs","Potential Binary Or Script Dropper Via PowerShell","PowerShell Script Dropped Via PowerShell.EXE","Malicious PowerShell Scripts - FileCreation","PowerShell Module 
File Created","Potential Suspicious PowerShell Module File Created","PowerShell Module File Created By Non-PowerShell Process","Potential Startup Shortcut Persistence Via PowerShell.EXE","PSScriptPolicyTest Creation By Uncommon Process","Rclone Config File Creation",".RDP File Created By Uncommon Application","Potential Winnti Dropper Activity","PDF File Created By RegEdit.EXE","RemCom Service File Creation","ScreenConnect Temporary Installation Artefact","Remote Access Tool - ScreenConnect Temporary File","Potential RipZip Attack on Startup Folder","Potential SAM Database Dump","Self Extraction Directive File Created In Potentially Suspicious Location","Windows Shell/Scripting Application File Write to Suspicious Folder","Windows Binaries Write Suspicious Extensions","Startup Folder File Write","Suspicious Creation with Colorcpl","Created Files by Microsoft Sync Center","Suspicious Files in Default GPO Folder","Suspicious Creation TXT File in User Desktop","Suspicious Desktopimgdownldr Target File","Creation of a Diagcab","Suspicious Double Extension Files","DPAPI Backup Keys And Certificate Export Activity IOC","Suspicious MSExchangeMailboxReplication ASPX Write","Suspicious Executable File Creation","Suspicious File Write to Webapps Root Directory","Suspicious File Write to SharePoint Layouts Directory","Suspicious Get-Variable.exe Creation","Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream","Potential Homoglyph Attack Using Lookalike Characters in Filename","Legitimate Application Dropped Archive","Legitimate Application Dropped Executable","Legitimate Application Writing Files In Uncommon Location","Legitimate Application Dropped Script","Suspicious LNK Double Extension File Created","PowerShell Profile Modification","Suspicious PROCEXP152.sys File Created In TMP","Suspicious Binaries and Scripts in Public Folder","Suspicious File Creation Activity From Fake Recycle.Bin Folder","Potential File Extension Spoofing Using Right-to-Left 
Override","Drop Binaries Into Spool Drivers Color Folder","Suspicious Startup Folder Persistence","Suspicious Interactive PowerShell as SYSTEM","Suspicious Scheduled Task Write to System32 Tasks","TeamViewer Remote Session","VsCode Powershell Profile Modification","Potentially Suspicious WDAC Policy File Creation","Windows Terminal Profile Settings Modification By Uncommon Process","WinSxS Executable File Creation By Non-System Process","ADExplorer Writing Complete AD Snapshot Into .dat File","LiveKD Kernel Memory Dump File Created","LiveKD Driver Creation","LiveKD Driver Creation By Uncommon Process","Process Explorer Driver Creation By Non-Sysinternals Binary","Process Monitor Driver Creation By Non-Sysinternals Binary","PsExec Service File Creation","PSEXEC Remote Execution File Artefact","Potential Privilege Escalation Attempt Via .Exe.Local Technique","LSASS Process Memory Dump Creation Via Taskmgr.EXE","Hijack Legit RDP Session to Move Laterally","UAC Bypass Using Consent and Comctl32 - File","UAC Bypass Using .NET Code Profiler on MMC","UAC Bypass Using EventVwr","UAC Bypass Using IDiagnostic Profile - File","UAC Bypass Using IEInstal - File","UAC Bypass Using MSConfig Token Modification - File","UAC Bypass Using NTFS Reparse Point - File","UAC Bypass Abusing Winsat Path Parsing - File","UAC Bypass Using Windows Media Player - File","VHD Image Download Via Browser","Visual Studio Code Tunnel Remote File Creation","Renamed VsCode Code Tunnel Execution - File Indicator","Potential Webshell Creation On Static Website","Creation of WerFault.exe/Wer.dll in Unusual Folder","WinRAR Creating Files in Startup Locations","AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File","WMI Persistence - Script Event Consumer File Write","Wmiexec Default Output File","Wmiprvse Wbemcomn DLL Hijack - File","UEFI Persistence Via Wpbbin - FileCreation","Writing Local Admin Share","Email files written outside of the Outlook directory","Batch File Write to 
System32","Common Ransomware Extensions","Common Ransomware Notes","ConnectWise ScreenConnect Path Traversal","Creation of lsass Dump with Taskmgr","Detect AzureHound File Modifications","Detect Certipy File Modifications","Detect Exchange Web Shell","Detect Remote Access Software Usage File","Detect RTLO In File Name","Detect SharpHound File Modifications","Drop IcedID License dat","Executables Or Script Creation In Suspicious Path","Executables Or Script Creation In Temp Path","File with Samsam Extension","GitHub Workflow File Creation or Modification","IcedID Exfiltrated Archived File Creation","LLM Model File Creation","Msmpeng Application DLL Side Loading","Overwriting Accessibility Binaries","Process Creating LNK file in Suspicious Location","Process Writing DynamicWrapperX","Ransomware Notes bulk creation","Remcos RAT File Creation in Remcos Folder","Rundll32 Process Creating Exe Dll Files","Ryuk Test Files Detected","Samsam Test File Write","SchCache Change By App Connect And Create ADSI Object","Shai-Hulud 2 Exfiltration Artifact Files","Shai-Hulud Workflow File Creation or Modification","Shim Database File Creation","Spike in File Writes","Spoolsv Writing a DLL - Sysmon","Sqlite Module In Temp Folder","Wermgr Process Create Executable File","Windows Admin Permission Discovery","Windows Archived Collected Data In TEMP Folder","Windows Boot or Logon Autostart Execution In Startup Folder","Windows CAB File on Disk","Windows Credentials from Password Stores Chrome Copied in TEMP Dir","Windows Credentials from Web Browsers Saved in TEMP Folder","Windows File Without Extension In Critical Folder","Windows ISO LNK File Creation","Windows Known Abused DLL Created","Windows Mimikatz Crypto Export File Extensions","Windows MOVEit Transfer Writing ASPX","Windows MSHTA Writing to World Writable Path","Windows NirSoft Tool Bundle File Created","Windows Obfuscated Files or Information via RAR SFX","Windows Outlook Macro Created by Suspicious Process","Windows Potential 
AppDomainManager Hijack Artifacts Creation","Windows Process Writing File to World Writable Path","Windows RDP Bitmap Cache File Creation","Windows Replication Through Removable Media","Windows Screen Capture in TEMP folder","Windows SharePoint Spinstall0 Webshell File Creation","Windows Snake Malware File Modification Crmlog","Windows Snake Malware Kernel Driver Comadmin","Windows System File on Disk","Windows User Execution Malicious URL Shortcut File","Potential Persistence Via Disk Cleanup Handler - Registry","Creation of a Local Hidden User Account by Registry","UAC Bypass Via Wsreset","CMSTP Execution Registry Event","Windows Defender Threat Severity Default Action Modified","Disable Security Events Logging Adding Reg Key MiniNt","Wdigest CredGuard Registry Modification","Esentutl Volume Shadow Copy Service Keys","Windows Credential Editor Registry","HybridConnectionManager Service Installation - Registry","Registry Entries For Azorult Malware","Potential Qakbot Registry Activity","Path To Screensaver Binary Modified","Narrator's Feedback-Hub Persistence","NetNTLM Downgrade Attack - Registry","New DLL Added to AppCertDlls Registry Key","New DLL Added to AppInit_DLLs Registry Key","Office Application Startup - Office Test","Windows Registry Trust Record Modification","Registry Persistence Mechanisms in Recycle Bin","New PortProxy Registry Entry Added","RedMimicry Winnti Playbook Registry Manipulation","WINEKEY Registry Modification","Run Once Task Configuration in Registry","Shell Open Registry Keys Manipulation","Potential Credential Dumping Via LSASS SilentProcessExit Technique","Security Support Provider (SSP) Added to LSA Configuration","Sticky Key Like Backdoor Usage - Registry","Atbroker Registry Change","Suspicious Run Key from Download","DLL Load via LSASS","Suspicious Camera and Microphone Access","Registry Tampering by Potentially Suspicious Processes","Add DefaultUser And Password In Registry","Malicious InProcServer32 Modification","Remcos client 
registry install entry","Revil Registry Entry","Sdclt UAC Bypass","Windows Modify Registry Delete Firewall Rules","Windows RDP Server Registry Deletion","Windows Registry Delete Task SD","Windows RunMRU Registry Key or Value Deleted","Windows USBSTOR Registry Key Modification","Windows WPDBusEnum Registry Key Modification","WSReset UAC Bypass","Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback","Registry Persistence via Service in Safe Mode","Add Port Monitor Persistence in Registry","Add Debugger Entry To AeDebug For Persistence","Allow RDP Remote Assistance Feature","Potential AMSI COM Server Hijacking","AMSI Disabled via Registry Modification","Classes Autorun Keys Modification","Common Autorun Keys Modification","CurrentControlSet Autorun Keys Modification","CurrentVersion Autorun Keys Modification","CurrentVersion NT Autorun Keys Modification","Internet Explorer Autorun Keys Modification","Office Autorun Keys Modification","Session Manager Autorun Keys Modification","System Scripts Autorun Keys Modification","WinSock2 Autorun Keys Modification","Wow6432Node CurrentVersion Autorun Keys Modification","Wow6432Node Classes Autorun Keys Modification","Wow6432Node Windows NT CurrentVersion Autorun Keys Modification","New BgInfo.EXE Custom DB Path Registry Configuration","New BgInfo.EXE Custom VBScript Registry Configuration","New BgInfo.EXE Custom WMI Query Registry Configuration","Bypass UAC Using DelegateExecute","Bypass UAC Using Event Viewer","Bypass UAC Using SilentCleanup Task","Default RDP Port Changed to Non Standard Port","IE Change Domain Zone","Sysmon Driver Altitude Change","Change Winevt Channel Access Permission Via Registry","Running Chrome VPN Extensions via the Registry 2 VPN Extension","ClickOnce Trust Prompt Tampering","Potential CobaltStrike Service Installations - Registry","COM Hijack via Sdclt","CrashControl CrashDump Disabled","Security Event Logging Disabled via MiniNt Registry Key - Registry Set","Service Binary 
in Suspicious Folder","Windows Credential Guard Disabled - Registry","Custom File Open Handler Executes PowerShell","Potential Registry Persistence Attempt Via DbgManagedDebugger","Windows Defender Exclusions Added - Registry","Potentially Suspicious Desktop Background Change Via Registry","Antivirus Filter Driver Disallowed On Dev Drive - Registry","Windows Hypervisor Enforced Code Integrity Disabled","Hypervisor Enforced Paging Translation Disabled","DHCP Callout DLL Installation","Disable Administrative Share Creation at Startup","Potential AutoLogger Sessions Tampering","Disable Microsoft Defender Firewall via Registry","Disable Internal Tools or Feature in Registry","Disable Macro Runtime Scan Scope","Disable Privacy Settings Experience in Registry","Disable Windows Security Center Notifications","Registry Disable System Restore","Windows Defender Service Disabled - Registry","Windows Event Log Access Tampering Via Registry","Disable Windows Firewall by Registry","Disable Windows Event Logging Via Registry","Disable Exploit Guard Network Protection on Windows Defender","Disabled Windows Defender Eventlog","Disable PUA Protection on Windows Defender","Disable Tamper Protection on Windows Defender","Add DisallowRun Execution to Registry","Persistence Via Disk Cleanup Handler - Autorun","DNS-over-HTTPS Enabled by Registry","New DNS ServerLevelPluginDll Installed","ETW Logging Disabled In .NET Processes - Sysmon Registry","Directory Service Restore Mode(DSRM) Registry Value Tampering","Periodic Backup For System Registry Hives Enabled","Windows Recall Feature Enabled - Registry","Enabling COR Profiler Environment Variables","Scripted Diagnostics Turn Off Check Enabled - Registry","Potential EventLog File Location Tampering","Suspicious Application Allowed Through Exploit Guard","Change User Account Associated with the FAX Service","Change the Fax Dll","New File Association Using Exefile","FileFix - Command Evidence in TypedPaths","Add Debugger Entry To Hangs Key 
For Persistence","Persistence Via Hhctrl.ocx","Registry Modification to Hidden File Extension","Displaying Hidden Files Feature Disabled","Registry Hide Function from User","Hide Schedule Task Via Index Value Tamper","Driver Added To Disallowed Images In HVCI - Registry","IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols","Uncommon Extension In Keyboard Layout IME File Registry Value","Suspicious Path In Keyboard Layout IME File Registry Value","New Root or CA or AuthRoot Certificate to Store","Internet Explorer DisableFirstRunCustomize Enabled","Potential Ransomware Activity Using LegalNotice Message","Lolbas OneDriveStandaloneUpdater.exe Proxy Download","RestrictedAdminMode Registry Value Tampering","Lsass Full Dump Request Via DumpType Registry Settings","NET NGenAssemblyUsageLog Registry Key Tamper","New Netsh Helper DLL Registered From A Suspicious Location","Potential Persistence Via Netsh Helper DLL - Registry","New Application in AppCompat","Potential Credential Dumping Attempt Using New NetworkProvider - REG","New ODBC Driver Registered","Potentially Suspicious ODBC Driver Registered","Trust Access Disable For VBApplications","Microsoft Office Protected View Disabled","Python Function Execution Security Warning Disabled In Excel - Registry","Enable Microsoft Dynamic Data Exchange","Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting","Outlook Macro Execution Without Warning Setting Enabled","Outlook EnableUnsafeClientMailRules Setting Enabled - Registry","Outlook Security Settings Updated - Registry","Macro Enabled In A Potentially Suspicious Document","Uncommon Microsoft Office Trusted Location Added","Office Macros Warning Disabled","MaxMpxCt Registry Value Changed","Potential Persistence Via New AMSI Providers - Registry","Potential Persistence Via AppCompat RegisterAppRestart Layer","Potential Persistence Via App Paths Default Property","Potential Persistence Using DebugPath","Potential Persistence Via 
AutodialDLL","Potential Persistence Via CHM Helper DLL","COM Object Hijacking Via Modification Of Default System CLSID Default Value","Potential COM Object Hijacking Via TreatAs Subkey - Registry","Potential PSFactoryBuffer COM Hijacking","Potential Persistence Via Custom Protocol Handler","Potential Persistence Via Event Viewer Events.asp","Potential Persistence Via GlobalFlags","Modification of IE Registry Settings","Register New IFiltre For Persistence","Potential Persistence Via Logon Scripts - Registry","Potential Persistence Via LSA Extensions","Potential Persistence Via Mpnotify","Potential Persistence Via MyComputer Registry Keys","Potential Persistence Via DLLPathOverride","Potential Persistence Via Visual Studio Tools for Office","Potential Persistence Via Outlook Home Page","Potential Persistence Via Outlook Today Page","Potential WerFault ReflectDebugger Registry Value Abuse","Potential Persistence Via Scrobj.dll COM Hijacking","Potential Persistence Via Shim Database Modification","Suspicious Shim Database Patching Activity","Potential Persistence Via Shim Database In Uncommon Location","Potential Persistence Via TypedPaths","Potential Persistence Via Excel Add-in - Registry","Potential Attachment Manager Settings Associations Tamper","Potential Attachment Manager Settings Attachments Tamper","Potential ClickFix Execution Pattern - Registry","Registry Modification for OCI DLL Redirection","PowerShell as a Service in Registry","PowerShell Script Execution Policy Enabled","Potential PowerShell Execution Policy Tampering","Suspicious PowerShell In Registry Run Keys","PowerShell Logging Disabled Via Registry Key Tampering","Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG","PUA - Sysinternal Tool Execution - Registry","Suspicious Execution Of Renamed Sysinternals Tools - Registry","PUA - Sysinternals Tools Execution - Registry","Usage of Renamed Sysinternals Tools - RegistrySet","ETW Logging Disabled For rpcrt4.dll","Potentially 
Suspicious Command Executed Via Run Dialog Box - Registry","ScreenSaver Registry Key Set","Potential SentinelOne Shell Context Menu Scan Command Tampering","ServiceDll Hijack","ETW Logging Disabled For SCM","Registry Explorer Policy Modification","Persistence Via New SIP Provider","Tamper With Sophos AV Registry Keys","Hiding User Account Via SpecialAccounts Registry Key","Activate Suppression of Windows Security Center Notifications","Suspicious Keyboard Layout Load","Potential PendingFileRenameOperations Tampering","Suspicious Printer Driver Empty Manufacturer","Registry Persistence via Explorer Run Key","New RUN Key Pointing to Suspicious Folder","Suspicious Space Characters in RunMRU Registry Path - ClickFix","Suspicious Service Installed","Suspicious Shell Open Command Registry Modification","Suspicious Space Characters in TypedPaths Registry Path - FileFix","Modify User Shell Folders Startup Value","WFP Filter Added via Registry","Suspicious Environment Variable Has Been Registered","Enable LM Hash Storage","Scheduled TaskCache Change by Uncommon Program","Potential Registry Persistence Attempt Via Windows Telemetry","RDP Sensitive Settings Changed to Zero","RDP Sensitive Settings Changed","New TimeProviders Registered With Uncommon DLL Name","Old TLS1.0/TLS1.1 Protocol Version Enabled","COM Hijacking via TreatAs","Potential Signing Bypass Via Windows Developer Features - Registry","UAC Bypass via Event Viewer","UAC Bypass via Sdclt","UAC Bypass Abusing Winsat Path Parsing - Registry","UAC Bypass Using Windows Media Player - Registry","UAC Disabled","UAC Notification Disabled","UAC Secure Desktop Prompt Disabled","VBScript Payload Stored in Registry","Windows Vulnerable Driver Blocklist Disabled","Execution DLL of Choice Using WAB.EXE","Wdigest Enable UseLogonCredential","Disable Windows Defender Functionalities Via Registry Keys","Winget Admin Settings Modification","Enable Local Manifest Installation With Winget","Winlogon AllowMultipleTSSessions 
Enable","Winlogon Notify Key Logon Persistence","Active Setup Registry Autostart","Allow Inbound Traffic By Firewall Rule Registry","Allow Operation with Consent Admin","Auto Admin Logon Registry Entry","Detect Remote Access Software Usage Registry","Disable AMSI Through Registry","Disable Defender AntiVirus Registry","Disable Defender BlockAtFirstSeen Feature","Disable Defender Enhanced Notification","Disable Defender MpEngine Registry","Disable Defender Spynet Reporting","Disable Defender Submit Samples Consent Feature","Disable ETW Through Registry","Disable Registry Tool","Disable Security Logs Using MiniNt Registry","Disable Show Hidden Files","Disable UAC Remote Restriction","Disable Windows App Hotkeys","Disable Windows Behavior Monitoring","Disable Windows SmartScreen Protection","Disabling CMD Application","Disabling ControlPanel","Disabling Defender Services","Disabling FolderOptions Windows Feature","Disabling NoRun Windows App","Disabling Remote User Account Control","Disabling SystemRestore In Registry","Disabling Task Manager","Disabling Windows Local Security Authority Defences via Registry","Enable RDP In Other Port Number","Enable WDigest UseLogonCredential Registry","ETW Registry Disabled","Eventvwr UAC Bypass","Hide User Account From Sign-In Screen","Logon Script Event Trigger Execution","Modification Of Wallpaper","Monitor Registry Keys for Print Monitors","NET Profiler UAC bypass","Print Processor Registry Autostart","Registry Keys for Creating SHIM Databases","Registry Keys Used For Persistence","Registry Keys Used For Privilege Escalation","Screensaver Event Trigger Execution","Set Default PowerShell Execution Policy To Unrestricted or Bypass","SilentCleanup UAC Bypass","Time Provider Persistence Registry","Windows AD DSRM Account Changes","Windows Audit Policy Auditing Option Modified - Registry","Windows Autostart Execution LSASS Driver Registry Modification","Windows Chrome Auto-Update Disabled via Registry","Windows Chrome Extension 
Allowed Registry Modification","Windows Compatibility Telemetry Tampering Through Registry","Windows Defender Exclusion Registry Entry","Windows Disable Change Password Through Registry","Windows Disable Lock Workstation Feature Through Registry","Windows Disable LogOff Button Through Registry","Windows Disable Memory Crash Dump","Windows Disable Notification Center","Windows Disable Shutdown Button Through Registry","Windows Disable Windows Group Policy Features Through Registry","Windows DisableAntiSpyware Registry","Windows Enable Win32 ScheduledJob via Registry","Windows Hide Notification Features Through Registry","Windows Impair Defense Change Win Defender Health Check Intervals","Windows Impair Defense Change Win Defender Quick Scan Interval","Windows Impair Defense Change Win Defender Throttle Rate","Windows Impair Defense Change Win Defender Tracing Level","Windows Impair Defense Configure App Install Control","Windows Impair Defense Define Win Defender Threat Action","Windows Impair Defense Delete Win Defender Context Menu","Windows Impair Defense Delete Win Defender Profile Registry","Windows Impair Defense Deny Security Software With Applocker","Windows Impair Defense Disable Controlled Folder Access","Windows Impair Defense Disable Defender Firewall And Network","Windows Impair Defense Disable Defender Protocol Recognition","Windows Impair Defense Disable PUA Protection","Windows Impair Defense Disable Realtime Signature Delivery","Windows Impair Defense Disable Web Evaluation","Windows Impair Defense Disable Win Defender App Guard","Windows Impair Defense Disable Win Defender Compute File Hashes","Windows Impair Defense Disable Win Defender Gen reports","Windows Impair Defense Disable Win Defender Network Protection","Windows Impair Defense Disable Win Defender Report Infection","Windows Impair Defense Disable Win Defender Scan On Update","Windows Impair Defense Disable Win Defender Signature Retirement","Windows Impair Defense Overide Win Defender 
Phishing Filter","Windows Impair Defense Override SmartScreen Prompt","Windows Impair Defense Set Win Defender Smart Screen Level To Warn","Windows Impair Defenses Disable Auto Logger Session","Windows Impair Defenses Disable AV AutoStart via Registry","Windows Impair Defenses Disable HVCI","Windows Impair Defenses Disable Win Defender Auto Logging","Windows InProcServer32 New Outlook Form","Windows LSA Secrets NoLMhash Registry","Windows Modify Registry AuthenticationLevelOverride","Windows Modify Registry Auto Minor Updates","Windows Modify Registry Auto Update Notif","Windows Modify Registry Configure BitLocker","Windows Modify Registry Default Icon Setting","Windows Modify Registry Disable RDP","Windows Modify Registry Disable Restricted Admin","Windows Modify Registry Disable Toast Notifications","Windows Modify Registry Disable Win Defender Raw Write Notif","Windows Modify Registry Disable WinDefender Notifications","Windows Modify Registry Disable Windows Security Center Notif","Windows Modify Registry DisableRemoteDesktopAntiAlias","Windows Modify Registry DisableSecuritySettings","Windows Modify Registry Disabling WER Settings","Windows Modify Registry DisAllow Windows App","Windows Modify Registry Do Not Connect To Win Update","Windows Modify Registry DontShowUI","Windows Modify Registry EnableLinkedConnections","Windows Modify Registry LongPathsEnabled","Windows Modify Registry MaxConnectionPerServer","Windows Modify Registry No Auto Reboot With Logon User","Windows Modify Registry No Auto Update","Windows Modify Registry NoChangingWallPaper","Windows Modify Registry on Smart Card Group Policy","Windows Modify Registry ProxyEnable","Windows Modify Registry ProxyServer","Windows Modify Registry Suppress Win Defender Notif","Windows Modify Registry Tamper Protection","Windows Modify Registry to Add or Modify Firewall Rule","Windows Modify Registry UpdateServiceUrlAlternate","Windows Modify Registry USeWuServer","Windows Modify Registry Utilize 
ProgIDs","Windows Modify Registry ValleyRAT C2 Config","Windows Modify Registry ValleyRat PWN Reg Entry","Windows Modify Registry With MD5 Reg Key Name","Windows Modify Registry WuServer","Windows Modify Registry wuStatusServer","Windows Modify Show Compress Color And Info Tip Registry","Windows Mshta Execution In Registry","Windows New Custom Security Descriptor Set On EventLog Channel","Windows New Default File Association Value Set","Windows New EventLog ChannelAccess Registry Value Set","Windows New InProcServer32 Added","Windows Njrat Fileless Storage via Registry","Windows Outlook Dialogs Disabled from Unusual Process","Windows Outlook LoadMacroProviderOnBoot Persistence","Windows Outlook Macro Security Modified","Windows Outlook WebView Registry Modification","Windows Phishing Recent ISO Exec Registry","Windows Proxy Via Registry","Windows RDP Server Registry Entry Created","Windows Registry BootExecute Modification","Windows Registry Certificate Added","Windows Registry Dotnet ETW Disabled Via ENV Variable","Windows Registry Modification for Safe Mode Persistence","Windows Registry Payload Injection","Windows Registry SIP Provider Modification","Windows Remote Access Software RMS Registry","Windows Remote Services Allow Remote Assistance","Windows Remote Services Rdp Enable","Windows Routing and Remote Access Service Registry Key Change","Windows RunMRU Command Execution","Windows Service Creation Using Registry Entry","Windows Service Deletion In Registry","Windows Set Network Profile Category to Private via Registry","Windows Snake Malware Registry Modification wav OpenWithProgIds","Windows SnappyBee Create Test Registry","Detect WMI Event Subscription Persistence","DNS Query for Anonfiles.com Domain - Sysmon","AppX Package Installation Attempts Via AppInstaller.EXE","Cloudflared Tunnels Related DNS Requests","DNS Query To Common Malware Hosting and Shortener Services","DNS Query To Devtunnels Domain","DNS Server Discovery Via LDAP Query","DNS Query To 
AzureWebsites.NET By Non-Browser Process","DNS Query by Finger Utility","Notepad++ Updater DNS Query to Uncommon Domains","DNS HybridConnectionManager Service Bus","Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing","Suspicious Cobalt Strike DNS Beaconing - Sysmon","DNS Query To MEGA Hosting Website","DNS Query Request To OneLaunch Update Service","DNS Query Request By QuickAssist.EXE","DNS Query Request By Regsvr32.EXE","DNS Query To Remote Access Software Domain From Non-Browser App","Suspicious DNS Query for IP Lookup Service APIs","TeamViewer Domain Query By Non-TeamViewer Application","DNS Query Tor .Onion Address - Sysmon","DNS Query To Ufile.io","DNS Query To Visual Studio Code Tunnels Domain","Local LLM Framework DNS Query","Windows AI Platform DNS Query","Windows BitLockerToGo with Network Activity","Windows DNS Query Request To TinyUrl","Windows Visual Basic Commandline Compiler DNSQuery","3CX Supply Chain Attack Network Indicators","Detect DNS Query to Decommissioned S3 Bucket","Detect hosts connecting to dynamic domain providers","Detect Remote Access Software Usage DNS","DNS Kerberos Coercion","DNS Query Length With High Standard Deviation","Ngrok Reverse Proxy on Network","Rundll32 DNSQuery","Suspicious Process DNS Query Known Abuse Web Services","Suspicious Process With Discord DNS Query","Wermgr Process Connecting To IP Check Web Services","Windows Abused Web Services","Windows DNS Query Request by Telegram Bot API","Windows Gather Victim Network Info Through Ip Check Web Services","Windows Multi hop Proxy TOR Website Query","Windows Spearphishing Attachment Connect To None MS Office Domain","Backup Files Deleted","EventLog EVTX File Deleted","Exchange PowerShell Cmdlet History Deleted","IIS WebServer Access Logs Deleted","Process Deletion of Its Own Executable","PowerShell Console History Logs Deleted","Prefetch File Deleted","TeamViewer Log File Deleted","Tomcat WebServer Logs Deleted","File Deleted Via Sysinternals 
SDelete","Unusual File Deletion by Dns.exe","ADS Zone.Identifier Deleted By Uncommon Application","Excessive File Deletion In WinDefender Folder","Windows ConsoleHost History File Deletion","Windows Data Destruction Recursive Exec Files Deletion","Windows Default Rdp File Deletion","Windows High File Deletion Frequency","Windows Mark Of The Web Bypass","Windows Rdp AutomaticDestinations Deletion","Windows RDP Cache File Deletion","Remote AppX Package Downloaded from File Sharing or CDN Domain","AppX Located in Known Staging Directory Added to Deployment Pipeline","AppX Located in Uncommon Directory Added to Deployment Pipeline","Windows AppX Deployment Package Installation Success","Register new Logon Process by Rubeus","ETW Logging Disabled In .NET Processes - Registry","NetNTLM Downgrade Attack","Windows Defender Exclusion List Modified","AD Privileged Users or Groups Reconnaissance","Password Policy Enumerated","Reconnaissance Activity","Windows Multiple Account Passwords Changed","A Member Was Removed From a Security-Enabled Global Group","Password Change on Directory Service Restore Mode (DSRM) Account","Windows AD DSRM Password Reset","RDP over Reverse SSH Tunnel WFP","Remote PowerShell Sessions Network Connections (WinRM)","Uncommon Outbound Kerberos Connection - Security","Unusual File Modification by dns.exe","Potential Timestomp in Executable Files","Malicious Driver Load","Malicious Driver Load By Name","PUA - Process Hacker Driver Load","PUA - System Informer Driver Load","Driver Load From A Temporary Directory","Vulnerable Driver Load","Vulnerable Driver Load By Name","Vulnerable HackSys Extreme Vulnerable Driver Load","Vulnerable WinRing0 Driver Load","WinDivert Driver Load","Windows Drivers Loaded by Signature","Windows Suspicious Driver Loaded Path","Windows Vulnerable Driver Loaded","XMRIG Driver Loaded","Sysmon Configuration Change","Sysmon Configuration Modification","Windows Domain Admin Impersonation Indicator","User Couldn't Call a Privileged 
Service 'LsaRegisterLogonProcess'","Potential Privileged System Service Operation - SeLoadDriverPrivilege","DPAPI Domain Master Key Backup Attempt","Password Protected ZIP File Opened","Password Protected ZIP File Opened (Suspicious Filenames)","Password Protected ZIP File Opened (Email Attachment)","AppX Package Deployment Failed Due to Signing Requirements","User Logoff Event","ADCS Certificate Template Configuration Vulnerability","ADCS Certificate Template Configuration Vulnerability with Risky EKU","VSSAudit Security Event Source Registration","Windows Firewall Rule Added","HackTool - EDRSilencer Execution - Filter Added","HackTool - NoFilter Execution","Uncommon New Firewall Rule Added In Windows Firewall Exception List","New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application","New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE","A Rule Has Been Deleted From The Windows Firewall Exception List","Sysmon Application Crashed","Standard User In High Privileged Group","New BITS Job Created Via Bitsadmin","New BITS Job Created Via PowerShell","Potential Active Directory Enumeration Using AD Module - PsModule","Alternate PowerShell Hosts - PowerShell Module","Bad Opsec Powershell Code Artifacts","Clear PowerShell History - PowerShell Module","PowerShell Decompress Commands","Malicious PowerShell Scripts - PoshModule","Suspicious Get-ADDBAccount Usage","PowerShell Get Clipboard","HackTool - Evil-WinRm Execution - PowerShell Module","Invoke-Obfuscation CLIP+ Launcher - PowerShell Module","Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module","Invoke-Obfuscation STDIN+ Launcher - PowerShell Module","Invoke-Obfuscation VAR+ Launcher - PowerShell Module","Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module","Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module","Invoke-Obfuscation Via Stdin - PowerShell Module","Invoke-Obfuscation Via Use Clip - PowerShell Module","Invoke-Obfuscation 
Via Use MSHTA - PowerShell Module","Invoke-Obfuscation Via Use Rundll32 - PowerShell Module","Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module","Malicious PowerShell Commandlets - PoshModule","Remote PowerShell Session (PS Module)","Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module","AD Groups Or Users Enumeration Using PowerShell - PoshModule","Suspicious PowerShell Download - PoshModule","Use Get-NetTCPConnection - PowerShell Module","Suspicious PowerShell Invocations - Generic - PowerShell Module","Suspicious PowerShell Invocations - Specific - PowerShell Module","Suspicious Get Local Groups Information","Suspicious Computer Machine Password by PowerShell","Suspicious Get Information for SMB Share - PowerShell Module","Zip A Folder With PowerShell For Staging In Temp  - PowerShell Module","SyncAppvPublishingServer Bypass Powershell Restriction - PS Module","Unauthorized System Time Modification","A New Trust Was Created To A Domain","Windows Multiple Accounts Disabled","Windows Multiple Accounts Deleted","Enumerate Users Local Group Using Telegram","Locked Workstation","Denied Access To Remote Desktop","Windows Steal Authentication Certificates - ESC1 Abuse","Windows Steal Authentication Certificates Certificate Request","Windows Steal Authentication Certificates Certificate Issued","Multiple Vault Web Credentials Read","External Disk Drive Or USB Storage Device Was Recognized By The System","High Process Termination Frequency","Windows Processes Killed By Industroyer2 Malware","Windows AppX Deployment Unsigned Package Installation","Windows Developer-Signed MSIX Package Installation","Windows Firewall Rule Modification","Windows Firewall Rule Deletion","Delete Defender Scan ShellEx Context Menu Registry Key","Windows Credential Guard Related Registry Value Deleted - Registry","Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted","Folder Removed From Exploit Guard ProtectedFolders List - Registry","Terminal Server 
Client Connection History Cleared - Registry","Removal Of AMSI Provider Registry Keys","Removal of Potential COM Hijacking Registry Keys","RunMRU Registry Key Deletion - Registry","Removal Of Index Value to Hide Schedule Task - Registry","Removal Of SD Value to Hide Schedule Task - Registry","Windows Defender Exclusions Added","Windows Defender Exploit Guard Tamper","Windows Defender Submit Sample Feature Disabled","Windows Defender Configuration Changes","Windows Defender ASR Registry Modification","Windows Defender ASR Rule Disabled","Windows Defender ASR Rules Stacking","Certificate Private Key Acquired","Windows Steal Authentication Certificates CryptoAPI","Replay Attack Detected","Failed Code Integrity Checks","Potentially Suspicious Self Extraction Directive File Created","Sysmon File Executable Creation Detected","Windows Executable Masquerading as Benign File Types","Ngrok Usage with Remote Desktop Service","WMI Persistence","Windows Defender Threat Detection Service Disabled","First Time Seen Running Windows Service","Windows Cisco Secure Endpoint Related Service Stopped","Windows Security And Backup Services Stop","Potential Process Hollowing Activity","BITS Transfer Job Downloading File Potential Suspicious Extension","BITS Transfer Job Download From File Sharing Domains","BITS Transfer Job Download From Direct IP","BITS Transfer Job With Uncommon Or Suspicious Remote TLD","BITS Transfer Job Download To Potential Suspicious Folder","CodeIntegrity - Unmet Signing Level Requirements By File Under Validation","DNS Server Error Failed Loading the ServerLevelPluginDLL","Microsoft Defender Blocked from Loading Unsigned DLL","Unsigned Binary Loaded From Suspicious Location","Windows RDP Connection Successful","Windows Defender AMSI Trigger Detected","Windows Defender Threat Detected","Windows Firewall Settings Have Been Changed","All Rules Have Been Deleted From The Windows Firewall Configuration","Windows Update Error","Application Uninstalled","LSASS Process 
Crashed - Application","Microsoft Malware Protection Engine Crash","Ntdsutil Abuse","Dump Ntds.dit To Suspicious Location","NTLMv1 Logon Between Client and Server","Sysinternals Tools AppX Versions Execution","Suspicious Digital Signature Of AppX Package","Audit CVE Event","Certificate Exported From Local Certificate Store","Windows Export Certificate","Loading Diagcab Package From Remote Path","Failed DNS Zone Transfer","Critical Hive In Suspicious Location Access Bits Cleared","Volume Shadow Copy Mount","NTLM Logon","Print Spooler Failed to Load a Plug-in","Device Installation Blocked","Suspicious Application Installed","Sysmon Blocked Executable","Sysmon Blocked File Shredding","Sysmon Configuration Error","Scheduled Task Executed From A Suspicious Location","Scheduled Task Executed Uncommon LOLBIN","Important Scheduled Task Deleted","WinEvent Windows Task Scheduler Event Action Started","Windows Defender Malware Detection History Deletion","Windows Defender Real-time Protection Disabled","Microsoft Defender Tamper Protection Trigger","Atera Agent Installation","MSI Installation From Suspicious Locations","MSI Installation From Web","Windows SQL Server Configuration Option Hunt","Windows SQL Server Critical Procedures Enabled","Windows SQL Server xp_cmdshell Config Change","Remote Access Tool - ScreenConnect File Transfer","Microsoft Malware Protection Engine Crash - WER","Crash Dump Created By Operating System","Windows MSIX Package Interaction","Windows Event Logging Service Has Shutdown","Print Spooler Adding A Printer Driver","Windows Steal Authentication Certificates CS Backup","Windows RDPClient Connection Sequence Events","LSASS Access Detected via Attack Surface Reduction","PSExec and WMI Process Creations Block","Windows Defender ASR Block Events","OpenSSH Server Listening On Socket","Nslookup PowerShell Download Cradle","Delete Volume Shadow Copies Via WMI With PowerShell","PowerShell Downgrade Attack - PowerShell","PowerShell Called from an Executable 
Version Mismatch","Netcat The Powershell Version","Remote PowerShell Session (PS Classic)","Renamed Powershell Under Powershell Channel","Suspicious PowerShell Download","Use Get-NetTCPConnection","Tamper Windows Defender - PSClassic","Windows Service Terminated With Error","Important Windows Service Terminated With Error","Important Windows Service Terminated Unexpectedly","Windows Event For Service Disabled","Windows Excessive Disabled Services Event","Windows Service Stop Win Updates","USB Device Plugged","Windows Defender Firewall Has Been Reset To Its Default Configuration","Active Directory Certificate Services Denied Certificate Enrollment Request","DNS Query for Anonfiles.com Domain - DNS Client","Suspicious Cobalt Strike DNS Beaconing - DNS Client","DNS Query To MEGA Hosting Website - DNS Client","DNS Query To Put.io - DNS Client","Query Tor Onion Address - DNS Client","DNS Query To Ufile.io - DNS Client","ETW Logging/Processing Option Disabled On IIS Server","HTTP Logging Disabled On IIS Server","New Module Module Added To IIS Server","Previously Installed IIS Module Was Removed","AppLocker Prevented Application or Script from Running","Windows SIP WinVerifyTrust Failed Trust Validation","CodeIntegrity - Revoked Image Loaded","CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module","DHCP Server Error Failed Loading the CallOut DLL","Potential Active Directory Reconnaissance/Enumeration Via LDAP","Windows Defender Real-Time Protection Failure/Restart","CodeIntegrity - Unsigned Kernel Module Loaded","CodeIntegrity - Blocked Driver Load With Revoked Certificate","CodeIntegrity - Blocked Image Load With Revoked Certificate","CodeIntegrity - Blocked Image/Driver Load For Policy Violation","DHCP Server Loaded the CallOut DLL","Potential Remote Desktop Connection to Non-Domain Host","Win Defender Restored Quarantine File","Windows Defender ASR Audit Events","Windows Defender Malware And PUA Scanning Disabled","Windows Defender Virus Scanning Feature 
Disabled","Remote Access Tool - ScreenConnect Command Execution","Windows Defender Grace Period Expired","Deployment Of The AppX Package Was Blocked By The Policy","CodeIntegrity - Revoked Kernel Driver Loaded","Restricted Software Access By SRP","Deployment AppX Package Was Blocked By AppLocker","Backup Catalog Deleted","CodeIntegrity - Unsigned Image Loaded","CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked","Local Privilege Escalation Indicator TabTip","ISATAP Router Address Was Set","No Suitable Encryption Key Found For Generating Kerberos Ticket","Unsigned or Unencrypted SMB Connection to Share Established","The Windows Defender Firewall Service Failed To Load Group Policy","Windows Event Triggered Image File Execution Options Injection","Suspicious WMI Event Subscription Created","Windows IIS Components Module Failed to Load"],"_rd":["Detects potential token impersonation and theft. Example, when using \"DuplicateToken(Ex)\" and \"ImpersonateLoggedOnUser\" with the \"LOGON32_LOGON_NEW_CREDENTIALS flag\".","Detect remote login by Administrator user (depending on internal pattern).","Detects the default \"UserName\" used by the DiagTrackEoP POC","Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.","Detects the attack technique pass the hash which is used to move laterally inside the network","RDP login with localhost source address may be a tunnelled login","Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.","Detects successful logon from public IP address via SMB. 
This can indicate a publicly-exposed SMB port.","Detects logon events that specify new credentials","Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.\nThis may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.","Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like","Detects successful logon attempts performed with WMI","Detects events that are generated when using the hacktool Ruler by Sensepost","Alerts on Metasploit host's authentications on the domain.","Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often\nbrute force login attempts across multiple users with a common or known password, in an attempt to gain access to\naccounts.","Identifies potential relay activities against a Computer account by identifying authentication events using the computer\naccount coming from hosts other than the server that owns the account. Attackers may relay the computer account\nhash after capturing it using forced authentication.","Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target\nserver's computer account, originating from a different host. This may indicate that an attacker has captured and\nrelayed the server's computer account hash to execute code on behalf of the compromised system.","Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal\nsystem access controls. 
Pass the hash (PtH) is a method of authenticating as a user without having access to the user's\ncleartext password.","Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral\nmovement, but will be noisy if commonly done by administrators.","Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account\npasswords to maintain access or evade password duration policies and preserve compromised credentials.","Identifies a user account (often a service account) that normally logs in with high volume using one logon type\nsuddenly showing successful logons using a different logon type with low count. This pattern may indicate account\ntakeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service\nwas expected).","Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to\nescalate privileges and bypass access controls.","Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to\nlocalhost, followed by a service creation from the same LogonId. This may indicate an attempt to leverage a Kerberos\nrelay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.","Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different\nsource IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover\nor use of stolen credentials from a new location.","The following analytic identifies one source failing to authenticate with 10 or more unique users. This behavior could represent an adversary performing a Password Spraying attack to obtain initial access or elevate privileges. 
This logic can be used for real time security monitoring as well as threat hunting exercises and works well against any number of data sources ingested into the CIM datamodel. Environments can be very different depending on the organization. Test and customize this detection's thresholds if needed.","The following analytic identifies any user failing to authenticate from 10 or more unique sources. This behavior could represent an adversary performing a Password Spraying attack to obtain initial access or elevate privileges. This logic can be used for real time security monitoring as well as threat hunting exercises. Environments can be very different depending on the organization. Test and customize this detection's thresholds as needed","The following analytic identifies an unusual number of remote authentication attempts from a single source by leveraging Windows Event ID 4624, which logs successful account logons. It uses statistical analysis, specifically the 3-sigma rule, to detect deviations from normal behavior. This activity is significant for a SOC as it may indicate lateral movement, malware staging, or reconnaissance. If confirmed malicious, this behavior could allow an attacker to move laterally within the network, escalate privileges, or gather information for further attacks.","The following analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. It leverages EventCode 4662 from the Windows Security Event Log, focusing on specific object types and replication permissions. This activity is significant because it can allow an attacker with sufficient privileges to request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of the entire domain.","The following analytic identifies unauthorized Active Directory replication requests initiated from non-domain controller locations. 
It leverages EventCode 4662 to detect when a computer account with replication permissions creates a handle to domainDNS, filtering out known domain controller IP addresses. This activity is significant as it may indicate a DCSync attack, where an attacker with privileged access can request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential full domain compromise.","The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security.","The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. It detects EventCode 4624 with LogonType 3 and source address 127.0.0.1, indicating a login to the built-in local Administrator account. This activity is significant as it may suggest a Kerberos relay attack, a method attackers use to escalate privileges. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive systems, execute arbitrary code, or create new accounts in Active Directory, leading to potential system compromise.","The following analytic detects attempts to authenticate using the built-in local Administrator account across more than 30 endpoints within a 5-minute window. It leverages Windows Event Logs, specifically events 4625 and 4624, to identify this behavior. 
This activity is significant as it may indicate an adversary attempting to validate stolen local credentials across multiple hosts, potentially leading to privilege escalation. If confirmed malicious, this could allow the attacker to gain widespread access and control over numerous systems within the network, posing a severe security risk.","The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network.","The following analytic detects instances where a successful Remote Desktop Protocol (RDP) login session was established, as indicated by Windows Security Event ID 4624 with Logon Type 10. This event confirms that a user has not only provided valid credentials but has also initiated a full interactive RDP session. It is a key indicator of successful remote access to a Windows system. When correlated with Event ID 1149, which logs RDP authentication success, this analytic helps distinguish between mere credential acceptance and actual session establishment—critical for effective monitoring and threat detection.","This analytic detects and analyzes PowerShell Web Access (PSWA) usage in Windows environments. It tracks both connection attempts (EventID 4648) and successful logons (EventID 4624) associated with PSWA, providing a comprehensive view of access patterns. The analytic identifies PSWA's operational status, host servers, processes, and connection metrics. It highlights unique target accounts, domains accessed, and verifies logon types. 
This information is crucial for detecting potential misuse, such as lateral movement, brute force attempts, or unusual access patterns. By offering insights into PSWA activity, it enables security teams to quickly assess and investigate potential security incidents involving this powerful administrative tool.","Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.","This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.","Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a\nshort time interval. Adversaries will often brute force login attempts across multiple users with a common or known\npassword, in an attempt to gain access to accounts.","Identifies multiple consecutive logon failures from the same source address and within a short time interval.\nAdversaries will often brute force login attempts across multiple users with a common or known password, in an attempt\nto gain access to accounts.","This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts from a single source. A password spray attack is a type of brute force attack where an attacker tries a few common passwords across many different accounts to avoid detection and account lockouts. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.","The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member servers, and workstations. 
This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or further compromise of the network, posing a severe security risk.","The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. This detection is crucial for real-time security monitoring and threat hunting.","The following analytic identifies a source process failing to authenticate multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625, which logs failed logon attempts, and uses statistical analysis to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access, data exfiltration, or further lateral movement within the network.","The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3 (remote authentication) to detect this behavior. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. 
If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the network.","Detects WRITE_DAC access to a domain object","Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.","Detects read access to a domain user from a non-machine account","Detects Mimikatz DC sync security events","Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers","Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob\nmatching the pattern \"1UWhRCAAAAA...BAAAA\". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,\ncommonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to\nattacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,\nwhere adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.\nPlease investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.","Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.","This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers\ncan use the DCSync technique to get credential information of individual accounts or the entire domain, thus\ncompromising the entire domain.","This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync\ntechnique to get credential information of individual accounts or the entire domain, thus compromising the entire\ndomain.","Identifies the creation of a DNS record containing a base64-encoded blob matching the pattern \"UWhRCA...BAAAA\". 
This\npattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks.\nIt is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse this to coerce\nvictim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate\nservices (often the victim's own identity). This enables reflective Kerberos relay attacks, potentially resulting in\nprivileged access such as NT AUTHORITY\\SYSTEM, without relying on NTLM fallback.","Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as\nunixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.","Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can\nhelp adversaries find vulnerabilities, elevate privileges or collect sensitive information.","The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.","The following analytic detects access attempts to privileged Active Directory objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security Event Code 4662 to identify when these sensitive objects are accessed. 
This activity is significant because such objects should rarely be accessed by normal users or processes, and unauthorized access attempts may indicate attacker enumeration or lateral movement within the domain. If confirmed malicious, this activity could allow attackers to escalate privileges, persist in the environment, or gain control over critical domain resources.","Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication such as in CVE-2025-33073. This detection leverages Windows Security Event Codes 5136, 5137, 4662, looking for DNS events with specific CREDENTIAL_TARGET_INFORMATION entries.","Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.","Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.","Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence,\nmove laterally, and/or escalate privileges.","Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy\nmalicious execution via the schedule service and perform clean up.","The following analytic detects the creation of a Scheduled Task with a high entropy, randomly generated name, leveraging Event ID 4698. It uses the `ut_shannon` function from the URL ToolBox Splunk application to measure the entropy of the Task Name. This activity is significant as adversaries often use randomly named Scheduled Tasks for lateral movement and remote code execution, employing tools like Impacket or CrackMapExec. 
If confirmed malicious, this could allow attackers to execute arbitrary code remotely, potentially leading to further compromise and persistence within the network.","The following analytic detects the creation of scheduled tasks on Windows systems that include HTTP command arguments, using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService with HTTP in their command arguments. This behavior is significant as it often indicates malware activity or the use of Living off the Land binaries (lolbins) to download additional payloads. If confirmed malicious, this activity could lead to data exfiltration, malware propagation, or unauthorized access to sensitive information, necessitating immediate investigation and mitigation.","The following analytic detects the creation of scheduled tasks in Windows that use the rundll32 command. It leverages Windows Security EventCode 4698, which logs the creation of scheduled tasks, and filters for tasks executed via rundll32. This activity is significant as it is a common technique used by malware, such as TrickBot, to persist in an environment or deliver additional payloads. If confirmed malicious, this could lead to data theft, ransomware deployment, or other damaging outcomes. Immediate investigation and mitigation are crucial to prevent further compromise.","The following analytic detects the creation and deletion of scheduled tasks within a short time frame (less than 30 seconds) using Windows Security EventCodes 4698 and 4699. This behavior is identified by analyzing Windows Security Event Logs and leveraging the Windows TA for parsing. Such activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. 
If confirmed malicious, this could lead to unauthorized access, data exfiltration, or execution of malicious payloads, necessitating prompt investigation and response by security analysts.","The following analytic detects the creation of hidden scheduled tasks on Windows systems, which are not visible in the UI. It leverages Windows Security EventCode 4698 to identify tasks where the 'Hidden' setting is enabled. This behavior is significant as it may indicate malware activity, such as Industroyer2, or the use of living-off-the-land binaries (LOLBINs) to download additional payloads. If confirmed malicious, this activity could allow attackers to execute code stealthily, maintain persistence, or further compromise the system by downloading additional malicious payloads.","The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript or from public folders such as Users, Temp, or ProgramData. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, enabled, or modified. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.","The following analytic detects the creation, modification, or enabling of scheduled tasks with known suspicious or malicious task names. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, modified, or enabled. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. 
If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.","The following analytic detects the creation or modification of Windows Scheduled Tasks related to CompMgmtLauncher or Eventvwr. These legitimate system utilities, used for launching the Computer Management Console and Event Viewer, can be abused by attackers to execute malicious payloads under the guise of normal system processes. By leveraging these tasks, adversaries can establish persistence or elevate privileges without raising suspicion. This detection helps security analysts identify unusual or unauthorized scheduled tasks involving these executables, allowing for timely investigation and remediation of potential threats.","The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are registered. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.","The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like Public, ProgramData, Temp, and AppData. This behavior is significant as it may indicate an attempt to establish persistence or execute unauthorized commands. 
If confirmed malicious, an attacker could maintain long-term access, escalate privileges, or execute arbitrary code, posing a severe threat to system integrity and security.","Detects update to a scheduled task event that contain suspicious keywords.","Identifies first-time modifications to scheduled tasks by user accounts, excluding system activity and machine accounts.","Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.","Detects scenarios where system auditing for important events such as \"Process Creation\" or \"Logon\" events is disabled.","Identifies attempts to disable auditing for some security sensitive audit policy sub-categories. This is often done by\nattackers in an attempt to evade detection and forensics on a system.","The following analytic detects the disabling of audit policies on a domain controller. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. 
Immediate investigation is required to determine the source and intent of the change.","The following analytic detects the disabling of important audit policies. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. Immediate investigation is required to determine the source and intent of the change.","Detects activity when a member is added to a security-enabled global group","Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate\nthat the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting\nvulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain\naccount.","Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active\nDirectory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly\nany action in Active Directory and on domain-joined systems.","This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher privileges or sensitive resources. 
By monitoring AD logs, this detection identifies such suspicious behavior, which could be part of a larger attack strategy aimed at compromising critical systems and data.","This detection identifies when users are added to privileged Active Directory\ngroups by leveraging the Windows Security Event Code 4728 along with a lookup\nof privileged AD groups provided by Splunk Enterprise Security.\nAttackers often add user accounts to privileged AD groups to escalate privileges\nor maintain persistence within an Active Directory environment.\nMonitoring for modifications to privileged groups can help identify potential security breaches\nand unauthorized access attempts.","This analytic detects an increase in modifications to AD user objects. A large volume of changes to user objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment.","Detects scenarios where one can control another user's or computer's account without having to use their credentials.","Detects scenarios where weak encryption is enabled for a user profile which could be used for hash/password cracking.","An attacker can use the SID history attribute to gain additional privileges.","Identifies the modification of an account's Kerberos pre-authentication options. An adversary with\nGenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password\ncracking attacks such as AS-REP roasting.","Detects the creation and modification of an account with the \"Don't Expire Password\" option Enabled. 
Attackers can abuse\nthis misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this\nproperty.","Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to\nmaintain persistence to the domain by having the ability to request tickets for the KRBTGT service.","The following analytic detects when the Kerberos Pre-Authentication flag is disabled in a user account, using Windows Security Event 4738. This event indicates a change in the UserAccountControl property of a domain user object. Disabling this flag allows adversaries to perform offline brute force attacks on the user's password using the AS-REP Roasting technique. This activity is significant as it can be used by attackers with existing privileges to escalate their access or maintain persistence. If confirmed malicious, this could lead to unauthorized access and potential compromise of sensitive information.","The following analytic detects changes to the sIDHistory attribute of user or computer objects across different domains. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute allows users to inherit permissions from other AD accounts, which can be exploited by adversaries for inter-domain privilege escalation and persistence. If confirmed malicious, this could enable attackers to gain unauthorized access to resources, maintain persistence, and escalate privileges across domain boundaries.","The following analytic identifies when the SID of a privileged user is added to the SID History attribute of another user. It leverages Windows Security Event Codes 4742 and 4738, combined with identity lookups, to detect this activity. This behavior is significant as it may indicate an attempt to abuse SID history for unauthorized access across multiple domains. 
If confirmed malicious, this activity could allow an attacker to escalate privileges or maintain persistent access within the environment, posing a significant security risk.","The following analytic detects changes to the sIDHistory attribute of user or computer objects within the same domain. It leverages Windows Security Event Codes 4738 and 4742 to identify when the sIDHistory attribute is modified. This activity is significant because the sIDHistory attribute can be abused by adversaries to grant unauthorized access by inheriting permissions from another account. If confirmed malicious, this could allow attackers to maintain persistent access or escalate privileges within the domain, posing a severe security risk.","Detects the creation of a user with the \"$\" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.","Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to\nelevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security\nvulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.","The following analytic detects a suspicious computer account name change in Active Directory. It leverages Event ID 4781, which logs account name changes, to identify instances where a computer account name is changed to one that does not end with a `$`. This behavior is significant as it may indicate an attempt to exploit CVE-2021-42278 and CVE-2021-42287, which can lead to domain controller impersonation and privilege escalation. If confirmed malicious, this activity could allow an attacker to gain elevated privileges and potentially control the domain.","The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. 
It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) to identify sequences where a newly renamed computer account requests a TGT. This behavior is significant as it could represent an attempt to escalate privileges by impersonating a Domain Controller. If confirmed malicious, this activity could allow attackers to gain elevated access and potentially control over the domain environment.","Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer","Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs).\nAdversaries may modify these default GPOs to deploy malicious configurations across the domain.","Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale","Detects DCShadow via create new SPN","Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.","Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.","Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.","Detects possible addition of shadow credentials to an active directory object.","Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a\nuser/computer account. 
Attackers can use this backdoor to re-obtain access to hashes of any user/computer.","Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object.\nAttackers can abuse control over the object and create a key pair, append the raw public key to the attribute, and obtain\npersistent and stealthy access to the target user or computer object.","Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a\nuser to configure Service Principal Names (SPNs) so that they can perform Kerberoasting. Administrators can also\nconfigure this for legitimate purposes, exposing the account to Kerberoasting.","Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent\nbackdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the\nAdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on\nthe protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their\nAdministrative Privileges.","Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from\nthe SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder\nobject. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected\naccounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will\nremain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these\ngroups.","Detects modifications in the msDS-ManagedAccountPrecededByLink attribute of a delegated managed service account by an unusual\nsubject account. 
Attackers can abuse this attribute to take over the permission of a target account and inherit its permissions\nallowing them to further elevate privileges.","Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can\nabuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials\ncontains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys,\ncertificates, and certificate requests.","Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or\nuse them to add users as local admins.","Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the\nGPO.","The following analytic detects modifications to the Access Control List (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition of new rules. It leverages EventCode 5136 from the Security Event Log, focusing on changes to the nTSecurityDescriptor attribute. This activity is significant because the AdminSDHolder object secures privileged group members, and unauthorized changes can allow attackers to establish persistence and escalate privileges. If confirmed malicious, this could enable an attacker to control domain-level permissions, compromising the entire Active Directory environment.","This detection identifies an Active Directory access-control list (ACL) modification event, which applies permissions that deny the ability to enumerate permissions of the object.","This detection monitors the addition of the following ACLs to an Active Directory group object: \"Full control\", \"All extended rights\", \"All validated writes\",  \"Create all child objects\", \"Delete all child objects\", \"Delete subtree\", \"Delete\", \"Modify permissions\", \"Modify owner\", and \"Write all properties\".  
Such modifications can indicate potential privilege escalation or malicious activity. Immediate investigation is recommended upon alert.","This detection monitors the addition of the following ACLs to an Active Directory user object: \"Full control\",\"All extended rights\",\"All validated writes\", \"Create all child objects\",\"Delete all child objects\",\"Delete subtree\",\"Delete\",\"Modify permissions\",\"Modify owner\",\"Write all properties\".  Such modifications can indicate potential privilege escalation or malicious activity. Immediate investigation is recommended upon alert.","This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack.","The following analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136 from the Windows Security Event Log to identify when these permissions are granted. This activity is significant because it indicates potential preparation for a DCSync attack, which can be used to replicate AD objects and exfiltrate sensitive data. If confirmed malicious, an attacker could gain extensive access to Active Directory, leading to severe data breaches and privilege escalation.","ACL deletion performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source device during triage.","ACL modification performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. 
Drill into the logonID within EventCode 4624 for information on the source device during triage.","This detection identifies when an Active Directory Group Policy is deleted using the Group Policy Management Console.","This detection identifies when an Active Directory Group Policy is disabled using the Group Policy Management Console.","This detection identifies when a new client side extension is added to an Active Directory Group Policy using the Group Policy Management Console.","This analytic is looking for when an ACL is applied to an OU which denies listing the objects residing in the OU. This activity combined with modifying the owner of the OU will hide AD objects even from domain administrators.","AD Object Owner Updated. The owner provides Full control level privileges over the target AD Object. This event has significant impact alone and is also a precursor activity for hiding an AD object.","Detect when a user creates a new DACL in AD for their own AD object.","The following analytic detects the addition of a Service Principal Name (SPN) to a domain account. It leverages Windows Event Code 5136 and monitors changes to the servicePrincipalName attribute. This activity is significant because it may indicate an attempt to perform Kerberoasting, a technique where attackers extract and crack service account passwords offline. If confirmed malicious, this could allow an attacker to obtain cleartext passwords, leading to unauthorized access and potential lateral movement within the domain environment.","The following analytic identifies the addition and quick deletion of a Service Principal Name (SPN) to a domain account within 5 minutes. This detection leverages EventCode 5136 from the Windows Security Event Log, focusing on changes to the servicePrincipalName attribute. This activity is significant as it may indicate an attempt to perform Kerberoasting, a technique used to crack the cleartext password of a domain account offline. 
If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive information or escalate privileges within the domain environment.","The following analytic detects modifications to the SID History attribute in Active Directory by leveraging event code 5136. This detection uses logs from the `wineventlog_security` data source to identify changes to the sIDHistory attribute. Monitoring this activity is crucial as the SID History attribute can be exploited by adversaries to inherit permissions from other accounts, potentially granting unauthorized access. If confirmed malicious, this activity could allow attackers to maintain persistent access and escalate privileges within the domain, posing a significant security risk.","This detection monitors changes to the following Active Directory attributes: \"msDS-AllowedToDelegateTo\", \"msDS-AllowedToActOnBehalfOfOtherIdentity\", \"msDS-KeyCredentialLink\", \"scriptPath\", and \"msTSInitialProgram\".  Modifications to these attributes can indicate potential malicious activity or privilege escalation attempts. Immediate investigation is recommended upon alert.","The following analytic detects modifications to default Group Policy Objects (GPOs) using Event ID 5136. It monitors changes to the `Default Domain Controllers Policy` and `Default Domain Policy`, which are critical for enforcing security settings across domain controllers and all users/computers, respectively. This activity is significant because unauthorized changes to these GPOs can indicate an adversary with privileged access attempting to deploy persistence mechanisms or execute malware across the network. If confirmed malicious, such modifications could lead to widespread compromise, allowing attackers to maintain control and execute arbitrary code on numerous hosts.","The following analytic detects the creation of a new Group Policy Object (GPO) by leveraging Event IDs 5136 and 5137. 
This detection uses directory service change events to identify when a new GPO is created. Monitoring GPO creation is crucial as adversaries can exploit GPOs to escalate privileges or deploy malware across an Active Directory network. If confirmed malicious, this activity could allow attackers to control system configurations, deploy ransomware, or propagate malware, leading to widespread compromise and significant operational disruption.","The following analytic identifies the creation and quick deletion of a DNS object within 300 seconds in an Active Directory environment, indicative of a potential attack abusing DNS. This detection leverages Windows Security Event Codes 5136 and 5137, analyzing the duration between these events. This activity is significant as temporary DNS entries allow attackers to cause unexpected network traffic, leading to potential compromise.","Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and\nreplication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces\nsome security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to\ncreate DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match\nrecords contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS\nspoofing.","Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the\nGlobal Query Block List (GQBL) and create a \"wpad\" record to exploit hosts running WPAD with default settings for\nprivilege escalation and lateral movement.","Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and\nreplication to maintain domain consistency. 
It stores DNS zones as AD objects, a feature that, while robust, introduces\nsome security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers\ncan perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target\nsystems that are requested from multiple systems. They can also create specific records to target specific services,\nsuch as wpad, for spoofing attacks.","Detects the creation of a delegated Managed Service Account by an unusual subject account. Attackers can abuse the dMSA\naccount migration feature to elevate privileges by abusing weak permissions that grant users child object rights or\nmsDS-DelegatedManagedServiceAccount rights.","The following analytic identifies the creation and quick deletion of a Domain Controller (DC) object within 30 seconds in an Active Directory environment, indicative of a potential DCShadow attack. This detection leverages Windows Security Event Codes 5137 and 5141, analyzing the duration between these events. This activity is significant as DCShadow allows attackers with privileged access to register a rogue DC, enabling unauthorized changes to AD objects, including credentials. If confirmed malicious, this could lead to unauthorized AD modifications, compromising the integrity and security of the entire domain.","Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target the Common Log File System.","Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations","Detects loading of \"Amsi.dll\" by a living off the land process. This could be an indication of a \"PowerShell without PowerShell\" attack","Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. 
the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.","Detects rundll32 loading a renamed comsvcs.dll to dump process memory","Detects loading of \"credui.dll\" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of \"CredUIPromptForCredentials\" or \"CredUnPackAuthenticationBufferW\".","Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrinity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.","Detects processes loading modules related to PCRE.NET package","Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.\nThis library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.\nIt could also be used for anti-analysis purposes by shutting down specific processes.","Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.\nThis library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). 
It has also recently been seen used by the BiBi wiper for Windows.\nIt could also be used for anti-analysis purposes by shutting down specific processes.","Detects exploitation of both the CVE-2022-30190 (Follina) and DogWalk vulnerabilities, which abuse the msdt.exe binary to load the \"sdiageng.dll\" library","Detects loading of essential DLLs used by PowerShell by non-PowerShell process.\nDetects behavior similar to meterpreter's \"load powershell\" extension.","Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.","Detects the loading of unsigned .node files.\nAdversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.\n.node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.\nThis technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.","Detects the image load of vss_ps.dll by uncommon executables. 
This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes.\nIt is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.\nThe fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.","Detects the image load of VSS DLL by uncommon executables","Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs","Detects SILENTTRINITY stager dll loading activity","Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class","Loading unsigned image (DLL, EXE) into LSASS process","Detects any assembly DLL being loaded by an Office Product","Detects CLR DLL being loaded by an Office Product","Detects any GAC DLL being loaded by an Office Product","Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location","Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process","Detects PowerShell core DLL being loaded by an Office Product","Detects VB DLL's loaded by an office application. 
Which could indicate the presence of VBA Macros.","Detects a remote DLL load event via \"rundll32.exe\".","Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indicate WMI ActiveScriptEventConsumers EventConsumers activity.","Detects potential DLL sideloading of \"7za.dll\"","Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations","Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.","Detects potential DLL sideloading of \"appverifUI.dll\"","Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking","Detects potential DLL sideloading of \"AVKkid.dll\"","Detects potential DLL sideloading of \"CCleanerDU.dll\"","Detects potential DLL sideloading of \"CCleanerReactivator.dll\"","Detects potential DLL sideloading of \"chrome_frame_helper.dll\"","Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software","Detects potential DLL sideloading using comctl32.dll to obtain system privileges","Detect usage of the \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.","Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.","Detects DLL sideloading of \"dbgcore.dll\"","Detects potential DLL sideloading of \"dbghelp.dll\"","Detects potential DLL sideloading of \"DbgModel.dll\"","Detects potential DLL sideloading of \"EACore.dll\"","Detects potential DLL sideloading of \"edputil.dll\"","Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).","Detects potential DLL sideloading of \"goopdate.dll\", a DLL used by googleupdate.exe","Detects potential DLL sideloading of \"libcurl.dll\" by the \"gup.exe\" process from an uncommon 
location","Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)","Detects potential DLL side-loading of jli.dll.\nJLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,\nand others in order to load malicious payloads in context of legitimate Java processes.","Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor","Detects potential DLL side loading of \"KeyScramblerIE.dll\" by \"KeyScrambler.exe\".\nVarious threat actors and malware have been found side loading a masqueraded \"KeyScramblerIE.dll\" through \"KeyScrambler.exe\".","Detects potential DLL sideloading of \"libvlc.dll\", a DLL that is legitimately used by \"VLC.exe\"","Detects potential DLL sideloading of \"mfdetours.dll\". While using \"mftrace.exe\" it can be abused to attach to an arbitrary process and force load any DLL named \"mfdetours.dll\" from the current directory of execution.","Detects DLL sideloading of unsigned \"mfdetours.dll\". 
Executing \"mftrace.exe\" can be abused to attach to an arbitrary process and force load any DLL named \"mfdetours.dll\" from the current directory of execution.","Detects potential DLL sideloading of \"MpSvc.dll\".","Detects potential DLL sideloading of \"mscorsvc.dll\".","Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts.\nPhantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.","Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location","Detects potential DLL sideloading of Python DLL files.","Detects potential DLL sideloading of rcdll.dll","Detects loading of \"RjvPlatform.dll\" by the \"SystemResetPlatform.exe\" binary which can be abused as a method of DLL side loading since the \"$SysReset\" directory isn't created by default.","Detects potential DLL sideloading of \"RjvPlatform.dll\" by \"SystemResetPlatform.exe\" located in a non-default location.","Detects potential DLL sideloading of \"roboform.dll\", a DLL used by RoboForm Password Manager","Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter","Detects potential DLL sideloading of \"ShellDispatch.dll\"","Detects potential DLL sideloading of \"SmadHook.dll\", a DLL used by SmadAV antivirus","Detects potential DLL sideloading of \"SolidPDFCreator.dll\"","Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)","The Fax service attempts to load ualapi.dll, which is non-existent. 
An attacker can then (side)load their own malicious DLL using this service.","Detects potential DLL sideloading of \"vivaldi_elf.dll\"","Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.","Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.","Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.","Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL","Detects potential DLL sideloading of \"waveedit.dll\", which is part of the Nero WaveEditor audio editing software.","Detects potential DLL side loading of DLLs that are part of the Wazuh security platform","Detects potential sideloading of \"mpclient.dll\" by Windows Defender processes (\"MpCmdRun\" and \"NisSrv\") from their non-default directory.","Detects potential DLL sideloading of \"wwlib.dll\"","Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.\nThis technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)\nwhich can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.","Detects unsigned module load by ClickOnce application.","Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as \"C:\\Users\\Public\"","Detects the image load of \"Python Core\" by a non-Python process. 
This might be indicative of an execution of an executable that has been bundled from Python code.\nVarious tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.\nThreat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.","Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.","Detects windows utilities loading an unsigned or untrusted DLL.\nAdversaries often abuse those programs to proxy execution of malicious code.","Detects loading and execution of an unsigned thor scanner binary.","Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL from temp or any user controlled location in the user's %PATH%","Attempts to load dismcore.dll after dropping it","Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt\nto execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.","Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.\nThese DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.","Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g \"C:\\Windows \\System32\") which can bypass Windows trusted path verification.\nThis technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.","Detects WMI command line event consumers","Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to 
download and execute an XSL file (i.e js, vbs, etc).\nIt could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.","Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.","Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.","Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a\nprocess memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in\npreparation for credential access.","The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.","The following analytic detects the loading of the dynwrapx.dll module, which is associated with the DynamicWrapperX ActiveX component. This detection leverages Sysmon EventCode 7 to identify processes that load or register dynwrapx.dll. This activity is significant because DynamicWrapperX can be used to call Windows API functions in scripts, making it a potential tool for malicious actions. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the host. 
Immediate investigation of parallel processes and registry modifications is recommended.","The following analytic detects the execution of MS scripting processes (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant as it may indicate an attempt to query LDAP for host information, a behavior observed in FIN7 implants. If confirmed malicious, this could allow attackers to gather detailed Active Directory information, potentially leading to further exploitation or data exfiltration.","The following analytic detects the loading of WMI modules by Microsoft scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode 7 to identify instances where these scripting engines load specific WMI-related DLLs. This activity is significant because it can indicate the presence of malware, such as the FIN7 implant, which uses JavaScript to execute WMI queries for gathering host information to send to a C2 server. If confirmed malicious, this behavior could allow attackers to collect sensitive system information and maintain persistence within the environment.","The following analytic detects the loading of `msi.dll` by a binary not located in `system32`, `syswow64`, `winsxs`, or `windows` directories. This is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate system paths. This activity is significant as it may indicate exploitation of CVE-2021-41379 or DLL side-loading attacks, both of which can lead to unauthorized system modifications. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.","The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. 
It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows System32 spool drivers x64 directory. This activity is significant as it may signify an attacker exploiting the PrintNightmare vulnerability to execute arbitrary code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and persistent access within the environment, posing a severe security risk.","The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems.","The following analytic detects the loading of an unsigned DLL by the MMC.exe application, which is indicative of a potential UAC bypass or privilege escalation attempt. It leverages Sysmon EventCode 7 to identify instances where MMC.exe loads a non-Microsoft, unsigned DLL. This activity is significant because attackers often use this technique to modify CLSID registry entries, causing MMC.exe to load malicious DLLs, thereby bypassing User Account Control (UAC) and gaining elevated privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with higher privileges, leading to further system compromise and persistence.","The following analytic detects a potential UAC bypass using the colorui.dll COM Object. It leverages Sysmon EventCode 7 to identify instances where colorui.dll is loaded by a process other than colorcpl.exe, excluding common system directories. 
This activity is significant because UAC bypass techniques are often used by malware, such as LockBit ransomware, to gain elevated privileges without user consent. If confirmed malicious, this could allow an attacker to execute code with higher privileges, leading to further system compromise and persistence within the environment.","The following analytic detects a suspicious process loading a COM object from wbemprox.dll, fastprox.dll, or wbemcomn.dll. It leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes not typically associated with them, excluding known legitimate processes and directories. This activity is significant as it may indicate an attempt by threat actors to abuse COM objects for privilege escalation or evasion of detection mechanisms. If confirmed malicious, this could allow attackers to gain elevated privileges or maintain persistence within the environment, posing a significant security risk.","Detects DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path via Sysmon ImageLoad events.","The following analytic detects potentially abnormal interactions with VaultCLI.dll, particularly those initiated by processes located in publicly writable Windows folder paths. The VaultCLI.dll module allows processes to extract credentials from the Windows Credential Vault. It was seen being abused by information stealers such as Meduza. The analytic monitors suspicious API calls, unauthorized credential access patterns, and anomalous process behaviors indicative of malicious activity. 
By leveraging a combination of signature-based detection and behavioral analysis, it effectively flags attempts to misuse the vault for credential theft, enabling swift response to protect sensitive user data and ensure system security.","The following analytic detects instances where a Dynamic Link Library (DLL) is loaded from a temporary directory on a Windows system. Loading DLLs from non-standard paths such as %TEMP% is uncommon for legitimate applications and is often associated with adversary tradecraft, including DLL search order hijacking, side-loading, or execution of malicious payloads staged in temporary folders. Adversaries frequently leverage these directories because they are writable by standard users and often overlooked by security controls, making them convenient locations to drop and execute malicious files. This behavior may indicate attempts to evade detection, execute unauthorized code, or maintain persistence through hijacked execution flows. Detection of DLL loads from %TEMP% can help surface early signs of compromise and should be investigated in the context of the originating process, user account, and potential file creation or modification activity within the same directory.","The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references them with a lookup of known hijackable libraries. This activity is significant as it may indicate an attempt to execute malicious code by exploiting DLL search order vulnerabilities. If confirmed malicious, this could allow attackers to gain code execution, escalate privileges, or maintain persistence within the environment.","The following analytic detects the loading of the \"WindowsCodecs.dll\" by calc.exe from a non-standard location This could be indicative of a potential DLL side-loading technique. 
This detection leverages Sysmon EventCode 7 to identify the DLL side-loading activity. In previous versions of the \"calc.exe\" binary, namely on Windows 7, it was vulnerable to DLL side-loading, where an attacker is able to load an arbitrary DLL named \"WindowsCodecs.dll\". This technique has been observed in Qakbot malware. This activity is significant as it indicates potential malware execution through a trusted process, which can bypass security controls. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges within the environment.","The following analytic identifies instances where executable files (.exe) are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This method leverages Sysmon EventCode 7 to track unusual module loading behavior, which is significant as it deviates from the norm of loading .dll files. This activity is crucial for SOC monitoring because it can indicate the presence of malware like NjRAT, which uses this technique to load malicious modules. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and further compromise the host system.","The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode 7 to identify these DLLs being loaded outside typical system directories. Monitoring this activity is crucial as it may indicate attempts to gather sensitive identity information. If confirmed malicious, this behavior could allow attackers to obtain credentials, escalate privileges, or further infiltrate the network.","The following analytic detects a process loading a version.dll file from a directory other than %windir%\\system32 or %windir%\\syswow64. 
This detection leverages Sysmon EventCode 7 to identify instances where an unsigned or improperly located version.dll is loaded. This activity is significant as it is a common technique used in ransomware and APT malware campaigns, including Brute Ratel C4, to execute malicious code via DLL side loading. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and potentially compromise the target host.","The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This activity is significant because adversaries often abuse these modules to create fake credential prompts or dump credentials, posing a risk of credential theft. If confirmed malicious, this activity could allow attackers to harvest user credentials, leading to unauthorized access and potential lateral movement within the network.","The following analytic detects instances where the Windows InstallUtil.exe binary loads `vaultcli.dll` and `Samlib.dll`. This detection leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant because it can indicate an attempt to execute code that bypasses application control and captures credentials using tools like Mimikatz. If confirmed malicious, this behavior could allow an attacker to steal credentials, potentially leading to unauthorized access and further compromise of the system.","The following analytic detects when DLLs with known abuse history are loaded from an unusual location. This activity may represent an attacker performing a DLL search order or sideload hijacking technique. These techniques are used to gain persistence as well as elevate privileges on the target system. 
This detection relies on Sysmon EID7 and is compatible with all Official Sysmon TA versions.","The following analytic detects the loading of DLL modules associated with the GraphicalProton backdoor implant, commonly used by SVR in targeted attacks. It leverages Sysmon EventCode 7 to identify specific DLLs loaded by processes. This activity is significant as it may indicate the presence of a sophisticated backdoor, warranting immediate investigation. If confirmed malicious, the attacker could gain persistent access to the compromised host, potentially leading to further exploitation and data exfiltration.","The following analytic identifies when a Windows process loads scripting libraries like jscript.dll or vbscript.dll to execute script code on a target system. While these DLLs are legitimate parts of the operating system, their use by unexpected processes or in unusual contexts can indicate malicious activity, such as script-based malware, living-off-the-land techniques, or automated attacks. This detection monitors which processes load these libraries, along with their command-line arguments and parent processes, to help distinguish normal administrative behavior from potential threats. 
Alerts should be investigated with attention to the process context and any subsequent network or system activity, as legitimate tools like MMC snap-ins may also trigger this behavior under routine administrative tasks.","The following analytic detects the loading of specific dynamic-link libraries (DLLs) associated with the NetSupport Remote Manager (RMM) tool by any process on a Windows system.\nModules such as CryptPak.dll, HTCTL32.DLL, IPCTL32.DLL, keyshowhook.dll, pcicapi.DLL, PCICL32.DLL, and TCCTL32.DLL, are integral to NetSupport's functionality.\nThis detection is particularly valuable when these modules are loaded by processes running from unusual directories (e.g., Downloads, ProgramData, or user-specific folders) rather than the legitimate Program Files installation path, or by executables that have been renamed but retain the internal \"client32\" identifier.\nThis helps to identify instances where the legitimate NetSupport tool is being misused by adversaries as a Remote Access Trojan (RAT).","The following analytic detects the loading of the mshtml.dll module into an Office product, which is indicative of CVE-2021-40444 exploitation. It leverages Sysmon EventID 7 to monitor image loads by specific Office processes. This activity is significant because it can indicate an attempt to exploit a vulnerability in the MSHTML component via a malicious document. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network penetration.","The following analytic detects an Office document creating a scheduled task, either through a macro VBA API or by loading `taskschd.dll`. This detection leverages Sysmon EventCode 7 to identify when Office applications load the `taskschd.dll` file. This activity is significant as it is a common technique used by malicious macro malware to establish persistence or initiate beaconing. 
If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, or schedule future malicious activities, posing a significant threat to the environment.","The following analytic identifies office documents executing macro code. It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant because macros are a common attack vector for delivering malicious payloads, such as malware. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Disabling macros by default is recommended to mitigate this risk.","The following analytic identifies the loading of four specific Windows DLLs (credui.dll, dbghelp.dll, samcli.dll, winhttp.dll) by a non-standard process. This detection leverages Sysmon EventCode 7 to monitor DLL load events and flags when all four DLLs are loaded within a short time frame. This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could lead to unauthorized access, credential theft, and further compromise of the affected system.","The following analytic detects instances where the taskschd.dll is loaded by processes running in suspicious or writable directories. This activity is unusual, as legitimate processes that load taskschd.dll typically reside in protected system locations. Malware or threat actors may attempt to load this DLL from writable or non-standard directories to manipulate the Task Scheduler and execute malicious tasks. 
By identifying processes that load taskschd.dll in these unsafe locations, this detection helps security analysts flag potentially malicious activity and investigate further to prevent unauthorized system modifications.","SpeechRuntime is vulnerable to an attack that allows a user to run code on another user's session remotely and stealthily by exploiting a Windows COM class. When this class is invoked, it launches SpeechRuntime.exe in the context of the currently logged-on user. Because this COM class is susceptible to COM Hijacking, the attacker can alter the registry remotely to point to a malicious DLL. By dropping that DLL on the target system (e.g., via SMB) and triggering the COM object, the attacker causes the malicious DLL to load into SpeechRuntime.exe and execute under the user's context. This detection identifies suspicious DLL loads by SpeechRuntime.exe from outside the expected locations.","The following analytic detects the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. It leverages Sysmon EventCode 7 logs, focusing on instances where SQLDumper.exe or SQLWriter.exe load vcruntime140.dll, excluding legitimate loads from the System32 directory. This activity is significant as it indicates potential DLL sideloading, a technique used by adversaries to execute malicious code within trusted processes. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and evade detection by blending with legitimate processes.","The following analytic detects the creation of potentially malicious unsigned DLLs in the c:\\windows\\system32 or c:\\windows\\syswow64 folders. It leverages Sysmon EventCode 7 logs to identify unsigned DLLs with unavailable signatures loaded in these critical directories. This activity is significant as it may indicate a DLL hijacking attempt, a technique used by attackers to gain unauthorized access and execute malicious code. 
If confirmed malicious, this could lead to privilege escalation, allowing the attacker to gain elevated privileges and further compromise the target system.","This detection identifies unsigned DLLs loaded through DLL side-loading with same file path with the process loaded the DLL, a technique observed in DarkGate malware. This detection monitors DLL loading, verifies signatures, and flags unsigned DLLs. Suspicious file paths and known executable associations are checked. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats.","The following analytic identifies potential DLL side-loading instances involving unsigned DLLs mimicking Microsoft signatures. It detects this activity by analyzing Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories like `system32`, `syswow64`, and `programfiles`. This behavior is significant as adversaries often exploit DLL side-loading to execute malicious code via legitimate processes. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to privilege escalation, persistence, and unauthorized access to sensitive information.","The following analytic identifies processes loading Mozilla NSS-Mozglue libraries such as mozglue.dll and nss3.dll. It leverages Sysmon Event logs, specifically monitoring EventCode 7, which tracks image loaded events. This activity is significant because it can indicate unauthorized access or manipulation of these libraries, which are commonly used by Mozilla applications like Firefox and Thunderbird. 
If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.","Detects remote thread creation from CACTUSTORCH as described in references.","Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons","Detects remote thread creation in \"KeePass.exe\" which could indicate potential password dumping activity","Detects remote thread creation in the \"mstsc.exe\" process by a process located in a potentially suspicious location.\nThis technique is often used by attackers in order to hook some APIs used by DLLs loaded by \"mstsc.exe\" during RDP authentications in order to steal credentials.","Detects remote thread creation by PowerShell processes into \"lsass.exe\"","Detects the creation of a remote thread from a Powershell process in an uncommon target process","Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.","Detects uncommon processes creating remote threads.","Detects uncommon target processes for remote thread creation","Detects a remote thread creation of Ttdinject.exe used as proxy","An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes\nused to evade detection or elevate privileges.","The following analytic detects suspicious process injection in command shell applications, specifically targeting `cmd.exe` and `powershell.exe`. It leverages Sysmon EventCode 8 to identify the creation of remote threads within these shell processes. This activity is significant because it is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes. 
If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.","The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon EventID 8 logs, focusing on processes that create remote threads in lsass.exe. This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network. Analysts should investigate to differentiate between legitimate tools and potential threats.","The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly used by malware such as TrickBot and offensive tools like Cobalt Strike to execute malicious payloads, establish reverse shells, or download additional malware. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.","The following analytic detects the creation of a remote thread by rundll32.exe into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring SourceImage and TargetImage fields. This activity is significant as it is a common technique used by malware, such as IcedID, to execute malicious code within legitimate processes, aiding in defense evasion and data theft. 
If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, and exfiltrate sensitive information from the compromised host.","The following analytic detects the suspicious creation of a remote thread by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8, focusing on SourceImage and TargetImage fields to identify the behavior. This activity is significant as it is commonly associated with malware like IcedID, which hooks browsers to steal sensitive information such as banking details. If confirmed malicious, this could allow attackers to intercept and exfiltrate sensitive user data, leading to potential financial loss and privacy breaches.","The following analytic identifies the suspicious remote thread execution of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring SourceImage and TargetImage fields. This activity is significant because it is indicative of Qakbot malware, which injects malicious code into legitimate processes to steal information. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised host.","The following analytic detects suspicious remote thread execution in processes such as Taskmgr.exe, calc.exe, and notepad.exe, which may indicate process injection by malware like Qakbot. This detection leverages Sysmon EventCode 8 to identify remote thread creation in specific target processes. This activity is significant as it often signifies an attempt by malware to inject malicious code into legitimate processes, potentially leading to unauthorized code execution. 
If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence on the compromised host.","The following analytic detects a process from a non-standard file path on Windows attempting to create a remote thread in another process. This is identified using Sysmon EventCode 8, focusing on processes not originating from typical system directories. This behavior is significant as it often indicates process injection, a technique used by adversaries to evade detection or escalate privileges. If confirmed malicious, this activity could allow an attacker to execute arbitrary code within another process, potentially leading to unauthorized actions and further compromise of the system.","One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution","Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection\nor destroy forensic evidence on a system.","The following analytic detects the clearing of Windows event logs by identifying Windows Security Event ID 1102 or System log event 104. This detection leverages Windows event logs to monitor for log clearing activities. Such behavior is significant as it may indicate an attempt to cover tracks after malicious activities. If confirmed malicious, this action could hinder forensic investigations and allow attackers to persist undetected, making it crucial to investigate further and correlate with other alerts and data sources.","Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.","Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.","Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dll\" DLL. Which is often used by attackers to perform AD enumeration.","Detects powershell scripts that add a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and use a specified server for answering the query.","Detects usage of the \"Add-WindowsCapability\" cmdlet to add Windows capabilities. Notable capabilities could be \"OpenSSH\" and others.","Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7","Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts","Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities","Detects Silence EmpireDNSAgent as described in the Group-IB report","Detects AS-REP roasting, an attack that is often overlooked. 
It is not very common as you have to explicitly set accounts that do not require pre-authentication.","Detects potential exfiltration attempt via audio file using PowerShell","Once established within a system or network, an adversary may use automated techniques for collecting internal data.","Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations","Detects keywords that could indicate clearing PowerShell history","Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.","Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code","Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file","Uses PowerShell to install/copy a file into a system directory such as \"System32\" or \"SysWOW64\"","Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)","Detects creation of a local user via PowerShell","Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.\nThe fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.\nIt is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in 
Windows Server 2025.\nOn top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,\nit is a strong signal of an attempted or successful abuse of the BadSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.","Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information","Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox","Enumerates Active Directory to determine computers that are joined to the domain","Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.","Detects scripts or commands that disable the Powershell command history by removing the psreadline module","Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images","Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory","Detects usage of COM objects that can be abused to download files in PowerShell by CLSID","Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\nThe DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. 
These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.","Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.","Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.","Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images","Detects usage of powershell cmdlets to disable or remove ETW trace sessions","Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.","Detects attempts of decoding a base64 Gzip archive in a PowerShell script. 
This technique is often used as a method to load malicious content into memory afterward.","Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services","Detects usage of the \"Get-AdComputer\" to enumerate Computers or properties within Active Directory.","Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory","The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.","Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.","Detects calls to \"get-process\" where the output is piped to a \"where-object\" filter to search for security solution processes.\nAdversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus","Detects the execution of the hacktool Rubeus using specific command line flags","Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. 
A tool for Windows and Active Directory reconnaissance and exploitation.","Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers","Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.","Detects powershell scripts that import modules from suspicious directories","Detects usage of the \"Add-AppxPackage\" or its alias \"Add-AppPackage\" to install unsigned AppX packages","DNSExfiltrator allows for transferring (exfiltrating) a file over a DNS request covert channel","Detects Obfuscated use of Clip.exe to execute PowerShell","Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014","Detects Obfuscated use of stdin to execute PowerShell","Detects Obfuscated use of Environment Variables to execute PowerShell","Detects Obfuscated Powershell via COMPRESS OBFUSCATION","Detects Obfuscated Powershell via RUNDLL LAUNCHER","Detects Obfuscated Powershell via Stdin in Scripts","Detects Obfuscated Powershell via use Clip.exe in Scripts","Detects Obfuscated Powershell via use MSHTA in Scripts","Detects Obfuscated Powershell via use Rundll32 in Scripts","Detects Obfuscated Powershell via VAR++ LAUNCHER","Adversaries may log user keystrokes to intercept credentials as the user types them.","Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups","Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations","Detects Commandlet names from well-known PowerShell exploitation frameworks","Detects keywords from 
well-known PowerShell exploitation frameworks","Detects usage of a PowerShell command to dump the live memory of a Windows machine","Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts.\nThis command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.","Detect malicious GPO modifications can be used to implement many other malicious behaviors.","Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code","Detects Commandlet names and arguments from the Nishang exploitation framework","Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.","Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs","Detects the execution of powershell scripts with calls to the \"Start-NetEventSession\" cmdlet. Which allows an attacker to start event and packet capture for a network event session.\nAdversaries may attempt to capture network to gather information over the course of an operation.\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.","Detects Invoke-Mimikatz PowerShell script and alike. 
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.","Detects the use of the \"Get-ADComputer\" cmdlet in order to identify systems which are configured for unconstrained delegation.","Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse","Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.","Detects PowerShell calling a credential prompt","Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell","Detects the use of PSAttack PowerShell hack tool","Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system","Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.","Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets.\nThis behavior is typically seen during a Kerberos or silver ticket attack. 
A successful execution will output the SPNs for the endpoint in question.","Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.","Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.","Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.","Detects PowerShell scripts leveraging the \"Invoke-WebRequest\" cmdlet to send data via either \"PUT\" or \"POST\" method.","Detect adversaries enumerate sensitive files","Detects PowerShell scripts set ACL to of a file or a folder","Detects PowerShell scripts to set the ACL to a file in the Windows folder","Detects changing the PowerShell script execution policy to a potentially insecure level using the \"Set-ExecutionPolicy\" cmdlet.","Detects Base64 encoded Shellcode","Detects Commandlet names from ShellIntel exploitation scripts.","Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.","Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.","Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. 
As seen used in the DAMP project.","Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.","Detects specific techniques often seen used inside of PowerShell scripts to obfuscate Alias creation","Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the Windows event logs","Detects technique used by MAZE ransomware to enumerate directories using Powershell","Detects suspicious PowerShell download command","Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems","Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.","Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)","Detects PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an 
Active Directory domain.","Detects the use of PowerShell to identify the current logged user.","Detect use of Get-GPO to get one GPO or all the GPOs in a domain.","Get the processes that are running on the local computer.","Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity","Detects suspicious Powershell code that executes COM Objects","Adversaries may carry out malicious operations using a virtual instance to avoid detection","Detects suspicious PowerShell invocation command parameters","Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.","Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.","Detects PowerShell scripts that contain references to keystroke capturing functions","Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework","Detects the use of PowerShell modules and cmdlets to gather local group information.\nAdversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.","Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a user's local system, such as Outlook storage or cache files.","Detects when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation","Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism","Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.","Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity","Once established within a system or network, an adversary may use automated techniques for collecting internal data","Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.","Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)","Detects Set-Alias or New-Alias cmdlet usage. 
Which can be used as a means to obfuscate PowerShell scripts","Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.","Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.","Powershell use PassThru option to start in background","Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.","An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper","Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.","Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil","Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden","Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. 
The cmdlet can be leveraged to write malicious payloads to the EventLog and then retrieve them for later use","Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\nAn adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.","Detects SyncAppvPublishingServer process execution which is usually utilized by adversaries to bypass PowerShell execution restrictions.","Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet","Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.","Adversaries may communicate using a protocol and port pairing that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.","Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.","Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file","Detects calls to \"Add-Content\" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence","Detects attempts to modify the registry using VBScript's CreateObject(\"Wscript.shell\") and RegWrite methods embedded within PowerShell scripts or commands.\nThreat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through 
traditional tools.\nThis technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.","Detects execution of a PowerShell script that contains calls to the \"Veeam.Backup\" class, in order to dump stored credentials.","Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs","Detects usage of the WMI class \"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script","Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class","Detects use of WinAPI functions in PowerShell scripts","Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions","Detects when a user disables the Windows Firewall via a Profile to help evade defense.","Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. 
Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.","Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.","Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts","Detects parameters used by WMImplant","Detect use of X509Enrollment","Detects PowerShell scripts with repeated invalid backtick escapes between word characters (letters, digits, underscore,\nor dash), splitting tokens while preserving execution. Attackers use this obfuscation to fragment keywords and evade\npattern-based detection and AMSI.","Detects PowerShell scripts that uses backtick-escaped characters inside `${}` variable expansion (multiple backticks\nbetween word characters) to reconstruct strings at runtime. Attackers use variable-expansion obfuscation to split\nkeywords, hide commands, and evade static analysis and AMSI.","Detects PowerShell scripts that reconstructs strings from char[] arrays, index lookups, or repeated ([char]NN)+\nconcatenation/join logic. Attackers use character-array reconstruction to hide commands, URLs, or payloads and evade\nstatic analysis and AMSI.","Detects PowerShell scripts that builds commands from concatenated string literals inside dynamic invocation constructs\nlike &() or .(). 
Attackers use concatenated dynamic invocation to obscure execution intent, bypass keyword-based\ndetections, and evade AMSI.","Detects long PowerShell script block content with unusually high numeric character density (high digit-to-length ratio), often produced by byte arrays, character-code reconstruction, or embedded encoded blobs.\nAttackers use numeric-heavy obfuscation to conceal payloads and rebuild them at runtime to avoid static inspection.","Detects PowerShell scripts that reconstructs IEX (Invoke-Expression) by indexing environment variable strings (for example, $env:VAR[1,2,3]) or related `.name[...]` slices and joining characters at runtime.\nAttackers use environment-variable slicing to hide dynamic execution and evade keyword-based detections and AMSI.","Detects PowerShell scripts that rebuilds IEX by converting method references to strings (for example,\n''.IndexOf.ToString()) and extracting multiple indexed characters (for example, [n,n,n]). Attackers use method-string\nreconstruction to conceal dynamic execution and bypass static detections and AMSI.","Detects PowerShell scripts that uses negative index ranges (for example, $var[-1..0]) to reverse strings or arrays and\nrebuild content at runtime. Attackers use index reversal to reconstruct hidden commands or payloads and evade static\nanalysis and AMSI.","Detects PowerShell scripts containing reversed keyword strings associated with execution or network activity (for\nexample, ekovni, noisserpxe, daolnwod, tcejbo-wen, tcejboimw, etc.). 
Attackers reverse keywords and reconstruct them at\nruntime to hide intent and evade static detection and AMSI.","Detects PowerShell scripts that repeatedly concatenates multiple quoted string literals with + to assemble commands or tokens at runtime.\nAttackers use string concatenation to fragment keywords or URLs and evade static analysis and AMSI.","Detects PowerShell scripts that uses format placeholders like \"{0}{1}\" with the -f operator or ::Format to reorder strings at runtime.\nAttackers use format-based reconstruction to hide commands or payload strings and evade static analysis and AMSI.","Detects PowerShell scripts dominated by whitespace and special characters with low symbol diversity, a profile often\nproduced by formatting or encoding obfuscation. Attackers use symbol-heavy encoding or formatting (for example,\nSecureString-style blobs or character-level transforms) to hide payloads and evade static analysis and AMSI.","The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify script blocks containing `[adsisearcher]`, `objectcategory=user`, and `.findAll()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.","The following analytic detects a suspicious PowerShell command that allows inbound traffic to a specific local port within the public profile. It leverages PowerShell script block logging (EventCode 4104) to identify commands containing keywords like \"firewall,\" \"Inbound,\" \"Allow,\" and \"-LocalPort.\" This activity is significant because it may indicate an attacker attempting to establish remote access by modifying firewall rules. 
If confirmed malicious, this could allow unauthorized access to the machine, potentially leading to further exploitation and data exfiltration.","The following analytic detects the use of PowerShell to delete shadow copies via the WMIC PowerShell module. It leverages EventCode 4104 and searches for specific keywords like \"ShadowCopy\", \"Delete\", or \"Remove\" within the ScriptBlockText. This activity is significant because deleting shadow copies is a common tactic used by ransomware, such as DarkSide, to prevent data recovery. If confirmed malicious, this action could lead to irreversible data loss and hinder recovery efforts, significantly impacting business continuity and data integrity.","The following analytic detects the use of the Certify tool via an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. It leverages PowerShell Script Block Logging (EventCode 4104) to identify specific command patterns associated with Certify's enumeration and exploitation functions. This activity is significant as it indicates potential reconnaissance or exploitation attempts against AD CS, which could lead to unauthorized certificate issuance. If confirmed malicious, attackers could leverage this to escalate privileges, persist in the environment, or access sensitive information by abusing AD CS.","The following analytic detects the use of PowerShell commands to copy the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This activity is significant as it indicates an attempt to exfiltrate sensitive registry hives for offline password cracking. 
If confirmed malicious, this could lead to unauthorized access to credentials, enabling further compromise of the system and potential lateral movement within the network.","The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking for patterns involving `system.net.webclient` and base64 encoding. This behavior is significant as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation framework. If confirmed malicious, this activity could allow attackers to download and execute additional payloads, leading to potential code execution, data exfiltration, or further compromise of the affected system.","The following analytic detects the execution of Mimikatz commands via PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities such as Pass the Ticket, Pass the Hash, and credential dumping. This activity is significant as Mimikatz is a well-known tool used for credential theft and lateral movement. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.","The following analytic detects the execution of the `Get-ADUser` PowerShell cmdlet with parameters indicating a search for domain accounts with Kerberos Pre-Authentication disabled. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant because discovering accounts with Kerberos Pre-Authentication disabled can allow adversaries to perform offline password cracking. 
If confirmed malicious, this activity could lead to unauthorized access to user accounts, potentially compromising sensitive information and escalating privileges within the network.","The following analytic detects the execution of the `Get-DomainUser` commandlet with the `-PreauthNotRequired` parameter using PowerShell Script Block Logging (EventCode=4104). This command is part of PowerView, a tool used for enumerating Windows Active Directory networks. Identifying domain accounts with Kerberos Pre-Authentication disabled is significant because adversaries can leverage this information to attempt offline password cracking. If confirmed malicious, this activity could lead to unauthorized access to domain accounts, potentially compromising sensitive information and escalating privileges within the network.","The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `[adsisearcher]` and group-related queries. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.","The following analytic detects the execution of the `Get-DomainGroupMember` cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate members of elevated domain groups such as Domain Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within the domain. 
If confirmed malicious, this activity could lead to targeted attacks on privileged accounts, facilitating further compromise and lateral movement within the network.","The following analytic detects the usage of specific Exchange PowerShell modules, such as New-MailboxExportRequest, New-ManagementRoleAssignment, New-MailboxSearch, and Get-Recipient. It leverages PowerShell Script Block Logging (EventCode 4104) to identify these commands. This activity is significant because these modules can be exploited by adversaries who have gained access via ProxyShell or ProxyNotShell vulnerabilities. If confirmed malicious, attackers could export mailbox contents, assign management roles, conduct mailbox searches, or view recipient objects, potentially leading to data exfiltration, privilege escalation, or unauthorized access to sensitive information.","The following analytic detects the execution of the `Get-ADDefaultDomainPasswordPolicy` PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages PowerShell Script Block Logging (EventCode=4104) to identify the specific command execution. Monitoring this activity is significant as it can indicate an attempt to gather domain policy information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could allow an attacker to understand password policies, aiding in password attacks or further domain enumeration.","The following analytic detects the execution of the `Get-AdUser` PowerShell cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify instances where this command is executed with a filter. This activity is significant as it may indicate an attempt by adversaries or Red Teams to gather information about domain users for situational awareness and Active Directory discovery. 
If confirmed malicious, this behavior could lead to further reconnaissance and potential exploitation of user accounts within the domain.","The following analytic detects the execution of the `Get-ADUserResultantPasswordPolicy` PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Monitoring this behavior is significant as it may indicate an attempt to enumerate domain policies, a common tactic used by adversaries for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to understand password policies, aiding in further attacks such as password guessing or policy exploitation.","The following analytic detects the execution of the `Get-DomainPolicy` cmdlet using PowerShell Script Block Logging (EventCode=4104). It leverages logs capturing script block text to identify attempts to obtain the password policy in a Windows domain. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to gather domain policy information, which is crucial for planning further attacks. If confirmed malicious, this behavior could lead to detailed knowledge of domain security settings, aiding in privilege escalation or lateral movement within the network.","The following analytic detects the execution of the Get-DomainTrust command from PowerView using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed inspection. Identifying this activity is significant because it may indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. 
If confirmed malicious, this activity could enable an attacker to map trust relationships within the domain, potentially leading to further exploitation and compromise of additional systems.","The following analytic detects the execution of the `Get-DomainUser` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a tool often used for domain enumeration. The detection leverages PowerShell operational logs to identify instances where this command is executed. Monitoring this activity is crucial as it may indicate an adversary's attempt to gather information about domain users, which is a common step in Active Directory Discovery. If confirmed malicious, this activity could lead to further reconnaissance and potential exploitation of domain resources.","The following analytic detects the execution of the Get-ForestTrust command from PowerSploit using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into potentially suspicious activities. Monitoring this behavior is crucial as it can indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map trust relationships within the domain, facilitating further exploitation and access to sensitive resources.","The following analytic detects the execution of the `Get-WMIObject Win32_Group` command using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed analysis. Identifying group information on an endpoint is not inherently malicious but can be suspicious based on context such as time, endpoint, and user. This activity is significant as it may indicate reconnaissance efforts by an attacker. 
If confirmed malicious, it could lead to further enumeration and potential lateral movement within the network.","The following analytic detects the execution of the `Get-AdComputer` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify when this commandlet is run. The `Get-AdComputer` commandlet is significant as it can be used by adversaries to enumerate all domain computers, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify targets, and plan further attacks, potentially leading to unauthorized access and data exfiltration.","The following analytic detects the execution of the `Get-AdGroup` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate all domain groups, which adversaries may exploit for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts within the network. If confirmed malicious, this behavior could lead to further exploitation, such as privilege escalation or lateral movement, by providing attackers with detailed information about the domain's group structure.","The following analytic detects the execution of the `GetCurrent` method from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). This method identifies the current Windows user. The detection leverages PowerShell script block logs to identify when this method is called. This activity is significant because adversaries and Red Teams may use it to gain situational awareness and perform Active Directory discovery on compromised endpoints. 
If confirmed malicious, this could allow attackers to map out user accounts and potentially escalate privileges or move laterally within the network.","The following analytic detects the execution of the `Get-DomainComputer` commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet is part of PowerView, a tool often used for enumerating domain computers within Windows environments. The detection leverages script block text analysis to identify this specific command. Monitoring this activity is crucial as it can indicate an adversary's attempt to gather information about domain computers, which is a common step in Active Directory reconnaissance. If confirmed malicious, this activity could lead to further network enumeration and potential lateral movement within the domain.","The following analytic detects the execution of the `Get-DomainController` commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet is part of PowerView, a tool often used for domain enumeration. The detection leverages script block text to identify this specific activity. Monitoring this behavior is crucial as it may indicate an adversary or Red Team performing reconnaissance to map out domain controllers. If confirmed malicious, this activity could lead to further domain enumeration, potentially exposing sensitive information and aiding in lateral movement within the network.","The following analytic detects the execution of the `Get-DomainGroup` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet, part of the PowerView tool, is used to enumerate domain groups within a Windows domain. The detection leverages script block text to identify this specific command. Monitoring this activity is crucial as it may indicate an adversary or Red Team performing reconnaissance to gain situational awareness and map out Active Directory structures. 
If confirmed malicious, this activity could lead to further exploitation, including privilege escalation and lateral movement within the network.","The following analytic detects the execution of the `Get-LocalUser` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet lists all local users on a system. The detection leverages script block text from PowerShell logs to identify this activity. Monitoring this behavior is significant as adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, enabling attackers to identify potential targets for privilege escalation or lateral movement.","The following analytic detects the execution of the `Get-NetTcpconnection` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet lists network connections on a system, which adversaries may use for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker. If confirmed malicious, this behavior could allow an attacker to map the network, identify critical systems, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network.","The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_Computer` class parameter via PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify queries targeting domain computers using WMI. Monitoring this activity is crucial as adversaries and Red Teams may use it for Active Directory Discovery and situational awareness. 
If confirmed malicious, this behavior could allow attackers to map out domain computers, facilitating further attacks such as lateral movement or privilege escalation.","The following analytic detects the execution of the `Get-WmiObject` commandlet with the `DS_Group` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages WMI to query all domain groups. Monitoring this activity is crucial as adversaries and Red Teams may use it for domain group enumeration, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map out the domain structure, potentially leading to further exploitation and privilege escalation within the network.","The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_User` class parameter via PowerShell Script Block Logging (EventCode=4104). It leverages logs to identify attempts to query all domain users using WMI. This activity is significant as it may indicate an adversary or Red Team operation attempting to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to map out the network and identify potential targets for privilege escalation or lateral movement.","The following analytic detects the execution of the `Get-WmiObject` commandlet with the `Win32_UserAccount` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages script block text to identify when a list of all local users is being enumerated. This activity is significant as it may indicate an adversary or Red Team operation attempting to gather user information for situational awareness and Active Directory discovery. 
If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.","The following analytic detects the use of the `Enter-PSSession` cmdlet to establish an interactive session on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity by searching for specific script block text patterns. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute commands remotely, potentially leading to further compromise of the network and unauthorized access to sensitive information.","The following analytic detects the use of the `Set-ADAccountControl` PowerShell cmdlet with parameters that disable Kerberos Pre-Authentication. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific command execution. Disabling Kerberos Pre-Authentication is significant because it allows adversaries to perform offline brute force attacks against user passwords using the AS-REP Roasting technique. If confirmed malicious, this activity could enable attackers to escalate privileges or maintain persistence within an Active Directory environment, posing a severe security risk.","The following analytic detects the execution of known MailSniper PowerShell functions on a machine. It leverages PowerShell logs (EventCode 4104) to identify specific script block text associated with MailSniper activities. This behavior is significant as MailSniper is often used by attackers to harvest sensitive emails from compromised Exchange servers. If confirmed malicious, this activity could lead to unauthorized access to sensitive email data, credential theft, and further compromise of the email infrastructure.","The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). 
It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers for various malicious purposes, including code execution, privilege escalation, and persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security.","The following analytic detects attempts to modify or add a Component Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious script blocks that target the InProcServer32 registry path. This activity is significant because modifying COM objects can be used for persistence or privilege escalation by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary code or maintain persistent access to the compromised system, posing a severe security risk.","The following analytic detects the execution of PowerShell scripts using the `mutex` function via EventCode 4104. This detection leverages PowerShell Script Block Logging to identify scripts that create thread mutexes, a technique often used in obfuscated scripts to ensure only one instance runs on a compromised machine. This activity is significant as it may indicate the presence of sophisticated malware or persistence mechanisms. If confirmed malicious, the attacker could maintain exclusive control over a process, potentially leading to further exploitation or persistence within the environment.","The following analytic detects the execution of PowerShell commands used for domain enumeration, such as `get-netdomaintrust` and `get-adgroupmember`. 
It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it often indicates reconnaissance efforts by an attacker to map out the domain structure and identify key users and groups. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, and unauthorized access to sensitive information within the domain.","The following analytic detects the use of the Enable-PSRemoting cmdlet, which allows PowerShell remoting on a local or remote computer. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify when this cmdlet is executed. Monitoring this activity is crucial as it can indicate an attacker enabling remote command execution capabilities on a compromised system. If confirmed malicious, this activity could allow an attacker to take control of the system remotely, execute commands, and potentially pivot to other systems within the network, leading to further compromise and lateral movement.","The following analytic detects the enabling of the SMB1 protocol via `powershell.exe`. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the `Enable-WindowsOptionalFeature` cmdlet with the `SMB1Protocol` parameter. This activity is significant because enabling SMB1 can facilitate lateral movement and file encryption by ransomware, such as RedDot. If confirmed malicious, this action could allow an attacker to propagate through the network, encrypt files, and potentially disrupt business operations.","The following analytic detects the execution of a COM CLSID through PowerShell. It leverages EventCode 4104 and searches for specific script block text indicating the creation of a COM object. 
This activity is significant as it is commonly used by adversaries and malware, such as the Conti ransomware, to execute commands, potentially for privilege escalation or bypassing User Account Control (UAC). If confirmed malicious, this technique could allow attackers to gain elevated privileges or persist within the environment, posing a significant security risk.","The following analytic detects the use of `GetProcAddress` in PowerShell script blocks, leveraging PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, which is then logged in Windows event logs. The presence of `GetProcAddress` is unusual for typical PowerShell scripts and often indicates malicious activity, as many attack toolkits use it to achieve code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise. Analysts should review parallel processes and the entire logged script block for further investigation.","The following analytic detects the execution of PowerShell scripts containing Base64 encoded content, specifically identifying the use of `FromBase64String`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as Base64 encoding is often used by attackers to obfuscate malicious payloads, making it harder to detect. If confirmed malicious, this could lead to code execution, allowing attackers to run arbitrary commands and potentially compromise the system.","The following analytic detects the execution of the PowerShell cmdlet `get-localgroup` using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into script execution. 
Monitoring this activity is significant as it can indicate an attempt to enumerate local groups, which may be a precursor to privilege escalation or lateral movement. If confirmed malicious, an attacker could gain insights into group memberships, potentially leading to unauthorized access or privilege abuse. Review parallel processes and the entire script block for comprehensive analysis.","The following analytic detects the use of the New-CIMSession cmdlet to create a session, followed by the use of the Invoke-CIMMethod cmdlet within PowerShell. It leverages PowerShell Script Block Logging to identify these specific cmdlets in the ScriptBlockText field. This activity is significant because it mirrors the behavior of the Invoke-WMIMethod cmdlet, often used for remote code execution via NTLMv2 pass-the-hash authentication. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access and control over targeted systems.","The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network.","The following analytic detects the execution of suspicious PowerShell commands associated with Meterpreter modules, such as \"MSF.Powershell\" and \"MSF.Powershell.Meterpreter\". It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. 
This activity is significant as it indicates potential post-exploitation actions, including credential dumping and persistence mechanisms. If confirmed malicious, an attacker could gain extensive control over the compromised system, escalate privileges, and maintain long-term access, posing a severe threat to the environment.","The following analytic detects the use of PowerShell scripts to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.","The following analytic detects suspicious PowerShell script execution involving compressed stream data processing, identified via EventCode 4104. It leverages PowerShell Script Block Logging to flag scripts using `IO.Compression`, `IO.StreamReader`, or decompression methods. This activity is significant as it often indicates obfuscated PowerShell or embedded .NET/binary execution, which are common tactics for evading detection. If confirmed malicious, this behavior could allow attackers to execute hidden code, escalate privileges, or maintain persistence within the environment.","The following analytic detects the execution of a PowerShell script that modifies the 'TrustedHosts' configuration via EventCode 4104. It leverages PowerShell Script Block Logging to identify commands targeting WSMan settings, specifically those altering or concatenating trusted hosts. This activity is significant as it can indicate attempts to manipulate remote connection settings, potentially allowing unauthorized remote access. 
If confirmed malicious, this could enable attackers to establish persistent remote connections, bypass security protocols, and gain unauthorized access to sensitive systems and data.","The following analytic detects a suspicious PowerShell command attempting to delete the Windows Defender directory. It leverages PowerShell Script Block Logging to identify commands containing \"rmdir\" and targeting the Windows Defender path. This activity is significant as it may indicate an attempt to disable or corrupt Windows Defender, a key security component. If confirmed malicious, this action could allow an attacker to bypass endpoint protection, facilitating further malicious activities without detection.","The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. It leverages PowerShell operational logs to detect script blocks with embedded URLs, often indicative of obfuscated scripts or those attempting to download secondary payloads. This activity is significant as it may signal an attempt to execute malicious code or download additional malware. If confirmed malicious, this could lead to code execution, further system compromise, or data exfiltration. Review parallel processes and the full script block for additional context and related artifacts.","The following analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. It leverages PowerShell Script Block Logging to detect these commands. This activity is significant because attackers can manipulate services to disable or stop critical functions, causing system instability or disrupting business operations. 
If confirmed malicious, this behavior could allow attackers to disable security services, evade detection, or disrupt essential services, leading to potential system downtime and compromised security.","The following analytic detects suspicious PowerShell script execution using memory streams as a backing store, identified via EventCode 4104. It leverages PowerShell Script Block Logging to capture scripts that create new objects with memory streams, often used to decompress and execute payloads in memory. This activity is significant as it indicates potential in-memory execution of malicious code, bypassing traditional file-based detection. If confirmed malicious, this technique could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges without leaving a trace on the disk.","The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment.","The following analytic detects the use of PowerShell commands to add or set Windows Defender exclusions. It leverages EventCode 4104 to identify suspicious `Add-MpPreference` or `Set-MpPreference` commands with exclusion parameters. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute without detection. 
If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.","The following analytic detects suspicious PowerShell script execution via EventCode 4104, specifically targeting checks for installed anti-virus products using WMI or PowerShell commands. This detection leverages PowerShell Script Block Logging to identify scripts containing keywords like \"SELECT,\" \"WMIC,\" \"AntiVirusProduct,\" or \"AntiSpywareProduct.\" This activity is significant as it is commonly used by malware and APT actors to map running security applications or services, potentially aiding in evasion techniques. If confirmed malicious, this could allow attackers to disable or bypass security measures, leading to further compromise of the endpoint.","The following analytic detects suspicious PowerShell activity via EventCode 4104, where WMI performs event queries to gather information on running processes or services. This detection leverages PowerShell Script Block Logging to identify specific WMI queries targeting system information classes like Win32_Bios and Win32_OperatingSystem. This activity is significant as it often indicates reconnaissance efforts by an adversary to profile the compromised machine. If confirmed malicious, the attacker could gain detailed system information, aiding in further exploitation or lateral movement within the network.","The following analytic detects the execution of PowerShell commands that initiate a process on a remote endpoint via the DCOM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify the use of ShellExecute and ExecuteShellCommand. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. 
If confirmed malicious, this behavior could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.","The following analytic detects the execution of PowerShell commands that use the `Invoke-Command` cmdlet to start a process on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify such activities. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.","The following analytic detects the execution of the `Invoke-WmiMethod` commandlet with parameters used to start a process on a remote endpoint via WMI, leveraging PowerShell Script Block Logging (EventCode=4104). This method identifies specific script block text patterns associated with remote process instantiation. This activity is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this could allow attackers to execute arbitrary code on remote systems, potentially leading to further compromise and persistence within the network.","The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell scripts to query Active Directory for domain computers. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `adsisearcher` and `objectcategory=computer` with methods like `findAll()` or `findOne()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to perform Active Directory discovery and gain situational awareness. 
If confirmed malicious, this could lead to further reconnaissance and potential lateral movement within the network.","The following analytic detects the use of `powershell.exe` to query the domain for Service Principal Names (SPNs) using Script Block Logging EventCode 4104. It identifies the use of the KerberosRequestorSecurityToken class within the script block, which is equivalent to using setspn.exe. This activity is significant as it often precedes kerberoasting or silver ticket attacks, which can lead to credential theft. If confirmed malicious, attackers could leverage this information to escalate privileges or persist within the environment.","The following analytic detects the tampering of AMSI (Antimalware Scan Interface) via PowerShell reflection. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze suspicious PowerShell commands, specifically those involving `system.management.automation.amsi`. This activity is significant as it indicates an attempt to bypass AMSI, a critical security feature that helps detect and block malicious scripts. If confirmed malicious, this could allow an attacker to execute harmful code undetected, leading to potential system compromise and data exfiltration.","The following analytic detects the use of PowerShell environment variables to identify the current logged user by leveraging PowerShell Script Block Logging (EventCode=4104). This method monitors script blocks containing `$env:UserName` or `[System.Environment]::UserName`. Identifying this activity is significant as adversaries and Red Teams may use it for situational awareness and Active Directory discovery on compromised endpoints. 
If confirmed malicious, this activity could allow attackers to gain insights into user context, aiding in further exploitation and lateral movement within the network.","The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the UACFilter parameter set to NOT_ACCOUNTDISABLE, indicating an attempt to enumerate Active Directory user accounts that are not disabled. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify the specific script block text. Monitoring this activity is significant as it may indicate reconnaissance efforts by an attacker to identify active user accounts for further exploitation. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.","The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser, specifically querying for \"samaccountname\" and \"pwdlastset\" attributes. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information from Active Directory, which is a common reconnaissance step in lateral movement or privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to map out user accounts, potentially leading to further exploitation and unauthorized access within the network.","The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. This method identifies attempts to query Active Directory user accounts that do not require Kerberos preauthentication. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker to identify potentially vulnerable accounts. 
If confirmed malicious, this behavior could lead to further exploitation, such as unauthorized access or privilege escalation within the network.","The following analytic detects the use of PowerShell scripts to archive files into a temporary folder. It leverages PowerShell Script Block Logging, specifically monitoring for the `Compress-Archive` command targeting the `Temp` directory. This activity is significant as it may indicate an adversary's attempt to collect and compress data for exfiltration. If confirmed malicious, this behavior could lead to unauthorized data access and exfiltration, posing a severe risk to sensitive information and overall network security.","The following analytic detects the execution of the PowerShell command 'Get-Clipboard' to retrieve clipboard data. It leverages PowerShell Script Block Logging (EventCode 4104) to identify instances where this command is used. This activity is significant because it can indicate an attempt to steal sensitive information such as usernames, passwords, or other confidential data copied to the clipboard. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, potentially compromising user accounts and other critical assets.","The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetComputer, which is used to query Active Directory for user account details such as \"samaccountname,\" \"accountexpires,\" \"lastlogon,\" and more. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.","The following analytic detects the enabling of PowerShell Web Access via PowerShell commands. 
It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the `Install-WindowsFeature` cmdlet with the `WindowsPowerShellWebAccess` parameter. This activity is significant because enabling PowerShell Web Access can facilitate remote execution of PowerShell commands, potentially allowing an attacker to gain unauthorized access to systems and networks.","This analytic detects attempts to create an \"ESX Admins\" group using PowerShell commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the 'ESX Admins' group after its deletion from Active Directory.","The following analytic detects potential data exfiltration using PowerShell's Invoke-RestMethod. It leverages PowerShell Script Block Logging to identify scripts that attempt to upload files via HTTP POST requests. This activity is significant as it may indicate an attacker is exfiltrating sensitive data, such as desktop screenshots or files, to an external command and control (C2) server. If confirmed malicious, this could lead to data breaches, loss of sensitive information, and further compromise of the affected systems. Immediate investigation is recommended to determine the intent and scope of the activity.","The following analytic identifies potential data exfiltration using the PowerShell `net.webclient` command with the `UploadString` method. It leverages PowerShell Script Block Logging to detect instances where this command is executed. This activity is significant as it may indicate an attempt to upload sensitive data, such as desktop screenshots or files, to an external or internal URI, often associated with malware like Winter-Vivern. 
If confirmed malicious, this could lead to unauthorized data transfer, compromising sensitive information and potentially leading to further exploitation of the compromised host.","The following analytic detects the execution of the Invoke-ShareFinder PowerShell cmdlet from PowerView. This detection leverages PowerShell Script Block Logging to identify instances where this specific command is executed. Monitoring this activity is crucial as it indicates an attempt to enumerate network file shares, which may contain sensitive information such as backups, scripts, and credentials. If confirmed malicious, this activity could enable an attacker to escalate privileges or move laterally within the network, potentially compromising additional systems and sensitive data.","The following analytic detects the execution of the `Get-DomainOU` cmdlet, a part of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-DomainOU` usage is significant as adversaries may use it to gather information about organizational units within Active Directory, which can facilitate lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to map the domain structure, aiding in further exploitation and persistence within the network.","The following analytic detects the execution of the `Find-InterestingDomainAcl` cmdlet, part of the PowerView toolkit, using PowerShell Script Block Logging (EventCode=4104). This detection leverages logs to identify when this command is run, which is significant as adversaries may use it to find misconfigured or unusual Access Control Lists (ACLs) within a domain. 
If confirmed malicious, this activity could allow attackers to identify privilege escalation opportunities or weak security configurations in Active Directory, potentially leading to unauthorized access or further exploitation.","The following analytic detects the execution of the `Get-ForestDomain` cmdlet, a component of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-ForestDomain` is significant because adversaries and Red Teams use it to gather detailed information about Active Directory forest and domain configurations. If confirmed malicious, this activity could enable attackers to understand the domain structure, facilitating lateral movement or privilege escalation within the environment.","The following analytic detects a PowerShell script that enumerates camera devices on the targeted host. This detection leverages PowerShell Script Block Logging, specifically looking for commands querying Win32_PnPEntity for camera-related information. This activity is significant as it is commonly observed in DCRat malware, which collects camera data to send to its command-and-control server. If confirmed malicious, this behavior could indicate an attempt to gather sensitive visual information from the host, potentially leading to privacy breaches or further exploitation.","The following analytic detects the use of the Get-ADComputer cmdlet with parameters indicating a search for Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory discovery. 
If confirmed malicious, this activity could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.","The following analytic detects the execution of the `Find-LocalAdminAccess` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a toolkit for Windows domain enumeration. Identifying the use of `Find-LocalAdminAccess` is crucial as adversaries may use it to find machines where the current user has local administrator access, facilitating lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to target and compromise additional systems within the network, significantly increasing their control and access to sensitive information.","The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell Script Block Logging (EventCode=4104) to query Active Directory for domain organizational units. This detection leverages PowerShell operational logs to identify script blocks containing `[adsisearcher]`, `objectcategory=organizationalunit`, and `findAll()`. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness of the domain structure. If confirmed malicious, this could lead to further exploitation, such as privilege escalation or lateral movement within the network.","The following analytic detects the addition of a DLL to the Windows Global Assembly Cache (GAC) using PowerShell. It leverages PowerShell Script Block Logging to identify commands containing \"system.enterpriseservices.internal.publish\". This activity is significant because adding a DLL to the GAC allows it to be shared across multiple applications, potentially enabling an adversary to execute malicious code system-wide. 
If confirmed malicious, this could lead to widespread code execution, privilege escalation, and persistent access across the operating system, posing a severe security risk.","The following analytic detects suspicious PowerShell script execution involving the cryptography namespace via EventCode 4104. It leverages PowerShell Script Block Logging to identify scripts using cryptographic functions, excluding common hashes like SHA and MD5. This activity is significant as it is often associated with malware that decrypts or decodes additional malicious payloads. If confirmed malicious, this could allow an attacker to execute further code, escalate privileges, or establish persistence within the environment. Analysts should investigate the parent process, decrypted data, network connections, and the user executing the script.","The following analytic detects the use of `get-WebConfigurationProperty` and `Set-ItemProperty` commands in PowerShell to disable HTTP logging on Windows systems. This detection leverages PowerShell Script Block Logging, specifically looking for script blocks that reference HTTP logging properties and attempt to set them to \"false\" or \"dontLog\". Disabling HTTP logging is significant as it can be used by adversaries to cover their tracks and delete logs, hindering forensic investigations. If confirmed malicious, this activity could allow attackers to evade detection and persist in the environment undetected.","The following analytic detects the use of the PowerShell Cmdlet `export-certificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the local Certificate Store on a Windows endpoint. Monitoring this behavior is crucial because stolen certificates can be used to impersonate users, decrypt sensitive data, or facilitate further attacks. 
If confirmed malicious, this activity could lead to unauthorized access to encrypted communications and sensitive information, posing a severe security risk.","The following analytic detects the use of the PowerShell cmdlet `export-pfxcertificate` by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the Windows Certificate Store. Monitoring this behavior is crucial for identifying potential certificate theft, which can lead to unauthorized access and impersonation attacks. If confirmed malicious, this activity could allow attackers to compromise secure communications, authenticate as legitimate users, and escalate their privileges within the network.","The following analytic detects the use of the Get-CimInstance cmdlet with the -ComputerName parameter, indicating an attempt to retrieve information from a remote computer. It leverages PowerShell Script Block Logging to identify this specific command execution. This activity is significant as it may indicate unauthorized remote access or information gathering by an attacker. If confirmed malicious, this could allow the attacker to collect sensitive data from remote systems, potentially leading to further exploitation or lateral movement within the network.","The following analytic detects the usage of PowerShell to delete its command history file, which may indicate an attempt to evade detection by removing evidence of executed commands. PowerShell stores command history in ConsoleHost_history.txt under the user’s profile directory. Adversaries or malicious scripts may delete this file using Remove-Item, del, or similar commands. This detection focuses on file deletion events targeting the history file, correlating them with recent PowerShell activity. 
While legitimate users may occasionally clear history, frequent or automated deletions should be investigated for potential defense evasion or post-exploitation cleanup activities.","The following analytic detects the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule, and Set-WebGlobalModule, which are used to create, enable, or modify IIS Modules. This detection leverages PowerShell Script Block Logging, specifically monitoring EventCode 4104 for these cmdlets. This activity is significant as adversaries may use these lesser-known cmdlets to manipulate IIS configurations, similar to AppCmd.exe, potentially bypassing traditional defenses. If confirmed malicious, this could allow attackers to persist in the environment, manipulate web server behavior, or escalate privileges.","The following analytic detects the import of Windows PowerShell Applocker cmdlets, specifically identifying the use of \"Import-Module Applocker\" and \"Set-AppLockerPolicy\" with an XML policy. It leverages PowerShell Script Block Logging (EventCode 4104) to capture and analyze script block text. This activity is significant as it may indicate an attempt to enforce restrictive Applocker policies, potentially used by malware like Azorult to disable antivirus products. If confirmed malicious, this could allow an attacker to bypass security controls, leading to further system compromise and persistence.","The following analytic detects the use of PowerShell's Invoke-RestMethod cmdlet to collect geolocation data from ipinfo.io or IP address information from api.ipify.org. This behavior leverages PowerShell Script Block Logging to identify scripts that gather external IP information and potential geolocation data. This activity is significant as it may indicate reconnaissance efforts, where threat actors are attempting to determine the geographical location or network details of a compromised system. 
While some legitimate software may use these services, this pattern is commonly observed in malware and post-exploitation toolkits like those used by Water Gamayun threat actors.","This detection identifies potentially suspicious usage of Invoke-Sqlcmd PowerShell cmdlet, which can be used for database operations and potential data exfiltration. The detection looks for suspicious parameter combinations and query patterns that may indicate unauthorized database access, data theft, or malicious database operations. Threat actors may prefer using PowerShell Invoke-Sqlcmd over sqlcmd.exe as it provides a more flexible programmatic interface and can better evade detection.","The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation.","The following analytic detects the execution of PowerShell commands to install unsigned AppX packages using Add-AppxPackage or Add-AppPackage cmdlets with the -AllowUnsigned flag. This detection leverages PowerShell Script Block Logging (EventCode=4104) to capture the full command content. This activity is significant as adversaries may use unsigned AppX packages to install malicious applications, bypass security controls, or establish persistence. If confirmed malicious, this could allow attackers to install unauthorized applications that may contain malware, backdoors, or other malicious components.","The following analytic detects potential malicious activities involving PowerShell's task scheduling cmdlets. 
It leverages PowerShell Script Block Logging (EventCode 4104) to identify unusual or suspicious use of cmdlets like 'New-ScheduledTask' and 'Set-ScheduledTask'. This activity is significant as attackers often use these cmdlets for persistence and remote execution of malicious code. If confirmed malicious, this could allow attackers to maintain access, deliver additional payloads, or execute ransomware, leading to data theft or other severe impacts. Immediate investigation and mitigation are crucial to prevent further compromise.","The following analytic detects the execution of multiple offensive toolkits and commands by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities including several well-known tools used for credential theft, lateral movement, and persistence. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.","The following analytic detects the use of the Win32_ScheduledJob WMI class via PowerShell script block logging. This class, which manages scheduled tasks, is disabled by default due to security concerns and must be explicitly enabled through registry modifications. The detection leverages PowerShell event code 4104 and script block text analysis. Monitoring this activity is crucial as it may indicate malicious intent, especially if the class was enabled by an attacker. If confirmed malicious, this could allow attackers to persist in the environment by creating scheduled tasks.","The following analytic detects the execution of the Get-GPPPassword PowerShell cmdlet, which is used to search for unsecured credentials in Group Policy Preferences (GPP). This detection leverages PowerShell Script Block Logging to identify specific script block text associated with this cmdlet. 
Monitoring this activity is crucial as it can indicate an attempt to retrieve and decrypt stored credentials from SYSVOL, potentially leading to unauthorized access. If confirmed malicious, this activity could allow an attacker to escalate privileges or move laterally within the network by exploiting exposed credentials.","The following analytic detects the execution of PowerView PowerShell cmdlets `Get-ObjectAcl` or `Get-DomainObjectAcl`, which are used to enumerate Access Control List (ACL) permissions for Active Directory objects. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to discover weak permissions in Active Directory, potentially leading to privilege escalation. If confirmed malicious, attackers could exploit these permissions to gain unauthorized access or escalate their privileges within the network.","The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Constrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commandlets like `Get-DomainComputer` or `Get-NetComputer` with the `-TrustedToAuth` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.","The following analytic detects the execution of the `Get-DomainSPNTicket` commandlet, part of the PowerView tool, by leveraging PowerShell Script Block Logging (EventCode=4104). This commandlet requests Kerberos service tickets for specified service principal names (SPNs). 
Monitoring this activity is crucial as it can indicate attempts to perform Kerberoasting, a technique used to extract SPN account passwords via cracking tools like hashcat. If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive accounts, potentially leading to privilege escalation and further network compromise.","The following analytic detects the execution of the `Get-DomainUser` or `Get-NetUser` PowerShell cmdlets with the `-SPN` parameter, indicating the use of PowerView for SPN discovery. It leverages PowerShell Script Block Logging (EventCode=4104) to identify these specific commands. This activity is significant as it suggests an attempt to enumerate domain accounts associated with Service Principal Names (SPNs), a common precursor to Kerberoasting attacks. If confirmed malicious, this could allow an attacker to identify and target accounts for credential theft, potentially leading to unauthorized access and privilege escalation within the network.","The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commands like `Get-DomainComputer` or `Get-NetComputer` with the `-Unconstrained` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.","The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for root domain linked policies. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. 
This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory Discovery. If confirmed malicious, this activity could allow attackers to map out domain policies, potentially aiding in further exploitation or lateral movement within the network.","The following analytic detects the execution of a PowerShell script designed to capture screen images on a host. It leverages PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities. This behavior is significant as it may indicate an attempt to exfiltrate sensitive information by capturing desktop screenshots. If confirmed malicious, this activity could allow an attacker to gather visual data from the compromised system, potentially leading to data breaches or further exploitation.","The following analytic identifies suspicious PowerShell script execution via EventCode 4104, where WMI performs an event query to list running processes or services. This detection leverages PowerShell Script Block Logging to capture and analyze script block text for specific WMI queries. This activity is significant as it is commonly used by malware and APT actors to map security applications or services on a compromised machine. If confirmed malicious, this could allow attackers to identify and potentially disable security defenses, facilitating further compromise and persistence within the environment.","Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.","Detects uncommon child processes of Appvlp.EXE\nAppvlp or the Application Virtualization Utility is included with Microsoft Office. 
Attackers are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder\nor to mark a file as a system file.","Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe.\nArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS\nServer system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding\nservice endpoint and remotely execute code from the ArcSOC.exe process.","Detects execution of \"aspnet_compiler.exe\" which can be abused to compile and execute C# code.","Detects potentially suspicious child processes of \"aspnet_compiler.exe\".","Detects execution of \"aspnet_compiler.exe\" with potentially suspicious paths for compilation.","Detects an interactive AT job, which may be used as a form of privilege escalation.","Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.","Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.\nSuspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.","Detects suspicious child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript","Detects uncommon child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript","Detects the execution of \"BitLockerToGo.EXE\".\nBitLocker To Go is BitLocker Drive Encryption on 
removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.\nThis is a rarely used application and usage of it at all is worth investigating.\nMalware such as Lumma stealer has been seen using this process as a target for process hollowing.","Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control","Detects execution of Chromium based browser in headless mode","Detects execution of chromium based browser in headless mode using the \"dump-dom\" command line to download files","Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension","Detects the execution of a Chromium based browser process with the \"headless\" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).","Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension","Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.","Detects browsers starting with the remote debugging flags. 
Which is a technique often used to perform browser injection attacks","Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.","Detects a code page switch in command line or batch scripts to a rare language","Detects the execution of the \"cloudflared\" binary from a non standard location.","Detects execution of the \"cloudflared\" tool with the tunnel \"cleanup\" flag in order to cleanup tunnel connections.","Detects execution of the \"cloudflared\" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.","Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.","Detects possible payload obfuscation via the commandline","Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)","Shadow Copies storage symbolic link creation using operating systems utilities","Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation or a fat finger problem (typo by the developer).","Detects commands that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe","Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
It's used to hide the file responsible for the initial infection for example","Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)","Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen","By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privileged shell is launched.","Detects usage of the \"type\" command to download/upload data from WebDAV server","Detects suspicious parent process for cmd.exe","Detects various indicators of Microsoft Connection Manager Profile Installer execution","Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.\nThis may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.\nThreat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.","ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.","Detects uncommon \"conhost\" child processes. This could be a sign of \"conhost\" usage as a LOLBIN or potential process injection activity.","Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\\Windows\\explorer.exe'. 
CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.","Detects uncommon child processes of \"DefaultPack.EXE\" binary as a proxy to launch other programs","Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').\nThis is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.\nAn attacker might use this technique via the command line to bypass defenses before executing payloads.","Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.","Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet","Detects the execution of DeviceCredentialDeployment to hide a process from view.","Detects a certain command line flag combination used by \"devinit.exe\", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system","Detects potentially suspicious child processes of a ClickOnce deployment application","Detects attempts to query system information directly from the Windows Registry.","Detects potentially suspicious child processes of \"Diskshadow.exe\". 
This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.","Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL","Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.","Well-known DNS Exfiltration tools execution","Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)","Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.","Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)","Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.\nAttackers might abuse this in order to bypass application whitelisting.","Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1","Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.","Detects uncommon or suspicious child processes of \"eventvwr.exe\" which might indicate a UAC bypass attempt","Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. 
seen in Iranian MeteorExpress related attacks","Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"","Detects the initial execution of \"cmd.exe\" which spawns \"explorer.exe\" with the appropriate command line arguments for opening the \"My Computer\" folder.","Detects the execution of a potential recon command where the results are piped to \"findstr\". This is meant to trigger on inline calls of \"cmd.exe\" via the \"/c\" or \"/k\" for example.\nAttackers often time use this technique to extract specific information they require in their reconnaissance phase.","Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which \"format.com\" is used to load malicious DLL files or other programs.","Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.","Detects potentially suspicious child processes of \"GoogleUpdate.exe\"","Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information","Detects execution of the Notepad++ updater (gup) to launch other commands or executables","Detects suspicious child process creation by the Notepad++ updater process (gup.exe).\nThis could indicate potential exploitation of the updater component to deliver unwanted malware.","Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks","Detects a suspicious child process of a Microsoft HTML Help (HH.exe)","Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service","F-Secure C3 produces DLLs with a default exported StartNodeRelay 
function.","Detects suspicious command lines used in Covenant launchers","This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.","Detects various execution patterns of the CrackMapExec pentesting framework","Detects suspicious process patterns found in logs when CrackMapExec is used","Detects the use of the Dinject PowerShell cradle based on the specific flags","Detects suspicious powershell command line parameters used in Empire","Detects some Empire PowerShell UAC bypass methods","Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.","Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against","Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.\nIt replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.","Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)","Detects command line parameters used by Hydra password guessing hack tool","Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)","Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block","Detects the execution of the LaZagne. 
A utility used to retrieve multiple types of passwords stored on a local computer.\nLaZagne has been leveraged multiple times by threat actors in order to dump credentials.","Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting","Detection well-known mimikatz command line arguments","Detects execution of the hacktool NetExec.\nNetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration\nIn enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems.\nThreat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.","Detects the creation of a schtask via PowerSploit or Empire Default Configuration.","Detects the usage of \"pypykatz\" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored","Detects usage of the Quarks PwDump tool via commandline arguments","Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility","Detects different hacktools used for relay attacks on Windows for privilege escalation","Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.\nWindows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.","Detects process activity patterns as seen being used by Sliver C2 framework implants","Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.","Detects commandline keywords indicative of potential usage of the tool WinPwn. 
A tool for Windows and Active Directory reconnaissance and exploitation.","Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script","Detects suspicious use of XORDump process memory dumping utility","ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.","Use of hostname to get information","Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation","HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe","Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors","Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity","Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.","Uses the .NET InstallUtil.exe application in order to execute image without log","Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)","Detects suspicious child processes of the \"Manage Engine ServiceDesk Plus\" Java web service","Detects a JAVA process running with remote debugging allowing more than just localhost to connect","Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)","Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. 
log4j exploitation)","Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.","Detects the presence of \"UWhRC....AAYBAAAA\" pattern in command line.\nThe pattern \"1UWhRCAAAAA..BAAAA\" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.\nAttackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.\nIt is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records\nto spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.\nIf you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,\nor checking for the presence of such records through the `nslookup` command.","Detects an uncommon parent process of \"LINK.EXE\".\nLink.EXE in Microsoft incremental linker. 
It's a utility usually bundled with Visual Studio installation.\nMultiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcoded call to the \"LINK.EXE\" binary without checking its validity.\nThis would allow an attacker to sideload any binary with the name \"link.exe\" if one of the aforementioned tools gets executed from a different location.\nBy filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.","The Devtoolslauncher.exe executes other binary","Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.","Download and compress a remote file and store it in a cab file on local machine.","Extract data from cab file and hide it in an alternate data stream","Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.","Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag","Detects file execution using the msdeploy.exe lolbin","The OpenWith.exe executes other binary","Detects execution of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.","Detect indirect command execution via Program Compatibility Assistant pcwrun.exe","Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability","Detects code execution via Pester.bat (Pester - Powershell Module for testing)","Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.","Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.","Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.","Detects the use of Replace.exe which can be used to replace file with another file","Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs","Detects execution of powershell scripts via Runscripthelper.exe","Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag","Detects when a possible suspicious driver is being installed via pnputil.exe lolbin","Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors","Detects process dump via legitimate sqldumper.exe binary","Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs","Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.","Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.","Detects a suspicious LSASS process clone that could be a sign of credential dumping activity","Detects child processes of the \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) which can be abused to execute arbitrary binaries.","Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe","Detects a Windows command line executable started from MMC","Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab).","Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity","Detects potential LethalHTA technique where the 
\"mshta.exe\" is spawned by an \"svchost.exe\" process","Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)","Detects suspicious msiexec process starts with web addresses as parameter","Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.","Detects RDP session hijacking by using MSTSC shadowing","Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.\nAdversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.","Detects the execution of the \"msxsl\" binary with an \"http\" keyword in the command line. This might indicate a potential remote execution of XSL files.","Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc","Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud","Detects the execution of Notepad to open a file that has the string \"password\" which may indicate unauthorized access to credentials or suspicious activity.","Detects a set of suspicious network related commands often used in recon stages","Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)","Detects an uncommon child process of \"odbcconf.exe\" binary which normally shouldn't have any child processes.","Detects the execution of malicious OneNote documents that contain embedded scripts.\nWhen a user clicks on a OneNote attachment and then on the malicious link inside the \".one\" file, it exports and executes the malicious embedded script from specific directories.","Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros","Detects a suspicious program execution in Outlook temp folder","Detects a suspicious process spawning from an Outlook process.","Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).","Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)","Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines","Detects a ping command that uses a hex encoded IP address","Execution of plink to perform data exfiltration and tunneling","Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning","Detects audio capture via PowerShell Cmdlet.","Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used 
in command lines","Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line","Detects usage of a base64 encoded \"IEX\" cmdlet in a process command line","Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV","Detects base64 encoded .NET reflective loading of Assembly","Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"","Detects calls to \"SyncInvoke\" that is part of the \"CL_Invocation.ps1\" script to proxy execution using \"System.Diagnostics.Process\"","Detects calls to \"LoadAssemblyFromPath\" or \"LoadAssemblyFromNS\" that are part of the \"CL_LoadAssembly.ps1\" script. This can be abused to load different assemblies and bypass App locker controls.","Detects the use of the Microsoft signed script \"CL_mutexverifiers\" to proxy the execution of additional PowerShell script commands","Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).\nThis can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.","Detects the creation of a new service using powershell.","Detects attempts of decoding encoded Gzip archives via PowerShell.","Detects requests to disable Microsoft Defender features using PowerShell commands","Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets","Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features","Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0","Detects the execution of a specific OneLiner to download and execute powershell modules in memory.","Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.","Detects PowerShell download and 
execution cradles.","Detects email exfiltration via powershell cmdlets","Commandline to launch powershell with a base64 payload","Detects inline execution of PowerShell code from a file","Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.","Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string","Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.","Detects usage of the 'Get-Clipboard' cmdlet via CLI","Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet","Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity","Detects suspicious ways to run Invoke-Execution using IEX alias","Detects the Installation of a Exchange Transport Agent","Detects suspicious encoded character syntax often used for defense evasion","This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder","Detects calls to the AtomicTestHarnesses \"Invoke-ATHRemoteFXvGPUDisablementCommand\" which is designed to abuse the \"RemoteFXvGPUDisablement.exe\" binary to run custom PowerShell code via module load-order hijacking.","Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet","Detects PowerShell script execution from Alternate Data Stream (ADS)","Detects PowerShell script execution via input stream redirect","Detects suspicious PowerShell scripts accessing SAM hives","Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)","Detects suspicious PowerShell invocation with a 
parameter substring","Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder","Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation","Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary","Attackers can use print.exe for remote file copy","Detects child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.","Detects suspicious child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.","Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.","Detects active directory enumeration activity using known AdFind CLI flags","Detects AdFind execution with common flags seen used during attacks","Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts","Detects usage of the Chisel tunneling tool via the commandline arguments","Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.","Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.","Detects execution of Netcat. 
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network","Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.","Detects the use of NirCmd tool for command execution as SYSTEM user","Detects the execution of the Restic backup tool, which can be used for data exfiltration.\nThreat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.\nIf not legitimately used in the enterprise environment, its presence may indicate malicious activity.","Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts","Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.\nWhile it is a legitimate tool, intended for use in CI pipelines and security assessments,\nIt was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.","This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsed to Query/modify DNS records for Active Directory integrated DNS via LDAP","Detects python spawning a pretty tty","Detects potentially suspicious execution of the Qemu utility in a Windows environment.\nThreat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.","Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use","Detects the execution of Microsoft Quick Assist tool \"QuickAssist.exe\". 
This utility can be used by attackers to gain remote access.","Detects usage of \"rar\" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.","Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.","Detects suspicious process related to rasdial.exe","Detects suspicious command line reg.exe tool adding key to RUN key in Registry","Detects suspicious addition to BitLocker related registry keys via the reg.exe utility","Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS","Detects the usage of \"reg.exe\" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.","Detects execution of \"reg.exe\" to disable security services such as Windows Defender.","Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services","Detects changes to the \"DisableRestrictedAdmin\" registry value in order to disable or enable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromised","Use of reg to get MachineGuid information","Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\nBy setting this registry value to \"0\" 
(DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.","Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension","Detects commands that temporarily turn off Volume Snapshots","Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.\nThis could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.","Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe","Detects using register-cimprovider.exe to execute arbitrary dll file.","Detects processes that query known 3rd party registry keys that holds credentials via commandline","Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. 
This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.","Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).","Detects the addition of a new LogonScript to the registry value \"UserInitMprLogonScript\" for potential persistence","Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it","Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed.\nThreat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.","Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level","Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".","Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine","Detects changes to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.","Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt","Detects a potential command line flag anomaly related to \"regsvr32\" in which the \"/i\" flag is used without the \"/n\" which should be uncommon.","Detects potentially suspicious child processes of \"regsvr32.exe\".","Detects various command line and scripting engines/processes such as \"PowerShell\", \"Wscript\", \"Cmd\", etc. 
spawning a \"regsvr32\" instance.","Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.","Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.","Detects potential execution of MeshAgent which is a tool used for remote access.\nHistorical data shows that threat actors rename MeshAgent binary to evade detection.\nMatching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.","Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.","Detects ScreenConnect program starts that establish a remote access to a system.","Detects potential web shell execution from the ScreenConnect server process.","An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)","Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.\nThese parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.\nThis technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.","Detects the command line executed when TeamViewer starts a session started by a remote host.\nOnce a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.","Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.","Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection","Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452","Detects execution of commands that leverage the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)","Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity","Detects suspicious process run from unusual locations","Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack","Detects actions that clear the local ShimCache and remove forensic evidence","Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452","Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module","Detection of sc.exe utility spawning by 
user with Medium integrity level to change service ImagePath or FailureCommand","Detects the creation of a new service using the \"sc.exe\" utility.","Detects creation of a new service (kernel driver) with the type \"kernel\"","Detects service path modification via the \"sc\" binary to a suspicious command or path","Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.","Detects the creation of a schtask that executes a file from C:\\Users\\<USER>\\AppData\\Local","Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload","Detects the creation of scheduled tasks by user accounts via the \"schtasks\" utility.","Detects the creation of scheduled tasks that involves a temporary folder and runs only once","Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.\nThis facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.","Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities","Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.","Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities","Detects creation of a scheduled task with a GUID like name","Detects scheduled task creation using \"schtasks\" that contain potentially suspicious 
or uncommon commands","Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges","Detects a suspicious child process of Script Event Consumer (scrcons.exe).","A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.","Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)","Detects a suspicious process pattern which could be a sign of an exploited Serv-U service","Detects uncommon child process of Setres.EXE.\nSetres.EXE is a Windows server only process and tool that can be used to set the screen resolution.\nIt can potentially be abused in order to launch any arbitrary file with a name containing the word \"choice\" from the current execution path.","Use of the commandline to shutdown or reboot windows","Detects the rare use of the command line tool shutdown to logoff a user","Detects uncommon child processes spawning from \"sigverif.exe\", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.","Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)","Detect attacker collecting audio via SoundRecorder application.","Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.\nChild processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.","Detects suspicious Splwow64.exe process without any command line parameters","Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.","Detects dump of credentials in VeeamBackup dbo","Detects the usage of the \"Squirrel.exe\" to download arbitrary files. 
This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)","Detects the usage of the \"Squirrel.exe\" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)","Detects port forwarding activity via SSH.exe","Execution of ssh.exe to perform data exfiltration and tunneling through RDP","Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.","Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe","Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications","Detects addition of users to the local administrator group via \"Net\" or \"Add-LocalGroupMember\".","Detects addition of users to highly privileged groups via \"Net\" or \"Add-LocalGroupMember\".","Detects addition of users to the local Remote Desktop Users group via \"Net\" or \"Add-LocalGroupMember\".","Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection","Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution","The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. 
These files are simply XML and contain paths to various Windows 10 settings binaries.","Detects cases in which an ISO file is opened within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)","Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc., and connects to a web application over http(s). This could indicate a possible phishing attempt.","Detects potential commandline obfuscation using known escape characters","Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix).\nAttackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.","Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.\nClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.\nThe victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.","Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline","Detects command line parameters or strings often used by crypto miners","Detects the use of various CLI utilities exfiltrating data 
via web requests","Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.","Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns","Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents","Detects the use of the filename DumpStack.log to evade Microsoft Defender","Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of \".asar\" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)","Detects events that appear when a user click on a link file with a powershell command in it","Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.","Detects changes to environment variables related to ETW logging via the CommandLine.\nThis could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.","Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.","Detects a potentially suspicious execution of a parent process located in the \"\\Users\\Public\" folder executing a child process containing references to shell or scripting binaries and commandlines.","Detects a potentially suspicious execution from an uncommon folder.","Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.\nThis attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,\nwhich may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.\nThe clipboard content 
usually contains commands that download and execute malware, such as information stealing tools.","Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine","Detects command line containing reference to the \"::$index_allocation\" stream, which can be used as a technique to prevent access to folders or files from tooling such as \"explorer.exe\" or \"powershell.exe\"","Monitors for the hiding of possibly malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privilege to be written to and executed from.","Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\nThis is used as an obfuscation and masquerading technique. Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.","Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)","Detects encoded base64 MZ header in the commandline","Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec","Detects potentially suspicious search for JWT tokens via CLI by looking for the string \"eyJ0eX\" or \"eyJhbG\".\nJWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.\nThreat actors may search for these tokens to steal them for lateral movement or privilege escalation.","Detects the presence of the keywords \"lsass\" and \".dmp\" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.","Detects usage of the \"ms-appinstaller\" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE\nThe downloaded files are temporarly stored in \":\\Users\\%username%\\AppData\\Local\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\AC\\INetCache\\<RANDOM-8-CHAR-DIRECTORY>\"","Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems","Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system","Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.","Detect the use of processes with no name (\".exe\"), which can be used to evade Image-based detections.","Detects whether the image specified in a process creation event doesn't refer to an \".exe\" (or other known executable extension) file. 
This can be caused by process ghosting or other unorthodox methods to start a process.\nThis rule might require some initial baselining to align with some third party tooling in the user environment.","Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry","Detects suspicious process patterns used in NTDS.DIT exfiltration","Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection","Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection","Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command","Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line","Detects suspicious parent processes that should not have any children or should only have a single possible child program","Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools","Detect suspicious parent processes of well-known Windows processes","Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools","Detects process execution from a fake recycle bin folder, often used to avoid security solution.","Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers","Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. 
This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.","Detects the presence of the \"U+202E\" (right-to-left override) character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis character is used as an obfuscation and masquerading technique by adversaries to trick users into opening malicious files.","Detects suspicious script executions from a temporary folder","Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).\nThis behavior is indicative of an attempt to find and steal secrets, as seen in the \"Shai-Hulud: The Second Coming\" campaign.","Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)","Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths","Detects a service binary running in a suspicious directory","Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)","Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.","Detects Access to Domain Group Policies stored in SYSVOL","The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application\nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr","There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used by adversaries to execute malicious code via a signed, verified binary.\nThe debugger is installed alongside the Microsoft Visual Studio package.","Detects the suspicious use of the Velociraptor DFIR tool to execute 
other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.","Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.\nAn example would be a threat actor creating a new user via the net command and providing the password inline","Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine","Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)","Detects using WorkFolders.exe to execute an arbitrary control.exe","It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.","Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.\nThis could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.","Detects an uncommon svchost parent process","Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools","Detects usage of the SysInternals Procdump utility","Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name","Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.\nThis rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.\nLSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.\nAttackers commonly dump LSASS memory to extract credentials for lateral movement and privilege 
escalation.","Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights","Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility","Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)","Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges","Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)","Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders","Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques","Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.","Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM","Detects the creation of a process via the Windows task manager. 
This might be an attempt to bypass UAC","Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.\nThe database might contain authentication tokens and other sensitive information about the logged in accounts.","Detects a tscon.exe start as LOCAL SYSTEM","Detects a suspicious RDP session redirect using tscon.exe","Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)","Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)","Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)","Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)","Detects the pattern of UAC Bypass using Event Viewer RecentViews","Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.","Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)","Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)","Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)","A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.","Detects indicators of a UAC bypass method by mocking directories","Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config","Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)","Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon","Detects uncommon \"userinit.exe\" child processes, which could be a sign of uncommon shells or login scripts used for persistence.","Detects attempts to modify the registry using VBScript's CreateObject(\"Wscript.shell\") and RegWrite methods via common LOLBINs.\nIt could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell.\nThreat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.","Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.","Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys","Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. 
This could indicate an attempt of persistence via VsCode tasks or terminal profiles.","Detects the installation of VsCode tunnel (code-tunnel) as a service.","Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter","Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity","Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity","Detects possible execution via LNK file accessed on a WebDAV server.","Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells","Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system","Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) 
that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands","Detects suspicious Windows Error Reporting manager (wermgr.exe) child process","Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.","Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)","Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)","Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).","Detects suspicious processes including shells spawned from WinRM host process","Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.","An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities","Detects a WMI backdoor in Exchange Transport Agents via WMI event filters","Detects WMI script event consumers","Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence","Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsvr32\", etc.","Detects uninstallation or termination of security products using the WMIC utility","Detects WmiPrvSE spawning a process","Detects suspicious and uncommon child processes of WmiPrvSE","Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section","Detects wscript/cscript executions of scripts located in user directories","Detects potentially suspicious child processes of Wscript/Cscript. 
These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\nMalware such as Pikabot and Qakbot were seen using similar techniques as well as many others.","Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL","Detects the use of Kali Linux through Windows Subsystem for Linux","Detects the execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract \".cab\" files using the \"/extract\" argument from potentially suspicious paths.","Detects execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.\nAttackers could instantiate an instance of \"wusa.exe\" in order to bypass User Account Control (UAC). They can duplicate the access token from \"wusa.exe\" to gain elevated privileges.","Detects the execution of Xwizard tool with the \"RunWizard\" flag and a GUID like argument.\nThis utility can be abused in order to run custom COM object created in the registry.","Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS\nprocess instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.","The following analytic detects `spoolsv.exe` writing a `.dll` file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages the Endpoint datamodel, specifically monitoring process and filesystem events to identify `.dll` file creation within the `\\spool\\drivers\\x64\\` path. This activity is significant as it may signify an attacker attempting to execute malicious code via the Print Spooler service. If confirmed malicious, this could lead to unauthorized code execution and potential system compromise. 
Immediate endpoint isolation and further investigation are recommended.","The following analytic detects the creation of .wav files in the AppData folder, a behavior associated with Remcos RAT malware, which stores audio recordings in this location for data exfiltration. The detection leverages endpoint process and filesystem data to identify .wav file creation within the AppData\\Roaming directory. This activity is significant as it indicates potential unauthorized data collection and exfiltration by malware. If confirmed malicious, this could lead to sensitive information being sent to an attacker's command and control server, compromising the affected system's confidentiality.","The following analytic detects when a process attempts to execute a file from within an NTFS file system alternate data stream. This detection leverages process execution data from sources like Windows process monitoring or Sysmon Event ID 1, focusing on specific processes known for such behavior. This activity is significant because alternate data streams can be used by threat actors to hide malicious code, making it difficult to detect. If confirmed malicious, this could allow an attacker to execute hidden code, potentially leading to unauthorized actions and further compromise of the system.","The following analytic detects BitLockerToGo.exe execution, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits. 
However, note that if legitimate use of BitLockerToGo.exe is in the organization, this detection will","The following analytic detects the installation of PowerShell Web Access using the Deployment Image Servicing and Management (DISM) tool. It leverages Sysmon EventID 1 to identify the execution of `dism.exe` with specific parameters related to enabling the WindowsPowerShellWebAccess feature. This activity is significant because enabling PowerShell Web Access can facilitate remote execution of PowerShell commands, potentially allowing an attacker to gain unauthorized access to systems and networks. If confirmed malicious, this action could lead to further exploitation and compromise of the affected system.","This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.","This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes with abnormally large padding (50 or more spaces) in the command line. This specific pattern is a key indicator of the ZDI-CAN-25373 Windows shortcut zero-day vulnerability exploitation, where threat actors craft malicious LNK files containing padded content to trigger code execution. The excessive spacing in the command line is used to manipulate the way Windows processes the shortcut file, enabling arbitrary code execution. This technique has been actively exploited by multiple APT groups in targeted attacks, with malicious LNK files being delivered through both HTTP and SMB protocols. 
The presence of significant command line padding when Explorer.exe launches command shells is highly suspicious and warrants immediate investigation.","The following analytic detects instances where file or folder permissions are modified to grant read-only access. Such changes are characterized by the presence of read-related permissions (e.g., R, REA, RA, RD) and the absence of write (W) or execute (E) permissions. Monitoring these events is crucial for tracking access control changes that could be intentional for restricting access or indicative of malicious behavior. Alerts generated by this detection help ensure that legitimate security measures are enforced while unauthorized changes are promptly investigated.","The following analytic detects the enabling of permission inheritance using ICACLS. This analytic identifies instances where ICACLS commands are used to enable permission inheritance on files or directories. The /inheritance:e flag, which restores inherited permissions from a parent directory, is monitored to detect changes that might reapply broader access control settings. Enabling inheritance can indicate legitimate administrative actions but may also signal attempts to override restrictive custom permissions, potentially exposing sensitive files to unauthorized access.","The following analytic detects the removal of permission inheritance using ICACLS. This analytic identifies instances where ICACLS is used to remove permission inheritance from files or directories. The /inheritance:r flag, which strips inherited permissions while optionally preserving or altering explicit permissions, is monitored to detect changes that may restrict access or establish isolated permission configurations. 
Removing inheritance can be a legitimate administrative action but may also indicate an attempt to conceal malicious activity or bypass inherited security controls.","The following analytic identifies a LOLBAS process being executed outside of its expected location.\nProcesses being executed outside of expected locations may be an indicator that an adversary is attempting to evade defenses or execute malicious code.\nThe LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code.","The following analytic detects Office products writing .cab or .inf files, indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and Endpoint.Filesystem data models to identify Office applications creating these file types. This activity is significant as it may signal an attempt to load malicious ActiveX controls and download remote payloads, a known attack vector. If confirmed malicious, this could lead to remote code execution, allowing attackers to gain control over the affected system and potentially compromise sensitive data.","The following analytic detects the use of mmc.exe to launch Computer Management (compmgmt.msc) and connect to a remote machine. This technique allows administrators to access system management tools, including Event Viewer, Services, Shared Folders, and Local Users & Groups, without initiating a full remote desktop session. While commonly used for legitimate administrative purposes, adversaries may leverage this method for remote reconnaissance, privilege escalation, or persistence. Monitoring the execution of mmc.exe with the /computer:{hostname/ip} argument can help detect unauthorized system administration attempts or lateral movement within a network.","The following analytic detects the execution of winrshost.exe initiating CMD or PowerShell processes as part of a potential payload execution. 
winrshost.exe is associated with Windows Remote Management (WinRM) and is typically used for remote execution. By monitoring for this behavior, the detection identifies instances where winrshost.exe is leveraged to run potentially malicious commands or payloads via CMD or PowerShell. This behavior may indicate exploitation of remote management tools for unauthorized access or lateral movement within a compromised environment, signaling a potential security incident.","This analytic detects instances where the sqlservr.exe process spawns a command shell (cmd.exe) or PowerShell process. This behavior is often indicative of command execution initiated from within the SQL Server process, potentially due to exploitation of SQL injection vulnerabilities or the use of extended stored procedures like xp_cmdshell.","The following analytic detects an anomaly where an svchost.exe process is spawned by a parent process other than the standard services.exe. In a typical Windows environment, svchost.exe is a system process that hosts Windows service DLLs, and is expected to be a child of services.exe. A process deviation from this hierarchy may indicate suspicious behavior, such as malicious code attempting to masquerade as a legitimate system process or evade detection. It is essential to investigate the parent process and associated behavior for further signs of compromise or unauthorized activity.","Detects abuse of Tiny-C-Compiler (TinyCC) for shellcode execution, where tcc.exe is renamed to masquerade as svchost.exe and used to compile and execute C source files containing shellcode. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers renamed tcc.exe to svchost.exe and executed conf.c containing Metasploit block_api shellcode with the flags -nostdlib -run.\nTinyCC is a legitimate C compiler, but its ability to compile and execute code on-the-fly makes it attractive to attackers seeking to evade detection. 
The combination of a renamed compiler binary executing from non-standard locations with suspicious flags is a strong indicator of malicious activity.","The following analytic detects an unusual process execution pattern where a process running from C:\\Windows\\SysWOW64\\ attempts to execute a binary from C:\\Windows\\System32\\. In a typical Windows environment, 32-bit processes under SysWOW64 should primarily interact with 32-bit binaries within the same directory. However, an execution flow where a 32-bit process spawns a 64-bit binary from System32 can indicate potential process injection, privilege escalation, evasion techniques, or unauthorized execution hijacking.","Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities","Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity","The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions.","The following analytic detects the addition of a new member to the DnsAdmins group in Active Directory by leveraging Event ID 4732. This detection uses security event logs to identify changes to this high-privilege group. 
Monitoring this activity is crucial because members of the DnsAdmins group can manage the DNS service, often running on Domain Controllers, and potentially execute malicious code with SYSTEM privileges. If confirmed malicious, this activity could allow an attacker to escalate privileges and gain control over critical domain services, posing a significant security risk.","Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain\ncontroller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation\nstep to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin\nprivileges.","The following analytic detects changes to computer accounts using an anonymous logon.\nIt leverages Windows Security Event Codes 4742 (Computer Change) with a SubjectUserName of a value \"ANONYMOUS LOGON\".\nThis activity can be significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration.\nIf confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.","The following analytic identifies a genuine Domain Controller (DC) promotion event by detecting when a computer assigns itself the necessary Service Principal Names (SPNs) to function as a domain controller. It leverages Windows Security Event Code 4742 to monitor existing domain controllers for these changes. This activity is significant as it can help identify rogue DCs added to the network, which could indicate a DCShadow attack. 
If confirmed malicious, this could allow an attacker to manipulate Active Directory, leading to potential privilege escalation and persistent access within the environment.","Detects remote task creation via at.exe or API interacting with ATSVC namedpipe","Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.","Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.","Detects execution of Impacket's psexec.py.","Detect AD credential dumping using impacket secretdump HKTL","This detection excludes known named pipes accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote exec using named pipes","Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.","Detect PetitPotam coerced authentication activity.","Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers","Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).","detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one","Detects known sensitive file extensions accessed on a network share","Detects remote service activity via remote access to the svcctl named pipe","Transferring files with well-known filenames (sensitive files with credential data) using network shares","Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.","Identifies potential relay attacks against a machine account by identifying network share access events coming from a\nremote source.ip but using the target server computer account. This may indicate a successful SMB relay attack.","Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an\nattempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for\ncredential access and privileges elevation.","The following analytic detects executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). It leverages Windows Security Event Logs with EventCode 5145 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed for lateral movement and remote code execution. 
If confirmed malicious, this activity could allow an attacker to execute arbitrary code remotely, potentially compromising additional systems within the network.","The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access to specific file types and network shares. This activity is significant as it can reveal insider threats attempting to transfer classified or internal files, potentially leading to data breaches or evidence tampering. If confirmed malicious, this behavior could result in unauthorized data access, data loss, or compromised sensitive information.","The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as PetitPotam can coerce authentication from domain controllers, potentially leading to unauthorized access. If confirmed malicious, this activity could allow attackers to escalate privileges or move laterally within the network, posing a severe security risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic effectively.","The following analytic detects a source computer accessing Windows administrative shares (C$, Admin$, IPC$) on 30 or more remote endpoints within a 5-minute window. It leverages Event IDs 5140 and 5145 from file share events. This behavior is significant as it may indicate an adversary enumerating network shares to locate sensitive files, a common tactic used by threat actors. 
If confirmed malicious, this activity could lead to unauthorized access to critical data, lateral movement, and potential compromise of multiple systems within the network.","Detects execution of 7z in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.","Detects the execution \"AccCheckConsole\" a command-line tool for verifying the accessibility implementation of an application's UI.\nOne of the tests that this checker can run are called \"verification routine\", which tests for things like Consistency, Navigation, etc.\nThe tool allows a user to provide a DLL that can contain a custom \"verification routine\". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the \"AccCheckConsole\" utility.","Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.","Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.","Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.","Detects execution of \"AdPlus.exe\", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.","Detects execution of the AgentExecutor.exe binary. 
Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument","Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell.\nAMSI provides a generic interface for applications and services to integrate with antimalware products.\nAdversaries may disable AMSI to evade detection of malicious scripts and code execution.","Detects the start of a non built-in assistive technology applications via \"Atbroker.EXE\".","Detects usage of attrib.exe to hide files from users.","Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs","Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.","Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.","Detects execution of Microsoft bash launcher with the \"-c\" flag.\nThis can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.","Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.\nThis can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.","Detects the use of the bcdedit command to tamper with the boot configuration data. 
This technique is often times used by malware or attackers as a destructive way before launching ransomware.","Detects potential malicious and unauthorized usage of bcdedit.exe","Detects the execution of the BCP utility in order to export data from the database.\nAttackers were seen saving their malware to a database column or table and then later extracting it via \"bcp.exe\" into a file.","Detects usage of bitsadmin downloading a file","Detects usage of bitsadmin downloading a file using an URL that contains an IP","Detects usage of bitsadmin downloading a file from a suspicious domain","Detects usage of bitsadmin downloading a file with a suspicious extension","Detects usage of bitsadmin downloading a file to a suspicious target folder","BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.\nWhen the job runs on the system the command specified in the BITS job will be executed.\nThis can be abused by actors to create a backdoor within the system and for persistence.\nIt will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.","Detects the use of Tor or Tor-Browser to connect to onion routing networks","Detects usage of \"cdb.exe\" to launch arbitrary processes or commands from a debugger script file","Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.","Detects when a user downloads a file by using CertOC.exe","Detects when a user downloads a file from an IP based URL using CertOC.exe","Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.","Detects when a user installs certificates by using CertOC.exe to load the target DLL file.","Detects a suspicious CertReq execution downloading a 
file.\nThis behavior is often used by attackers to download additional payloads or configuration files.\nCertreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.","Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.","Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution","Detects the execution of certutil with certain flags that allow the utility to download files.","Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.","Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.","Detects the execution of certutil with the \"encode\" flag to encode a file to base64. 
This can be abused by threat actors and attackers for data exfiltration","Detects the execution of certutil with the \"encode\" flag to encode a file to base64 where the extensions of the file is suspicious","Detects the execution of certutil with the \"encode\" flag to encode a file to base64 where the files are located in potentially suspicious locations","Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.","Detects possible NTLM coercion via certutil using the 'syncwithWU' flag","Detects use of chcp to look up the system locale value as part of host discovery","Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives","Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory","Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.","Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.\nThe free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.\nThe tool has been observed in use by threat groups including Akira ransomware.","Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. 
File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.","Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.","Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share","Detects execution of the builtin \"del\"/\"erase\" commands in order to delete files.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.","Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. 
This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.","Detects usage of the \"dir\" command part of Windows CMD with the \"/S\" command line flag in order to enumerate files in a specified directory and all subdirectories.","Detects cmd.exe executing commands with the \"start\" utility using \"/b\" (no window) or \"/min\" (minimized) flags.\nTo reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.\nThis technique was observed in Chaos, DarkSide, and Emotet malware campaigns.","Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.","Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files","Detects potential path traversal attempt via cmd.exe. 
Could indicate possible command/argument confusion/hijacking","Detects uncommon and potentially suspicious one-liner command containing both \"ping\" and \"copy\" at the same time, which is usually used by malware.","Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.","Detects execution of the builtin \"rmdir\" command in order to delete directories.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.","Detect the use of \"<\" to read and potentially execute a file via cmd.exe","Detects usage of \"cmdkey.exe\" to add generic credentials.\nAs an example, this can be used before connecting to an RDP session via command line interface.","Detects usage of cmdkey to look for cached credentials on the system","Detects execution of Cmdl32 with the \"/vpn\" and \"/lan\" flags.\nAttackers can abuse this utility in order to download arbitrary files via a configuration file.\nInspect the location and the content of the file passed as an argument in order to determine if it is suspicious.","Detects the execution of \"ConfigSecurityPolicy.EXE\", a binary part of Windows Defender used to manage settings in Windows Defender.\nUsers can configure different pilot collections for each of the co-management workloads.\nIt can be abused by attackers in order to upload or download files.","Detects the use of powershell commands from headless ConHost window.\nThe \"--headless\" flag hides the windows from the user upon 
execution.","detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking","Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.","Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.","Detects the malicious use of a control panel item","Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs.\nThe fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.\nIt is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.\nOn top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,\nit is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.","Detects uses of the createdump.exe LOLOBIN utility to dump process memory","Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell.\nCredential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.\nAdversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.\nThe rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags.\nSuch activity may indicate an attempt to disable or tamper with Credential Guard, 
potentially exposing sensitive credentials for misuse.","Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.","Detects a potentially suspicious parent of \"csc.exe\", which could be a sign of payload delivery.","Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'","Detects the execution of CSharp interactive console by PowerShell","Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.","Detects execution of \"curl.exe\" with the \"-c\" flag in order to save cookie data.","Detects execution of \"curl.exe\" with a potential custom \"User-Agent\". Attackers can leverage this to download or exfiltrate data via \"curl\" to a domain that only accept specific \"User-Agent\" strings","Detects file downloads directly from IP address URL using curl.exe","Detects potentially suspicious file downloads directly from IP addresses using curl.exe","Detects potentially suspicious file download from file sharing domains using curl.exe","Detects execution of \"curl.exe\" with the \"--insecure\" flag.","Detects execution of \"curl.exe\" with the \"insecure\" flag over proxy or DOH.","Detects execution of \"curl.exe\" with the \"file://\" protocol handler in order to read local files.","Detects a suspicious curl process start on Windows and outputs the requested document to a local file","Detects the execution of \"dctask64.exe\", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.\nThis binary can be abused for DLL injection, arbitrary command and process execution.","Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry 
keys.\nThis action removes the \"Scan with Microsoft Defender\" option from the right-click menu for files, directories, and drives.\nAttackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.","Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.\nThis can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.\nThis has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.","Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter","Detect the usage of \"DirLister.exe\" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.","Detects execution of \"Diskshadow.exe\" in script mode to execute an script with a potentially uncommon extension.\nInitial baselining of the allowed extension list is required.","Detects execution of \"Diskshadow.exe\" in script mode using the \"/s\" flag where the script is located in a potentially suspicious location.","Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse","Deployment Image Servicing and Management tool. 
DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images","Detects execution of arbitrary DLLs or unsigned code via a \".csproj\" files via Dotnet.EXE.","Detects commandline arguments for executing a child process via dotnet-trace.exe","Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS.","Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers","Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers","Detects usage of Dsacls to grant over permissive permissions","Detects possible password spraying attempts using Dsacls","Detects execution of \"dsquery.exe\" for domain trust discovery","Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.\nCurrently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.","Detects the use of \"DumpMinitool.exe\" a tool that allows the dump of process memory via the use of the \"MiniDumpWriteDump\"","Detects suspicious ways to use the \"DumpMinitool.exe\" binary","Detects the execution of \"DXCap.EXE\" with the \"-c\" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. 
This can be abused to potentially bypass application whitelisting.","Files with well-known filenames (sensitive files with credential data) copying","One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe","Detects attempts to disable security event logging by adding the `MiniNt` registry key.\nThis key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.\nAdversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.","Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks","Detects execution of \"findstr\" with specific flags and a remote share path. This specific set of CLI flags would allow \"findstr\" to download the content of the file located on the remote share as described in the LOLBAS entry.","Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.","Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack","Detects findstring commands that include the keyword lsass, which indicates recon activity for the LSASS process PID","Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords.\nThis was seen being used in combination with \"icacls\" and other utilities to spot misconfigured files or folders permissions.","Detects execution of \"findstr\" to search for common names of security tools. 
Attackers often pipe the results of recon commands such as \"tasklist\" or \"whoami\" to \"findstr\" in order to filter out the results.\nThis detection focuses on the keywords that the attacker might use as a filter.","Detects execution of findstr with the \"s\" and \"i\" flags for a \"subfolder\" and \"insensitive\" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.","Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).","Detects execution of the \"finger.exe\" utility.\nFinger.EXE or \"TCPIP Finger Command\" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.\nDue to the old nature of this utility and the rareness of machines having the finger service. 
Any execution of \"finger.exe\" can be considered \"suspicious\" and worth investigating.","Detect filter driver unloading activity via fltmc.exe","Detects possible Sysmon filter driver unloaded via fltmc.exe","Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.","Detects the execution of \"forfiles\" with the \"/c\" flag.\nWhile this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.\nCan be used to bypass application whitelisting.","Detects the execution of FSharp Interpreters \"FsiAnyCpu.exe\" and \"FSi.exe\"\nBoth can be used for AWL bypass and to execute F# code via scripts or inline.","Attackers may leverage fsutil to enumerated connected drives.","Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.","Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).","Detects execution of \"ftp.exe\" script with the \"-s\" or \"/s\" flag and any child processes ran by \"ftp.exe\".","Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious","Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution.\nShai-Hulud is an npm supply chain worm targeting CI/CD environments.\nIt installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.","Detects usage of Gpg4win to decrypt files","Detects usage of Gpg4win to encrypt files","Detects the execution of \"gpg.exe\" from uncommon location. 
Often used by ransomware and loaders to decrypt/encrypt data.","Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.","Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.","Detects the execution of \"hh.exe\" to open \".chm\" files.","Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.","Detects a suspicious execution of a Microsoft HTML Help (HH.exe)","Detects command line parameters used by Bloodhound and Sharphound hack tools","Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.","Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.","Detects use of Cobalt Strike commands accidentally entered in the CMD shell","Detects Cobalt Strike module/commands accidentally entered in CMD shell","Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.","Detects potential process patterns related to Cobalt Strike beacon activity","Detects the use of CoercedPotato, a tool for privilege escalation","The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.","Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine","Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods","Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory","Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.\nEDR-Freeze leverages a race-condition attack to put security processes into a 
dormant state by suspending WerFaultSecure at the moment it freezes the target process.\nThis technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.","Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.","Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed","Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed","Detects the execution GMER tool based on image and hash fields.","Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same","Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework","Detects execution of the Impersonate tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively","Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool","Detects the use of Jlaive to execute assemblies in a copied PowerShell","Detects command line parameters used by Koadic hack tool","Detects the use of KrbRelay, a Kerberos relaying tool","Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.","Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced","Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples","Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff","Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files","Detects the execution of the PurpleSharp adversary simulation tool","Detects the execution of the hacktool Rubeus via PE information of command line parameters","Detects the execution of the hacktool SafetyKatz via PE information and default Image name","Detects the execution of SecurityXploded Tools","Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent","Detects usage of the Sharp Chisel via the commandline arguments","Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.\nSharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.","Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively","Detects execution of the SharpLDAPmonitor. 
Which can monitor the creation, deletion and changes to LDAP objects.","Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms","Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs","Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller","Detects the execution of SharpMove, a .NET utility performing multiple tasks such as \"Task Creation\", \"SCM\" query, VBScript execution using WMI via its PE metadata and command line options.","Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.\nSuccessful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.","Detects the use of SharpUp, a tool for local privilege escalation","Detects SILENTTRINITY stager use via PE metadata","Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.","Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120","Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.","Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata","Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.\nIt is often used by threat actors for credential dumping and lateral movement within compromised networks.","WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. 
The checks are explained on book.hacktricks.xyz","Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's\n(Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.","Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe.\nHVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.\nAdversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.","Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files","Detects execution of the IEExec utility to download and execute files","Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.\nThis behavior has been observed in-the-wild by different threat actors.","Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)","Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords","Detects suspicious IIS native-code module installations via command line","Detects usage of \"appcmd\" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.","Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.","Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.\nThreat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.","Detects the use of \"Ilasm.EXE\" in order to compile C# intermediate (IL) code to EXE or DLL.","Detects usage of \"IMEWDBLD.exe\" to download arbitrary files","Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to \"%LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\\"","Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)","Detects the execution of the \"jsc.exe\" (JScript Compiler).\nAttacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.","Detects execution of the Windows Kernel Debugger \"kd.exe\".","Detects potentially suspicious child processes of KeyScrambler.exe","Detects password change for the computer's domain account or host principal via \"ksetup.exe\"","Detects password change for the logged-on user's via \"ksetup.exe\"","Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.","Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.","Detects the execution of \"lodctr.exe\" to rebuild the performance counter registry values. 
This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.","Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions","Detects when a user performs data exfiltration by using DataSvcUtil.exe","Download or Copy file with Extrac32","Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy","Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories","Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution","Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary","Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting","Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.","Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.","Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.","The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting","Detects using SettingSyncHost.exe to run hijacked binary","Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.","Detects potential DLL injection and execution using \"Tracker.exe\"","Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)","Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"","VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.","The 
\"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries","The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.","Detects potential abuse of the \"register_app.vbs\" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.","Detects modification of LSA PPL protection settings via CommandLine.\nIt may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.","Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs).\nAdversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.","Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.","Detects a CodePage modification using the \"mode.com\" utility to Russian language.\nThis behavior has been used by threat actors behind Dharma ransomware.","Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts","Detects the use of Windows Defender MpCmdRun.EXE to download files","Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files","Detects suspicious execution of 'Msbuild.exe' by a uncommon parent 
process","Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability","Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190","Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation","Detects usage of \"msedge_proxy.exe\" to download arbitrary files","Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file","Detects execution of javascript code using \"mshta.exe\".","Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution","Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,\nsuch as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications\ncontaining VBScript or JScript. 
Threat actors often abuse this lolbin utility to download and\nexecute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.","Detects suspicious mshta process execution patterns","Detects MsiExec loading a DLL and calling its DllUnregisterServer function","Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads","Detects usage of Msiexec.exe to install packages hosted remotely quietly","Detects the execution of msiexec.exe from an uncommon directory","Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.\nThis activity may indicate malicious MSIX packages built with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.","Detects usage of \"MSOHTMED\" to download arbitrary files","Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files","Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics","This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.","This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.","Detects suspicious child processes of the Veeam service process. 
This could indicate potential RCE or SQL Injection.","Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.","Detects potential RDP connection via Mstsc using a local \".rdp\" file","Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.","Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE\nCheck if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)","Detects the usage of the \"net.exe\" command to start a service using the \"start\" flag","Detects the stopping of a Windows service via the \"net\" utility.","Detects when an admin share is mounted using net.exe","Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility","Detects when a share is mounted using the \"net.exe\" utility","Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.","Detects when net.exe is called with a password in the command line","Identifies the creation of local users via the net.exe command.","Detects creation of local users via the net.exe command with the option \"never expire\"","Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. 
For example 'enable' or 'disable' accounts or change the password...etc","Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.","Detects the addition of a new rule to the Windows firewall via netsh","Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall","Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware","Detects the removal of a port or application rule in the Windows Firewall configuration using netsh","Detects netsh commands that turns off the Windows firewall","Adversaries may modify system firewalls in order to bypass controls limiting network usage","Detects execution of netsh with the \"advfirewall\" and the \"set\" option in order to set new values for properties of a existing rule","Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.","Detects the execution of netsh with the \"trace\" flag in order to start a network capture","Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule","Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule","Detect the harvesting of wifi credentials using netsh.exe","Detects nltest commands that can be used for information discovery","Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records","Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.","Detects execution of \"odbcconf\" with \"INSTALLDRIVER\" which installs a new ODBC driver. 
Attackers abuse this to install and run malicious DLLs.","Detects execution of \"odbcconf\" with the \"INSTALLDRIVER\" action where the driver doesn't contain a \".dll\" extension. This is often used as a defense evasion method.","Detects execution of \"odbcconf\" where the path of the DLL being registered is located in a potentially suspicious location.","Detects execution of \"odbcconf\" with \"REGSVR\" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.","Detects execution of \"odbcconf\" with the \"REGSVR\" action where the DLL in question doesn't contain a \".dll\" extension. Which is often used as a method to evade defenses.","Detects execution of \"odbcconf\" with the \"-f\" flag in order to load a response file which might contain a malicious action.","Detects execution of \"odbcconf\" with the \"-f\" flag in order to load a response file with a non-\".rsp\" extension.","Detects potential arbitrary file download using a Microsoft Office application","Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the \"ActivateMicrosoftApp\" Excel DCOM object.","Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.","Detects suspicious child processes of the Microsoft OneNote application. 
This may indicate an attempt to execute malicious embedded objects from a .one file.","Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)","Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.","Detects execution of Windows Defender \"OfflineScannerShell.exe\" from its non standard directory.\nThe \"OfflineScannerShell.exe\" binary is vulnerable to DLL side loading and will load any DLL named \"mpclient.dll\" from the current working directory.","Detect use of PDQ Deploy remote admin tool","Detects execution of perl using the \"-e\"/\"-E\" flags. This could be used as a way to launch a reverse shell or execute live perl code.","Detects execution of php using the \"-r\" flag. This could be used as a way to launch a reverse shell or execute live php code.","Detects execution of PktMon, a tool that captures network packets.","Detects suspicious Plink tunnel port forwarding to a local port","Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout","Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)","Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains","Detects base64 encoded strings used in hidden malicious PowerShell command lines","Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls","Detects calls to base64 encoded WMI class such as \"Win32_ShadowCopy\", \"Win32_ScheduledJob\", etc.","Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity","Detects the presence of reversed PowerShell commands in the CommandLine. 
This is often used as a method of obfuscation by attackers","Detects the PowerShell command lines with special characters","Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).\nThe technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting\nmalformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection\nby hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with\nhidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.","Detects the execution of PowerShell commands that attempt to install MSI packages via the\nWindows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.\nThis could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.\nAnd the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.","Detects PowerShell commands that decrypt an \".LNK\" \"file to drop the next stage of the malware.","Detects attackers attempting to disable Windows Defender using Powershell","Detects attempts to disable the Windows Firewall using PowerShell","Detects a Powershell process that contains download commands in its command line string","Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe","Detects specific combinations of encoding methods in PowerShell via the commandline","Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access","Detects a suspicious call to 
Invoke-WebRequest cmdlet where the output is located in a suspicious location","Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class.\nThreat actors may use command line interfaces to request Kerberos tickets for service accounts in order to\nperform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse\ntechniques like silver ticket attacks.","Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.","Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.","Detects suspicious powershell invocations from interpreters or unusual programs","Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstoppable","Detects PowerShell execution to set the ACL of a file or a folder","Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.","Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"","Detects adding and using Exchange PowerShell snap-ins to export mailbox data. 
As seen used by HAFNIUM and APT27","Detects the stopping of a Windows service via the PowerShell Cmdlet \"Stop-Service\"","Detects a suspicious or uncommon parent processes of PowerShell","Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.","Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques","Detects presence of a potentially xor encoded powershell command","Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files","Detects the execution of \".xbap\" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious \".xbap\" files any bypass AWL","Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)","Detects the use of 3proxy, a tiny free proxy server","Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment","Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.","Detects the use of Advanced Port Scanner.","Detects the execution of AdvancedRun utility","Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.","Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative","Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.","Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.","Detects the use of IOX - a tool for port forwarding and intranet proxy purposes","Detects execution of the Kernel Driver Utility (KDU) tool.\nKDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.\nPotentially allowing for privilege escalation, persistence, or evasion of security controls.","In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.","Detects usage of SoftPerfect's \"netscan.exe\". An application for scanning networks.\nIt is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.","Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.","Detects usage of NimScan, a portscanner utility.\nIn early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment.\nThis rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.","Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity","Detects usage of nmap/zenmap. 
Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation","Detects the use of NPS, a port forwarding and intranet penetration proxy server","Detects the use of NSudo tool for command execution","Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.","Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.","Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).\nProcess Hacker is a tool to view and manipulate processes, kernel options and other low level options.\nThreat actors abused older vulnerable versions to manipulate system processes.","Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines","Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.","Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc","Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters","Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations","Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera","Detects usage of wsudo (Windows Sudo Utility). 
Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)","Detects Python one-liners that use base64 decoding functions in command line executions.\nMalicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.","Detects execution of python using the \"-c\" flag. This is could be used as a way to launch a reverse shell or execute live python code.","Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes","Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell.\nIn PowerShell one-liner commands, the \"SetAllowTSConnections\" method of the \"Win32_TerminalServiceSetting\" class may be used to enable or disable RDP.\nIn WMIC, the \"rdtoggle\" alias or \"Win32_TerminalServiceSetting\" class may be used for the same purpose.","Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory","Detects attempts to disable windows recovery environment using Reagentc.\nReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).\nIt allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.","Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. 
Often used by attacker to allow the ransomware to work in safe mode as some security products do not","Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.\nIn the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.\nAdversaries may delete this key to cover their tracks after executing commands.","Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products","Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services","Detects the execution of \"reg.exe\" to alter registry keys that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.","Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.","Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.\nBy setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events\nfrom being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.","Detects the usage of \"reg.exe\" in order to dump sensitive registry hives. 
This includes SAM, SYSTEM and SECURITY hives.","Detects the enabling of the Windows Recall feature via registry manipulation.\nWindows Recall can be enabled by deleting the existing \"DisableAIDataAnalysis\" value, or setting it to 0.\nAdversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\nThis rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.","Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility","Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.","Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values","Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys","Detects the usage of Reg.Exe to query system language settings.\nAttackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions,\nor avoid targeting certain locales to evade detection.","Detects the usage of \"reg.exe\" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection","Detects the execution of \"RegAsm.exe\" without a commandline flag or file, which might indicate potential process injection activity.\nUsually \"RegAsm.exe\" should point to a dedicated DLL file or call the help with the \"/?\" flag.","Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.","Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location","Detects the export of a crital Registry key to a file.","Detects the 
export of the target Registry key to a file.","Detects the import of the specified file to the registry with regedit.exe.","Detects the import of a alternate datastream to the registry with regedit.exe.","Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.","Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.","Detects the use of reg.exe to export registry paths associated with third-party credentials.\nCredential stealers have been known to use this technique to extract sensitive information from the registry.","Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.","Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.","Detects REGSVR32.exe to execute DLL hosted on remote shares","Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.","Detects execution of regsvr32 where the DLL is located in a highly suspicious locations","Detects the execution of REGSVR32.exe with DLL files masquerading as other files","Detects a \"regsvr32\" execution where the DLL doesn't contain a common file extension.","Detects the execution of an AnyDesk binary with a version prior to 8.0.8.\nPrior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.\nUse this rule to detect instances of older versions of Anydesk using the compromised certificate\nThis is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.","Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')","Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.\nRMM tools such as MeshAgent are commonly utilized by IT 
administrators for legitimate remote support and system management.\nHowever, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.","Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')","Detects the execution of a system command via the ScreenConnect RMM service.","Detects potentially suspicious child processes launched via the ScreenConnect client service.","Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.","Detects execution of a renamed autohotkey.exe binary based on PE metadata fields","Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.\nAutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks.\nAttackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. 
A renamed AutoIt executable is particularly suspicious.","Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.","Detects the execution of a renamed BOINC binary.","Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)","Detects the execution of a renamed \"cloudflared\" binary.","Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory","Detects the execution of a renamed \"CURL.exe\" binary based on the PE metadata fields","Detects a renamed \"dctask64.exe\" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.\nThis binary can be abused for DLL injection, arbitrary command and process execution.","Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields","Detects the execution of a renamed \"gpg.exe\". Often used by ransomware and loaders to decrypt/encrypt data.","Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group","Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag","Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.","Detects the execution of a renamed \"Msdt.exe\" binary","Detects the execution of a renamed Microsoft Teams binary.","Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings","Detects the execution of a renamed \"NirCmd.exe\" binary based on the PE metadata fields.","Detects the execution of a renamed office binary","Detects execution of renamed version of PAExec. 
Often used by attackers","Detects the execution of a renamed \"PingCastle\" binary based on the PE metadata fields.","Detects the execution of a renamed version of the Plink binary","Detects renamed execution of \"Microsoft.NodejsTools.PressAnyKey.exe\", which can be abused as a LOLBIN to execute arbitrary binaries","Detects execution of renamed Remote Utilities (RURAT) via Product PE header field","Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.\nOne of the very common persistence techniques is schedule malicious tasks using schtasks.exe.\nSince, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.","Detects suspicious renamed SysInternals DebugView execution","Detects the execution of a renamed ProcDump executable.\nThis often done by attackers or malware in order to evade defensive mechanisms.","Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators","Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)","Detects renamed vmnat.exe or portable version that can be used for DLL side-loading","Detects the execution of whoami that has been renamed to a different name to avoid detection","Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.","Detects execution of ruby using the \"-e\" flag. 
This is could be used as a way to launch a reverse shell or execute live ruby code.","Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).","Detects execution of \"rundll32\" calling \"advpack.dll\" with potential obfuscated ordinal calls in order to leverage the \"RegisterOCX\" function","An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver","Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)","Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service","Detects execution of \"rundll32\" with potential obfuscated ordinal calls","Detects execution of \"rundll32.exe\" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.","Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)","load malicious registered COM objects","setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. 
This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.","Detects shell32.dll executing a DLL in a suspicious directory","Detects potential \"ShellDispatch.dll\" functionality abuse to execute arbitrary binaries via \"ShellExecute\"","Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way","Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities","Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits","Detects the execution of Rundll32.exe with DLL files masquerading as image files","Detects suspicious call to the \"ShellExec_RunDLL\" exported function of SHELL32.DLL through the ordinal number to launch other commands.\nAdversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.","Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\nThreat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.","Detects rundll32 execution where the DLL is located on a remote location (share)","Detects the execution of rundll32 with a command line that doesn't contain a common extension","Detects a suspicious call to the user32.dll function that locks the user workstation","Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like \"C:\\windows\\system32\\davclnt.dll,DavSetCookie\".\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).","Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like 
C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397","This rule detects the execution of Run Once task as configured in the registry","Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"","Detects the enumeration and query of interesting and in some cases sensitive services on the system via \"sc.exe\".\nAttackers often try to enumerate the services currently running on a system in order to find different attack vectors.","Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.","Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.","Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.","Detection of sc.exe utility adding a new service with special permission which hides that service.","Detects the stopping of a Windows service via the \"sc.exe\" utility","Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware","Detects scheduled task creations that have suspicious action command and folder combinations","Detects scheduled task creation events that include suspicious actions, and is run once at 00:00","Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. 
This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.","Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.","Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader","Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.","Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.","Detects scheduled task creations or modification on a suspicious schedule type","Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type","Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence","Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.","Detects installation of a new shim using sdbinst.exe.\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims","Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims","Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy","Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.\nNode.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.\nAdversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.\nBecause Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.","Detects service principal name (SPN) enumeration used for Kerberoasting","Detects the execution of \"Setup16.EXE\" and old installation utility with a custom \".lst\" file.\nThese \".lst\" file can contain references to external program that \"Setup16.EXE\" will execute.\nAttackers and adversaries might leverage this as a living of the land utility.","Detects suspicious print spool service (spoolsv.exe) child processes.","Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.","Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.","Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs.","Detection of unusual child processes by different system processes","Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege","Detects attackers using tooling with bad opsec defaults.\nE.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.","Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts","Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.","Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.\nThis pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.\nThis behavior has been observed in various malicious lnk files.","Detects a copy command or a copy utility execution to or from an Admin share or remote","Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.","Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.","Detect execution of suspicious double extension files in ParentCommandLine","Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"","Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). 
This could be a sign of abuse to proxy execution through a signed binary.","Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.","Detects the clearing or configuration tampering of EventLog using utilities such as \"wevtutil\", \"powershell\" and \"wmic\".\nThis technique has been seen used by threat actors and ransomware strains in order to evade defenses.","Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.\nThis technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.","Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe","Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.","Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).\nAdversaries insert non-printable whitespace characters (e.g., Line Feed \\x0A, Carriage Return \\x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.\nThe hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.\nThis rule flags suspicious use of such padding observed in real-world attacks.","Local accounts, System Owner/User discovery using operating systems utilities","Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.","Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image detection","Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.\nThis detection assumes that PowerShell commands are passed via the CommandLine.","Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.","Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials","Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.\nAttackers can modify this registry key to execute malicious code with elevated privileges by hijacking the command execution path.","Detects a suspicious script execution in temporary folders or folders accessible by environment variables","Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. 
As seen being used in some ransomware scripts","Shadow Copies creation using operating systems utilities, possible credential access","Shadow Copies deletion using operating systems utilities","Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.","Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)","The Windows Test Authoring and Execution Framework (TAEF) allows you to run automation by executing test files written in different languages (C, C#, Microsoft COM Scripting interfaces).\nAdversaries may execute malicious code (such as a WSC file with VBScript, a DLL and so on) directly by running te.exe","Detects a suspicious child process of userinit","Detects a suspicious process that is masquerading as the legitimate \"svchost.exe\" by naming its binary \"svchost.exe\" and executing from an uncommon location.\nAdversaries often disguise their malicious binaries by naming them after legitimate system processes like \"svchost.exe\" to evade detection.","Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)","Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by Sysinternals and often abused by attackers to verify process privileges","Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases where administrators put passwords in the comment field.","Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory. 
This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.","Detects execution of LiveKD based on PE metadata or image name","Detects execution of LiveKD with the \"-m\" flag to potentially dump the kernel memory","Detects user accept agreement execution in psexec commandline","Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution","Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs","Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering","Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes","Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses","Detects the use of SDelete to erase a file not the free space","Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely","Detects the removal of Sysmon, which could be a potential attempt at defense evasion","Detects binaries that use the same name as legitimate sysinternals tools to evade detection.\nThis rule looks for the execution of binaries that are named similarly to Sysinternals tools.\nAdversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.","Detects usage of the \"systeminfo\" command to retrieve information","Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". 
Which allows the user to install untrusted packages.","Detects execution of \"tar.exe\" in order to create a compressed file.\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration.","Detects execution of \"tar.exe\" in order to extract compressed file.\nAdversaries may abuse various utilities in order to decompress data to avoid detection.","Detects the enumeration of a specific DLL or EXE being used by a binary via \"tasklist.exe\".\nThis is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.\nIn order to dump the process memory or perform other nefarious actions.","Detects execution of \"Tpmvscmgr.exe\" to create a new virtual smart card.","Detects potential RDP Session Hijacking activity on Windows systems","Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)","Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files","Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)","Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in","Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface","Detects the \"IDiagnosticProfileUAC\" UAC bypass technique","Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)","Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)","Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)","Detects use of WSReset.exe to bypass User Account Control (UAC). 
Adversaries use this technique to execute privileged processes.","An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks","Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.\nAttackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.\nThis technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.","List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe","Detects when verclsid.exe is used to run a COM object via GUID","Detects execution of the \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flag to setup a specific script to run for a specific VM state","Detects execution of the \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state","Detects suspicious child process creations of VMware Tools process which may indicate persistence setup","Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel","Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.","Detects renamed Visual Studio Code tunnel execution. 
Attackers can abuse this functionality to establish a C2 channel","Detects execution of \"VSDiagnostics.exe\" with the \"start\" command in order to launch and proxy arbitrary binaries.","Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.\nVShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,\nattackers can leverage this parameter to proxy the execution of malware.","Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE.\nThe Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers.\nDisabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors\nto facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response","When configured with suitable command line arguments, w32tm can act as a delay mechanism","Detects the deletion of all backups or system state backups via \"wbadmin.exe\".\nThis technique is used by numerous ransomware families and actors.\nThis may only be successful on server platforms that have Windows Backup enabled.","Detects the deletion of backups or system state backups via \"wbadmin.exe\".\nThis technique is used by numerous ransomware families and actors.\nThis may only be successful on server platforms that have Windows Backup enabled.","Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\nAttackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.","Detects the recovery of files from backups via \"wbadmin.exe\".\nAttackers can restore sensitive files such as NTDS.DIT or Registry Hives 
from backups in order to potentially extract credentials.","Detects certain command line parameters often used during reconnaissance activity via web shells","Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation","Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass","Detects execution of \"WerFault.exe\" with the \"-pr\" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow","Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).\nThis technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.\nDistinct command line patterns help identify the specific tool:\n- WSASS usage typically shows: \"WSASS.exe WerFaultSecure.exe [PID]\" in ParentCommandLine\n- EDR-Freeze usage typically shows: \"EDR-Freeze_[version].exe [PID] [timeout]\" in ParentCommandLine\nLegitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.","Detects potentially suspicious file downloads directly from IP addresses using Wget.exe","Detects potentially suspicious file downloads from file sharing domains using wget.exe","Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe","Detects the execution of \"whoami.exe\" with the \"/all\" flag","Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors","Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security 
identifiers (SID), and attributes.","Detects the execution of \"whoami.exe\" with the \"/FO\" flag to choose CSV as output format or with redirection options to export the results to a file for later use.","Detects the execution of whoami.exe with suspicious parent processes.","Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.","Detects usage of winget to add new additional download sources","Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)","Detects usage of winget to add new potentially suspicious download sources","Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.\nThe manifest option enables you to install an application by passing in a YAML file directly to the client.\nWinget can be used to download and install exe, msi or msix files later.","Detects execution of WinRAR in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.","Detects potentially suspicious child processes of WinRAR.exe.","Detects a suspicious WinRAR execution in a folder which is not the default installation folder","Detects an attempt to execute code or create service on remote host via winrm.vbs.","Detects the execution of Winrs.exe where it is used to execute commands locally.\nCommands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.","Detects the execution of \"Wlrmdr.exe\" with the \"-u\" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.\nThis detection also focuses on 
any uncommon child processes spawned from \"Wlrmdr.exe\" as a supplement for those that possess \"ParentImage\" telemetry.","Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.","Detects potential tampering with Windows Defender settings such as adding exclusions using wmic","Detects new process creation using WMIC via the \"process call create\" flag","Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.","Detects the execution of WMIC with the \"csproduct\" flag, which is used to obtain information such as hardware models and vendor information","Detects the execution of \"wmic\" with the \"group\" flag.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.","Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. 
This is often used by pentester and attacker enumeration scripts","Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.","Detects the execution of WMIC in order to get a list of firewall and antivirus products","Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.\nAdversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.\nThis information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.","An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable","Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.","Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts","An adversary might use WMI to discover information about the system, such as the volume name, size,\nfree space, and other disk information. 
This can be done using the 'wmic' command-line utility and has been\nobserved being used by threat actors such as Volt Typhoon.","Detects the execution of WMIC to query information on a remote system","Detects usage of wmic to start or stop a service","Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)\nto execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process\nmalicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.\nThe attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it\nwith full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common\nLOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.","Detects the usage of wmic.exe to manipulate the Windows registry via the WMI StdRegProv class.\nThis behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.\nAttackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.","Office application called wmic to proxy execution through a LOLBIN process. 
This is often used to break suspicious parent-child chain (Office app spawns LOLBin).","Detects calls to the \"terminate\" function via wmic in order to kill an application","Detects the removal or uninstallation of an application via \"Wmic.EXE\".","Detects the execution of WMIC with the \"format\" flag to potentially load local XSL files.\nAdversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.\nExtensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.","Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.","Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension","Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL).\nAttackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.","Detects the execution of Windows binaries from within a WSL instance.\nThis could be used to masquerade parent-child relationships","Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.","Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags","Detects the execution of Xwizard tool from a non-default directory.\nWhen executed from a non-default directory, this utility can be abused in order to side load a custom version of \"xwizards.dll\".","Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent\nprocess. 
This may indicate a code injection attempt.","The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk.\nIt leverages data from the Endpoint data model, specifically monitoring process and filesystem activities.\nThis behavior can be significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files.\nIf confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network.","The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these tools to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration or further compromise of the network.","The following analytic detects instances of DLLHost.exe running without\ncommand line arguments while establishing a network connection.\nThis behavior is identified using Endpoint Detection and Response (EDR) telemetry,\nfocusing on process execution and network activity data.\nIt is significant because DLLHost.exe typically runs with specific arguments,\nand its absence can indicate malicious activity, such as Cobalt Strike usage.\nIf confirmed malicious, this activity could allow attackers to execute code,\nmove laterally, or exfiltrate data, posing a severe threat to the network's security.","The following analytic detects excessive usage of the `sc.exe` service utility on a host machine. 
It leverages Sysmon EventCode 1 logs to identify instances where `sc.exe` is executed more frequently than normal within a 15-minute window. This behavior is significant as it is commonly associated with ransomware, cryptocurrency miners, and other malware attempting to create, modify, delete, or disable services, potentially related to security applications or for privilege escalation. If confirmed malicious, this activity could allow attackers to manipulate critical services, leading to system compromise or disruption of security defenses.","The following analytic detects the execution of gpupdate.exe without command line arguments and with an active network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network traffic data. It is significant because gpupdate.exe typically runs with specific arguments, and its execution without them, especially with network activity, is often associated with malicious software like Cobalt Strike. If confirmed malicious, this activity could indicate an attacker leveraging gpupdate.exe for lateral movement, command and control, or other nefarious purposes, potentially leading to system compromise.","The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes related to \"com.apple.loginwindow.\" This activity is significant because it can indicate attempts to persist across reboots, a common tactic used by attackers to maintain access. If confirmed malicious, this could allow an attacker to execute code or maintain persistence on the affected system, potentially leading to further compromise.","The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. 
It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and complete command-line executions. This activity is significant because obfuscated PowerShell commands are often used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a significant security risk.","The following analytic identifies the creation of suspicious .aspx files in specific directories associated with Exchange exploitation by the HAFNIUM group and the ProxyShell vulnerability. It detects this activity by monitoring the MSExchangeMailboxReplication.exe process, which typically does not write .aspx files. This behavior is significant as it may indicate an active exploitation attempt on Exchange servers. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or maintain persistence within the environment. Immediate investigation and remediation are crucial to prevent further compromise.","The following analytic detects outbound network connections from Java processes to default ports used by LDAP and RMI protocols, which may indicate exploitation of the CVE-2021-44228-Log4j vulnerability.\nThis detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs.\nMonitoring this activity is crucial as it can signify an attacker's attempt to perform JNDI lookups and retrieve malicious payloads.\nIf confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server.","The following analytic identifies a process attempting to delete its own file path, a behavior often associated with defense evasion techniques. This detection leverages Sysmon EventCode 1 logs, focusing on command lines executed via cmd.exe that include deletion commands. 
This activity is significant as it may indicate malware, such as Clop ransomware, trying to evade detection by removing its executable file if certain conditions are met. If confirmed malicious, this could allow the attacker to persist undetected, complicating incident response and remediation efforts.","The following analytic detects the execution of rundll32.exe without command line arguments, followed by a network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry and network traffic data. It is significant because rundll32.exe typically requires arguments to function, and its absence is often associated with malicious activity, such as Cobalt Strike. If confirmed malicious, this activity could indicate an attempt to establish unauthorized network connections, potentially leading to data exfiltration or further compromise of the system.","The following analytic detects instances of searchprotocolhost.exe running without command line arguments but with an active network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network traffic data. It is significant because searchprotocolhost.exe typically runs with specific command line arguments, and deviations from this norm can indicate malicious activity, such as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers to establish network connections for command and control, potentially leading to data exfiltration or further system compromise.","The following analytic detects the creation of image files in the AppData folder by processes that also have a file reference in the same folder. It leverages data from the Endpoint.Processes and Endpoint.Filesystem datamodels to identify this behavior. 
This activity is significant because it is commonly associated with malware, such as the Remcos RAT, which captures screenshots and stores them in the AppData folder before exfiltrating them to a command-and-control server. If confirmed malicious, this activity could indicate unauthorized data capture and exfiltration, compromising sensitive information and user privacy.","The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin. It leverages the Endpoint.Filesystem and Endpoint.Processes data models in Splunk to identify any process writing to the \"*$Recycle.Bin*\" file path, excluding explorer.exe. This activity is significant because it may indicate an attacker attempting to hide their actions, potentially leading to data theft, ransomware, or other malicious outcomes. If confirmed malicious, this behavior could allow an attacker to persist in the environment and evade detection by security tools.","The following analytic identifies a non-lsass.exe process making an outbound connection on port 88, which is typically used by the Kerberos authentication protocol. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. This activity is significant because, under normal circumstances, only the lsass.exe process should interact with the Kerberos Distribution Center. If confirmed malicious, this behavior could indicate an adversary attempting to abuse the Kerberos protocol, potentially leading to unauthorized access or lateral movement within the network.","The following analytic detects instances where Java, or Tomcat\nprocesses spawn a Linux shell, which may indicate exploitation attempts, such as\nthose related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection\nand Response (EDR) telemetry, focusing on process names and parent-child process\nrelationships. 
This activity is significant as it can signify a compromised Java\napplication, potentially leading to unauthorized shell access. If confirmed malicious,\nattackers could execute arbitrary commands, escalate privileges, or maintain persistent\naccess, posing a severe threat to the environment.","The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model \"Endpoint.Processes\" to search for specific process names such as \"whoami\", \"ping\", \"iptables\", \"wget\", \"service\", and \"curl\". This activity is significant because these processes are often used by attackers for reconnaissance, persistence, or data exfiltration. If confirmed malicious, this could lead to data theft, deployment of additional malware, or even ransomware attacks. Immediate investigation is required to determine the legitimacy of the activity and mitigate potential threats.","The following analytic detects the use of unusual browser flags, specifically --mute-audio and --do-not-elevate, which deviate from standard browser launch behavior. These flags may indicate automated scripts, testing environments, or attempts to modify browser functionality for silent operation or restricted privilege execution. Detection focuses on non-standard launch parameters, unexpected process behavior, or deviations from baseline configurations. Monitoring such flag usage helps identify potentially suspicious activity, misconfigurations, or policy violations, enabling security teams to investigate anomalies, ensure system compliance, and differentiate legitimate administrative or testing uses from unusual or unauthorized operations.","The following analytic detects the spawning of ComputerDefaults.exe, a Windows system process used to manage default application associations. 
While normally legitimate, this process can be exploited by attackers to bypass User Account Control (UAC) and execute unauthorized code with elevated privileges. Detection focuses on abnormal execution patterns, unusual parent-child process relationships, or deviations from standard paths. Such behavior may indicate attempts to modify system defaults or run malicious scripts undetected. Monitoring ComputerDefaults.exe is critical to identify potential security threats, prevent privilege escalation, and maintain system integrity by distinguishing normal operations from suspicious activity.","Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication such as in CVE-2025-33073. This detection leverages process creation events looking for specific CREDENTIAL_TARGET_INFORMATION structures.","The following analytic identifies modifications to the TranscodedWallpaper file in the wallpaper theme directory, excluding changes made by explorer.exe. This detection leverages the Endpoint.Processes and Endpoint.Filesystem data models to correlate process activity with file modifications. This activity is significant as it may indicate an adversary attempting to deface or change the desktop wallpaper of a targeted host, a tactic often used to signal compromise or deliver a message. If confirmed malicious, this could be a sign of unauthorized access and tampering, potentially leading to further system compromise or data exfiltration.","This detection monitors the creation or modification of the Default.rdp file, typically found in the user's Documents folder, by a process other than mstsc.exe. This file is automatically generated or updated by the Remote Desktop Connection client (mstsc.exe) when a user initiates an RDP session. It stores connection settings such as the last-used hostname, screen size, and other preferences. 
The presence or update of this file strongly suggests that an RDP session has been launched from the system. Since this file is commonly overlooked, it can serve as a valuable artifact in identifying remote access activity, including potential lateral movement or attacker-controlled sessions.","This detection identifies the use of attrib.exe to remove hidden (-h) or system (-s) attributes from the Default.rdp file, which is automatically created in a user's Documents folder when a Remote Desktop Protocol (RDP) session is initiated using mstsc.exe. The Default.rdp file stores session configuration details such as the remote host address and screen settings. Unhiding this file is uncommon in normal user behavior and may indicate that an attacker or red team operator is attempting to access or manipulate RDP connection history that was previously hidden—either by default or as part of an earlier anti-forensics effort. This activity may represent part of a broader pattern of reconnaissance or staging for credential reuse, lateral movement, or forensic analysis evasion. Monitoring for this behavior can help uncover suspicious manipulation of user artifacts and highlight interactive attacker activity on a compromised host.","The following analytic detects the deletion of registry keys by non-critical processes. It leverages Endpoint Detection and Response (EDR) data, focusing on registry deletion events and correlating them with processes not typically associated with system or program files. This activity is significant as it may indicate malware, such as the Double Zero wiper, attempting to evade defenses or cause destructive payload impacts. 
If confirmed malicious, this behavior could lead to significant system damage, loss of critical configurations, and potential disruption of services.","The following analytic detects the use of the taskkill command in a process command line to terminate several known browser processes, a technique commonly employed by the Braodo stealer malware to steal credentials. By forcefully closing browsers like Chrome, Edge, and Firefox, the malware can unlock files that store sensitive information, such as passwords and login data. This detection focuses on identifying taskkill commands targeting these browsers, signaling malicious intent. Early detection allows security teams to investigate and prevent further credential theft and system compromise.","The following analytic detects the creation of a suspicious registry entry by Qakbot malware, characterized by 8 random registry value names with encrypted binary data. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the \"SOFTWARE\\\\Microsoft\\\\\" path by processes like explorer.exe. This activity is significant as it indicates potential Qakbot infection, which uses the registry to store malicious code or configuration data. If confirmed malicious, this could allow attackers to maintain persistence and execute arbitrary code on the compromised system.","The following analytic detects Microsoft Office applications dropping or creating executables or scripts on a Windows OS. It leverages process creation and file system events from the Endpoint data model to identify Office applications like Word or Excel generating files with extensions such as \".exe\", \".dll\", or \".ps1\". This behavior is significant as it is often associated with spear-phishing attacks where malicious files are dropped to compromise the host. 
If confirmed malicious, this activity could lead to code execution, privilege escalation, or persistent access, posing a severe threat to the environment.","The following analytic detects the creation of a DLL file by an outlook.exe process in the AppData\\Local\\Microsoft\\FORMS directory. This detection leverages data from the Endpoint.Processes and Endpoint.Filesystem datamodels, focusing on process and file creation events. This activity is significant as it may indicate an attempt to exploit CVE-2024-21378, where a custom MAPI form loads a potentially malicious DLL. If confirmed malicious, this could allow an attacker to execute arbitrary code, leading to further system compromise or data exfiltration.","The following analytic detects when a process running with low or medium integrity from a user account spawns an elevated process with high or system integrity in suspicious locations.\nThis behavior is identified using process execution data from Windows process monitoring.\nThis activity is significant as it may indicate a threat actor successfully elevating privileges, which is a common tactic in advanced attacks.\nIf confirmed malicious, this could allow the attacker to execute code with higher privileges, potentially leading to full system compromise and persistent access.","The following analytic detects any system integrity level process spawned by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity and parent user data. This behavior is significant as it often indicates successful privilege escalation to SYSTEM from a user-controlled process or service. 
If confirmed malicious, this activity could allow an attacker to gain full control over the system, execute arbitrary code, and potentially compromise the entire environment.","The following analytic detects when a process with low, medium, or high integrity spawns a system integrity process from a user-controlled location.\nThis behavior is indicative of privilege escalation attempts where attackers elevate their privileges to SYSTEM level from a user-controlled process or service.\nThe detection leverages Sysmon data, specifically Event ID 15, to identify such transitions.\nMonitoring this activity is crucial as it can signify an attacker gaining SYSTEM-level access, potentially leading to full control over the affected system, unauthorized access to sensitive data, and further malicious activities.","This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.","This detection identifies the execution of the Windows Remote Desktop Client (mstsc.exe) with the \"/v\" and /admin command-line arguments. The \"/v\" flag specifies the remote host to connect to, while the /admin flag initiates a connection to the target system’s console session, often used for administrative purposes. This combination may indicate that a user or attacker is performing privileged remote access, potentially to manage a system without disrupting existing user sessions. While such usage may be legitimate for IT administrators, it is less common in typical user behavior. Threat actors may abuse this capability during lateral movement to maintain stealthy access to high-value systems. 
Monitoring for this pattern can help detect interactive hands-on-keyboard activity, privilege abuse, or attempts to access critical infrastructure without leaving typical login traces associated with non-admin RDP sessions.","The following analytic identifies instances where the PowerShell executable has been renamed and executed under an alternate filename. This behavior is commonly associated with attempts to evade security controls or bypass logging mechanisms that monitor standard PowerShell usage. While rare in legitimate environments, renamed PowerShell binaries are frequently observed in malicious campaigns leveraging Living-off-the-Land Binaries (LOLBins) and fileless malware techniques. This detection flags executions of PowerShell where the process name does not match the default powershell.exe or pwsh.exe, especially when invoked from unusual paths or accompanied by suspicious command-line arguments.","This detection identifies instances where rundll32.exe is used to load a DLL from a temporary directory, such as C:\\Users\\<User>\\AppData\\Local\\Temp\\ or C:\\Windows\\Temp\\. While rundll32.exe is a legitimate Windows utility used to execute functions exported from DLLs, its use to load libraries from temporary locations is highly suspicious. These directories are commonly used by malware and red team tools to stage payloads or execute code in-memory without writing it to more persistent locations. This behavior often indicates defense evasion, initial access, or privilege escalation, especially when the DLL is unsigned, recently written, or executed shortly after download. In normal user workflows, DLLs are not typically loaded from Temp paths, making this a high-fidelity indicator of potentially malicious activity. 
Monitoring this pattern is essential for detecting threats that attempt to blend in with native system processes while bypassing traditional application controls.","The following analytic detects the execution of rundll32.exe with command-line arguments loading davclnt.dll and the davsetcookie function to access a remote WebDav instance. It uses data from Endpoint Detection and Response (EDR) agents, correlating process execution and network traffic data. This activity is significant as it may indicate exploitation of CVE-2023-23397, a known vulnerability. If confirmed malicious, this could allow an attacker to establish unauthorized remote connections, potentially leading to data exfiltration or further network compromise.","The following analytic detects when a process spawns an executable known for User Account Control (UAC) bypass exploitation and subsequently monitors for any child processes with a higher integrity level than the original process.\nThis detection leverages Sysmon EventID 1 data, focusing on process integrity levels and known UAC bypass executables.\nThis activity is significant as it may indicate an attacker has successfully used a UAC bypass exploit to escalate privileges.\nIf confirmed malicious, the attacker could gain elevated privileges, potentially leading to further system compromise and persistent access.","The following analytic detects instances of the 3CXDesktopApp.exe with a FileVersion of 18.12.x, leveraging Sysmon logs. This detection focuses on identifying vulnerable versions 18.12.407 and 18.12.416 of the 3CX desktop app. Monitoring this activity is crucial as these specific versions have known vulnerabilities that could be exploited by attackers. 
If confirmed malicious, exploitation of this vulnerability could lead to unauthorized access, code execution, or further compromise of the affected system, posing significant security risks.","The following analytic detects instances of Winlogon.exe, a critical Windows process, connecting to public IP addresses. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on network connections made by Winlogon.exe. Under normal circumstances, Winlogon.exe should not connect to public IPs, and such activity may indicate a compromise, such as the BlackLotus bootkit attack. This detection is significant as it highlights potential system integrity breaches. If confirmed malicious, attackers could maintain persistence, bypass security measures, and compromise the system at a fundamental level.","This analytic detects the use of WMIC to delete volume shadow copies, which is a common technique used by ransomware actors to prevent system recovery. Ransomware like Cactus often delete shadow copies before encrypting files to ensure victims cannot recover their data without paying the ransom. 
This behavior is particularly concerning as it indicates potential ransomware activity or malicious actors attempting to prevent system recovery.","Detects a typical pattern of a CobaltStrike BOF that injects into other processes","Detects process access requests from hacktool processes based on their default image name","Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles","Detects the process injection of a LittleCorporal generated Maldoc.","Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon","Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.","Detects LSASS process access requests from a source process with the \"dump\" keyword in its image name.","Detects process access requests to the LSASS process with specific call trace calls and access masks.\nThis behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.","Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.","Detects remote access to the LSASS process via WinRM. 
This could be a sign of credential dumping from tools like mimikatz.","Detects suspicious access to LSASS handle via a call trace to \"seclogon.dll\" with a suspicious access right.","Detects process access requests to LSASS process with potentially suspicious access flags","Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.","Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference","Detects process access request to uncommon target images with a \"PROCESS_ALL_ACCESS\" access mask.","Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.\nThese DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll,\ndbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.","Detects potential calls to NtOpenProcess directly from NTDLL.","Detects when a process tries to access the memory of svchost to potentially dump credentials.","Detects suspicious access to the \"svchost\" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.","Detects function calls from the EditionUpgradeManager COM interface. 
This interface is not used by standard executables.","Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)","Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques.\nThis technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.","Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access\nrights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in\npreparation for credential access.","Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate\nan attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.","Identifies access attempts to the LSASS handle; this may indicate an attempt to dump credentials from LSASS memory.","Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export\nthe MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.","Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are\nperformed by the same process and target two different instances of LSASS. This may indicate an attempt to evade\ndetection and dump LSASS memory for credential access.","Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook\nuserland Windows APIs in order to decide if the code that is being executed is malicious or not. 
It's possible to bypass\nhooked functions by writing malicious functions that call syscalls directly.","The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network.","The following analytic detects attempts to read LSASS memory, indicative of credential dumping. It leverages Sysmon EventCode 10, filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is significant because it suggests an attacker is trying to extract credentials from LSASS memory, potentially leading to unauthorized access, data breaches, and compromise of sensitive information. If confirmed malicious, this could enable attackers to escalate privileges, move laterally within the network, or exfiltrate data. Extensive triage is necessary to differentiate between malicious and benign activities.","The following analytic detects a process accessing the winlogon.exe system process, indicative of the Rubeus tool attempting to export Kerberos tickets from memory. This detection leverages Sysmon EventCode 10 logs, focusing on processes obtaining a handle to winlogon.exe with specific access rights. This activity is significant as it often precedes pass-the-ticket attacks, where adversaries use stolen Kerberos tickets to move laterally within an environment. 
If confirmed malicious, this could allow attackers to bypass normal access controls, escalate privileges, and persist within the network, posing a severe security risk.","The following analytic detects suspicious process access by spoolsv.exe, potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses critical system files or processes like rundll32.exe with elevated privileges. This activity is significant as it may signal an attempt to gain unauthorized privilege escalation on a vulnerable machine. If confirmed malicious, an attacker could achieve elevated privileges, leading to further system compromise, persistent access, or unauthorized control over the affected environment.","The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is significant because it is a common technique used by adversaries to escalate privileges by leveraging the high privileges and security tokens associated with winlogon.exe. If confirmed malicious, this could allow an attacker to gain elevated privileges, potentially leading to full system compromise and unauthorized access to sensitive information.","The following analytic detects a process attempting to duplicate the handle of winlogon.exe from an uncommon or public source path. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights and excluding common system paths. This activity is significant because it may indicate an adversary trying to escalate privileges by leveraging the high-privilege tokens associated with winlogon.exe. 
If confirmed malicious, this could allow the attacker to gain elevated access, potentially leading to full system compromise and persistent control over the affected host.","The following analytic detects suspicious handle duplication activity targeting known Windows utilities such as ComputerDefaults.exe, Eventvwr.exe, and others. This technique is commonly used to escalate privileges or bypass UAC by inheriting or injecting elevated tokens or handles. The detection focuses on non-standard use of DuplicateHandle or token duplication where process, thread, or token handles are copied into the context of trusted, signed utilities. Such behavior may indicate attempts to execute with elevated rights without user consent. Alerts enable rapid triage using process trees, handle data, token attributes, command-lines, and binary hashes.","The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized access to Lsass.exe can lead to credential theft, posing a severe security risk. If confirmed malicious, attackers could gain access to sensitive credentials, potentially leading to privilege escalation and further compromise of the environment.","The following analytic identifies non-SYSTEM accounts requesting access to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM users. This activity is significant as it may indicate credential dumping attempts or unauthorized access to sensitive credentials. If confirmed malicious, an attacker could potentially extract credentials from memory, leading to privilege escalation or lateral movement within the network. 
Immediate investigation is required to determine the legitimacy of the access request and to mitigate any potential threats.","The following analytic detects potential credential dumping by identifying specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS process. It leverages Sysmon EventCode 10 logs, focusing on access requests to lsass.exe and call traces involving debug and native API DLLs like dbgcore.dll, dbghelp.dll, and ntdll.dll. This activity is significant as credential dumping can lead to unauthorized access to sensitive credentials. If confirmed malicious, attackers could gain elevated privileges and persist within the environment, posing a severe security risk.","The following analytic detects process injection into executables that are commonly abused using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to processes such as notepad.exe, wordpad.exe and calc.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.","The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code within Notepad.exe. 
If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.","The following analytic detects a suspicious process attempting to terminate the Lsass.exe process. It leverages Sysmon EventCode 10 logs to identify processes granted PROCESS_TERMINATE access to Lsass.exe. This activity is significant because Lsass.exe is a critical process responsible for enforcing security policies and handling user credentials. If confirmed malicious, this behavior could indicate an attempt to perform credential dumping, privilege escalation, or evasion of security policies, potentially leading to unauthorized access and persistence within the environment.","The following analytic detects potential WMI token impersonation activities in a process or command. It leverages Sysmon EventCode 10 to identify instances where `wmiprvse.exe` has a duplicate handle or full granted access in a target process. This behavior is significant as it is commonly used by malware like Qakbot for privilege escalation or defense evasion. 
If confirmed malicious, this activity could allow an attacker to gain elevated privileges, evade defenses, and maintain persistence within the environment.","Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings, which contain sensitive information used to sign SAML tokens.","Detects the creation of a named pipe as used by CobaltStrike","Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles","Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles","Detects the pattern of a pipe name as used by the hack tool CoercedPotato","Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses \"SeImpersonate\" privilege.","Detects the pattern of a pipe name as used by the hack tool EfsPotato","Detects well-known credential dumping tools execution via specific named pipe creation","Detects creation of default named pipes used by the Koh tool","Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe","Detects the execution of PowerShell via the creation of a named pipe starting with PSHost","Detects default CSExec pipe creation","Detects PAExec default named pipe","Detects default RemCom pipe creation","Detects the WMI Event Consumer service scrcons.exe creating a named pipe","Detects the creation of a named pipe seen used by known APTs or malware.","Detects PsExec default pipe creation where the image executed is located in a suspicious location, which could indicate that the tool is being used in an attack","Identifies a privilege escalation attempt via rogue named pipe impersonation. 
An adversary may abuse this technique by\nmasquerading as a known named pipe and manipulating a privileged process to connect to it.","The following analytic detects the creation or connection to a named pipe associated with Trickbot malware. It leverages Sysmon EventCodes 17 and 18 to identify named pipes with the pattern \"\\\\pipe\\\\*lacesomepipe\". This activity is significant as Trickbot uses named pipes for communication with its command and control (C2) servers, facilitating data exfiltration and command execution. If confirmed malicious, this behavior could allow attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive information from the compromised system.","The following analytic detects the creation or connection of anonymous pipes for inter-process communication (IPC) within a Windows environment. Anonymous pipes are commonly used by legitimate system processes, services, and applications to transfer data between related processes. However, adversaries frequently abuse anonymous pipes to facilitate stealthy process injection, command-and-control (C2) communication, credential theft, or privilege escalation. This detection monitors for unusual anonymous pipe activity, particularly involving non-system processes, unsigned executables, or unexpected parent-child process relationships. While legitimate use cases exist—such as Windows services, software installers, or security tools—unusual or high-frequency anonymous pipe activity should be investigated for potential malware, persistence mechanisms, or lateral movement techniques.","The following analytic detects a suspicious process creating or connecting to a potential Qakbot named pipe. It leverages Sysmon EventCodes 17 and 18, focusing on specific processes known to be abused by Qakbot and identifying randomly generated named pipes in GUID form. 
This activity is significant as Qakbot malware uses named pipes for inter-process communication after code injection, facilitating data theft. If confirmed malicious, this behavior could indicate a Qakbot infection, leading to unauthorized data access and potential exfiltration from the compromised host.","The following analytic detects the wermgr.exe process creating or connecting to a named pipe. It leverages Sysmon EventCodes 17 and 18 to identify these actions. This activity is significant because wermgr.exe, a legitimate Windows OS Problem Reporting application, is often abused by malware such as Trickbot and Qakbot to execute malicious code. If confirmed malicious, this behavior could indicate that an attacker has injected code into wermgr.exe, potentially allowing them to communicate covertly, escalate privileges, or persist within the environment.","The following analytic detects the use of default or publicly known named pipes associated with the RMX remote admin tool. It leverages Sysmon EventCodes 17 and 18 to identify named pipe creation and connection events. This activity is significant as the RMX tool has been abused by adversaries and malware like Azorult to collect data from targeted hosts. If confirmed malicious, this could indicate unauthorized remote administration capabilities, leading to data exfiltration or further compromise of the affected system. 
Immediate investigation is required to determine the legitimacy of this tool's presence.","The following analytic detects the creation or connection to named pipes  used by potentially unwanted applications (PUAs) like VPNs or utilities like PsExec.\nIt leverages Sysmon EventCodes 17 and 18.\nIf confirmed malicious, this could allow an attacker to abuse these to potentially gain persistence, command and control, or further system compromise.","The following analytic detects the creation or connection to known suspicious named pipes, which is a technique often used by offensive tools.\nIt leverages Sysmon EventCodes 17 and 18 to identify  known default pipe names used by RMM tools.\nIf confirmed malicious,  this could allow an attacker to abuse these to potentially gain persistence, command and control, or further system compromise.","The following analytic detects the creation or connection to known suspicious C2 named pipes.\nIt leverages Sysmon EventCodes 17 and 18 to identify known default pipe names used by C2 tools.\nIf confirmed malicious, this could allow an attacker to abuse these to potentially gain persistence, command and control, or further system compromise.","The following analytic detects the creation or connection to known suspicious named pipes.\nIt leverages Sysmon EventCodes 17 and 18 to identify known default pipe names used by malicious or suspicious tools.\nIf confirmed malicious, this could allow an attacker to abuse these to potentially gain privilege escalation,\npersistence, c2 communications, or further system compromise.","Detects suspicious processes logging on with explicit credentials","The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly specifying account credentials. 
This detection is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.","The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.","This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.","This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.","Potential adversaries accessing the microphone and webcam in an endpoint.","Detects potential mimikatz-like tools accessing LSASS from non system account","Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host","Detects handles requested to SAM registry hive","Detects non-system users failing to get a handle of the SCM database.","Detects files that have extensions commonly seen while SDelete is used to wipe files.","Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN","Detects process handle on LSASS process with certain access mask","Detects handle requests and access operations to specific registry keys to calculate the SysKey","Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.","Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access\nmasks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool\nagnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz,\nComsvcs etc. 
It detects this behavior at a low level and does not depend on a specific tool or dump file name.","Detects the mount of an ISO image on an endpoint","Detects \"read access\" requests on the services registry key.\nAdversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.","Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.\nThe db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.\nSince the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the user's credentials.\nCurrently the rule only covers the default Signal installation path in AppData\\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.","Potential threat actor tampering with Sysmon manifest and eventually disabling it","Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.","The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability using Windows SACL EventCode 4663. It identifies path traversal attacks by monitoring file system events related to the ScreenConnect service. This activity is significant as it allows unauthorized access to sensitive files and directories, potentially leading to data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access to critical data or execute harmful code, compromising the integrity and security of the affected system. 
Immediate remediation by updating to version 23.9.8 or above is recommended.","The following analytic detects a non-Chrome process accessing files in the Chrome user default folder. It leverages Windows Security Event logs, specifically event code 4663, to identify unauthorized access attempts. This activity is significant because the Chrome default folder contains sensitive user data such as login credentials, browsing history, and cookies. If confirmed malicious, this behavior could indicate an attempt to exfiltrate sensitive information, often associated with RATs, trojans, and advanced persistent threats like FIN7. Such access could lead to data theft and further compromise of the affected system.","The following analytic detects non-Firefox processes accessing the Firefox profile directory, which contains sensitive user data such as login credentials, browsing history, and cookies. It leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant because it may indicate attempts by malware, such as RATs or trojans, to harvest user information. If confirmed malicious, this behavior could lead to data exfiltration, unauthorized access to user accounts, and further compromise of the affected system.","The following analytic detects attempts to access the SAM, SYSTEM, or SECURITY database files within the `windows\\system32\\config` directory using Windows Security EventCode 4663. This detection leverages Windows Security Event logs to identify unauthorized access attempts. Monitoring this activity is crucial as it indicates potential credential access attempts, possibly exploiting vulnerabilities like CVE-2021-36934. If confirmed malicious, an attacker could extract user passwords, leading to unauthorized access, privilege escalation, and further compromise of the system.","The following analytic identifies a possible non-common browser process accessing its browser user data profile. 
This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.","The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.","The following analytic detects non-Chrome processes accessing the Chrome \"Local State\" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.","The following analytic identifies non-Chrome processes accessing the Chrome user data file \"login data.\" This file is an SQLite database containing sensitive information, including saved passwords. 
The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.","This Analytic detects the execution of a process attempting to access the hosts file.\nThe hosts file is a critical file for network configuration and DNS resolution.\nIf an attacker gains access to it, they can redirect traffic to malicious websites, serve fake content or block legitimate security websites.","This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment.","The following analytic detects non-Discord applications accessing the Discord LevelDB database. It leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes other than Discord. This activity is significant as it may indicate attempts to steal Discord credentials or access sensitive user data. 
If confirmed malicious, this could lead to unauthorized access to user profiles, messages, and other critical information, potentially compromising the security and privacy of the affected users.","This Analytic detects the execution of a process attempting to access the registry for product key recovery purposes.\nThis behavior could be significant as it might indicate potential malware activity or attempts to bypass security measures or data exfiltration.","The following analytic detects a suspicious process accessing the registry entries for default internet browsers. It leverages Windows Security Event logs, specifically event code 4663, to identify access attempts to these registry paths. This activity is significant because adversaries can exploit this registry key to gather information about installed browsers and their settings, potentially leading to the theft of sensitive data such as login credentials and browsing history. If confirmed malicious, this behavior could enable attackers to exfiltrate sensitive information and compromise user accounts.","The following analytic detects an access request on the uninstall registry key. It leverages Windows Security Event logs, specifically event code 4663. This activity is significant because adversaries or malware can exploit this key to gather information about installed applications, aiding in further attacks. If confirmed malicious, this behavior could allow attackers to map out installed software, potentially identifying vulnerabilities or software to exploit, leading to further system compromise.","The following analytic detects unauthorized access to Outlook credentials stored in the Windows registry. It leverages Windows Security Event logs, specifically EventCode 4663, to identify access attempts to registry paths associated with Outlook profiles. This activity is significant as it may indicate attempts to steal sensitive email credentials, which could lead to unauthorized access to email accounts. 
If confirmed malicious, this could allow attackers to exfiltrate sensitive information, impersonate users, or execute further unauthorized actions within Outlook, posing a significant security risk.","The following analytic identifies processes accessing FileZilla XML config files such as recentservers.xml and sitemanager.xml. It leverages Windows Security Event logs, specifically monitoring EventCode 4663, which tracks object access events. This activity is significant because it can indicate unauthorized access or manipulation of sensitive configuration files used by FileZilla, a popular FTP client. If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.","The following analytic identifies processes accessing Intelliform Storage Registry keys used by Internet Explorer. It leverages Windows Security Event logs, specifically monitoring EventCode 4663, which tracks object access events. This activity is significant because it can indicate unauthorized access or manipulation of sensitive registry keys used for storing form data in Internet Explorer. If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.","Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.","The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN) \"RestrictedKrbHost\". This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify such activities. This behavior is significant as it may indicate an attempt to establish unauthorized Kerberos authentication channels, potentially leading to lateral movement or privilege escalation. 
If confirmed malicious, this activity could allow an attacker to impersonate services, access sensitive information, or maintain persistence within the network.","The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources.","Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17), i.e., RC4-HMAC.\nThis may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.","Detect suspicious Kerberos TGT requests.\nOnce an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.","Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.","The following analytic detects a Kerberos Ticket Granting Ticket (TGT) request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. 
This encryption type is outdated and its presence may indicate an OverPass The Hash attack. Monitoring this activity is crucial as it can signify credential theft, allowing adversaries to authenticate to the Key Distribution Center (KDC) using a stolen NTLM hash. If confirmed malicious, this could enable unauthorized access to systems and resources, potentially leading to lateral movement and further compromise within the network.","The following analytic detects an unusual number of Kerberos Ticket Granting Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages Event ID 4768 and identifies anomalies using the 3-sigma statistical rule. This behavior is significant as it may indicate an adversary performing a user enumeration attack against Active Directory. If confirmed malicious, the attacker could validate a list of usernames, potentially leading to further attacks such as brute force or credential stuffing, compromising the security of the environment.","The following analytic detects a suspicious Kerberos Ticket Granting Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam). This activity is significant as it can signal an attacker leveraging a compromised certificate to request Kerberos tickets, potentially leading to unauthorized access. If confirmed malicious, this could allow attackers to escalate privileges and persist within the environment, posing a severe security risk.","The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. 
This activity is significant because it may indicate the use of tools like KrbRelayUp or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.","The following analytic detects a single source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. It leverages Windows Security Event 4768, focusing on failure code `0x12`, indicating revoked credentials. This activity is significant as it may indicate a Password Spraying attack targeting disabled accounts, a tactic used by adversaries to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a severe security risk.","The following analytic identifies a source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This detection leverages EventCode 4768, specifically looking for failure code 0x6, indicating the user is not found in the Kerberos database. This activity is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a significant security risk.","The following analytic detects when a suspicious certificate with a Subject Alternative Name (SAN) is issued using Active Directory Certificate Services (AD CS) and then immediately used for authentication. This detection leverages Windows Security Event Logs, specifically EventCode 4887, to identify the issuance and subsequent use of the certificate. 
This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain unauthorized access, escalate privileges, and potentially compromise the entire environment.","The following analytic identifies a source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. It leverages EventCode 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code `0x12` (credentials revoked). This behavior is significant as it may indicate a Password Spraying attack targeting disabled accounts, potentially leading to initial access or privilege escalation. If confirmed malicious, attackers could gain unauthorized access or elevate privileges within the Active Directory environment.","The following analytic identifies a source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. It leverages Event ID 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code 0x6, indicating the user is not found in the Kerberos database. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. 
If confirmed malicious, this activity could lead to unauthorized access and potential privilege escalation within the Active Directory environment.","This rule will collect the data needed to start looking into possible kerberoasting activity.\nFurther analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.\nYou can then set a threshold for the number of requests and time between the requests to turn this into an alert.","Detects service ticket requests using RC4 encryption type","The following analytic detects potential Kerberoasting attacks by identifying Kerberos service ticket requests with RC4 encryption through Event ID 4769. It leverages specific Ticket_Options values commonly used by Kerberoasting tools. This activity is significant as Kerberoasting allows attackers to request service tickets for domain accounts, typically service accounts, and crack them offline to gain privileged access. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the Active Directory environment.","The following analytic detects Kerberos service ticket requests using RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential Golden Ticket attacks, where adversaries forge Kerberos Ticket Granting Tickets (TGTs) using the Krbtgt account NTLM password hash to gain unrestricted access to an Active Directory environment. Monitoring for RC4 encryption usage is significant as it is rare in modern networks, indicating possible malicious activity. If confirmed malicious, attackers could move laterally and execute code on remote systems, compromising the entire network. 
Note: This detection may be bypassed if attackers use the AES key instead of the NTLM hash.","The following analytic detects suspicious Kerberos Service Ticket (TGS) requests where the requesting account name matches the service name, potentially indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This detection leverages Event ID 4769 from Domain Controller and Kerberos events. Such activity is significant as it may represent an adversary attempting to escalate privileges by impersonating a domain controller. If confirmed malicious, this could allow an attacker to take control of the domain controller, leading to complete domain compromise and unauthorized access to sensitive information.","The following analytic identifies an unusual number of computer service ticket requests from a single source, leveraging Event ID 4769, \"A Kerberos service ticket was requested.\" It uses statistical analysis, including standard deviation and the 3-sigma rule, to detect anomalies in service ticket requests. This activity is significant as it may indicate malicious behavior such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, facilitating further compromise and potential data exfiltration.","The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. 
If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.","The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, focusing on requests with computer names as the Service Name. This behavior is significant as it may indicate malicious activities such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network.","The following analytic identifies a single source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. It leverages EventCode 4771 with Status 0x18, indicating wrong password attempts, and aggregates these events over a 5-minute window. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.","The following analytic identifies a source endpoint failing to authenticate multiple valid users using the Kerberos protocol, potentially indicating a Password Spraying attack. It leverages Event 4771, which is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT) due to a wrong password (failure code 0x18). This detection uses statistical analysis, specifically the 3-sigma rule, to identify unusual authentication failures. 
If confirmed malicious, this activity could allow an attacker to gain initial access or elevate privileges within an Active Directory environment.","The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which indicates non-existent usernames. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the Active Directory environment.","The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates a bad password. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access to sensitive information or further compromise of the Active Directory environment.","The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. 
This detection is focused on domain controllers.","The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the standard deviation for each host and applying the 3-sigma rule to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access and potential lateral movement within the network.","Detects access to ADMIN$ network share","The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed by adversaries for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to propagate malware, such as IcedID, across the network, leading to widespread infection and potential data breaches.","Detects creation of WMI event subscription persistence method","Detects suspicious encoded payloads in WMI Event Consumers","Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers","The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect the creation of WMI EventFilters, EventConsumers, and FilterToConsumerBindings. 
This activity is significant as it may indicate an attacker setting up mechanisms to execute code with elevated SYSTEM privileges when specific events occur. If confirmed malicious, this could allow the attacker to maintain persistence, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.","Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement","Detects the use of smbexec.py tool by detecting a specific service installation","Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references","Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)","Detects well-known credential dumping tools execution via service execution events","Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation","Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report","Detects powershell script installed as a Service","Detects the installation of the anydesk software service, which could be an indication of anydesk abuse if the software isn't already used.","Detects CSExec service installation and execution events","Detects installation or execution of services","Detects a Mesh Agent service installation. 
Mesh Agent is used to remotely manage computers","Detects NetSupport Manager service installation on the target system.","Detects PAExec service installation","Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines","Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1","Detects a ProcessHacker tool that elevated privileges to a very high level","Detects RemCom service installation and execution events","Detects service installation of different remote access tools software. These software are often abused by threat actors to perform","Detects Remote Utilities Host service installation on the target system.","Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands","Detects a service installed by a client which has PID 0 or whose parent has PID 0","Detects suspicious service installation commands","Detects PsExec service installation and execution events","Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.","Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques","Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.","Detects the installation of RTCore service. 
Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse","Detects service installation in suspicious folder appdata","Detects service installation with suspicious folder patterns","Detects suspicious service installation scripts","Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run\nas SYSTEM and can be used for privilege escalation and persistence.","The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for specific service names (\"SecurityCenterIBM\", \"WinCheckDRVs\"). This activity is significant because the creation of such services is a common tactic used by ransomware to maintain control over infected systems. If confirmed malicious, this could allow attackers to execute code with elevated privileges, maintain persistence, and potentially disrupt or encrypt critical data.","The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.","The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk application to identify services with random names. 
This behavior is significant as adversaries often use randomly named services for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.","Identifies the creation of a Windows service named \"BluetoothService\" with a binary path in user-writable directories, particularly %AppData%\\Bluetooth.\nThis technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers created a service named \"BluetoothService\" pointing to a malicious binary (renamed Bitdefender Submission Wizard) in a hidden AppData directory.\nWhile legitimate Bluetooth services exist in Windows, they are system services with binaries in System32.\nAny BluetoothService created with a binary path in user directories (AppData, Temp, Downloads) is highly suspicious and indicates potential malware persistence.","The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity is significant because adversaries may use these non-standard paths to load malicious or vulnerable drivers, potentially bypassing security controls. If confirmed malicious, this could allow attackers to execute code at the kernel level, escalate privileges, or maintain persistence within the environment, posing a severe threat to system integrity and security.","The following analytic detects the creation of a service with the default name \"KrbSCM\" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is significant as KrbRelayUp is a known tool used for privilege escalation attacks. 
If confirmed malicious, this activity could allow an attacker to escalate privileges, potentially gaining unauthorized access to sensitive systems and data.","The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the \"RemCom Service\" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network.","The following analytic detects the creation of a Windows service named \"Sliver\" with the description \"Sliver Implant,\" indicative of SliverC2 lateral movement using the PsExec module. It leverages Windows EventCode 7045 from the System Event log to identify this activity. This behavior is significant as it may indicate an adversary's attempt to establish persistence or execute commands remotely. If confirmed malicious, this activity could allow attackers to maintain control over the compromised system, execute arbitrary code, and further infiltrate the network.","The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. 
If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.","The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify services installed outside typical system directories. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.","The following analytic detects the creation of a new service named WerFaultSvc with a binary path in the Windows WinSxS directory. It leverages Windows System logs, specifically EventCode 7045, to identify this activity. This behavior is significant because it indicates the presence of Snake malware, which uses this service to maintain persistence by blending in with legitimate Windows services. If confirmed malicious, this activity could allow an attacker to execute Snake malware components, leading to potential data exfiltration, system compromise, and long-term persistence within the environment.","The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Windows System service install EventCode 7045 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. 
If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration. This detection is a Windows Event Log adaptation of the Sysmon driver loaded detection written by Michael Haag.","The following analytic detects a user authenticating with special privileges on 30 or more remote endpoints within a 5-minute window. It leverages Event ID 4672 from Windows Security logs to identify this behavior. This activity is significant as it may indicate lateral movement or remote code execution by an adversary. If confirmed malicious, the attacker could gain extensive control over the network, potentially leading to privilege escalation, data exfiltration, or further compromise of the environment. Security teams should adjust detection thresholds based on their specific environment.","Detects non-system users performing privileged operations on the SCM database","Identifies attempts to use the SeIncreaseBasePriorityPrivilege privilege by an unusual process. This could be related to\nhijacking the execution flow of a process via thread priority manipulation.","Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.","Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The\nSeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. 
Attackers can\nabuse this right to compromise Active Directory accounts and elevate their privileges.","This analytic detects modifications to privileged groups in Active Directory, including addition, creation, deletion, and changes to various types of groups such as local, global, universal, and LDAP query groups.\nIt specifically monitors for changes to high-privilege groups like \"Administrators\", \"Domain Admins\", \"Enterprise Admins\", and \"ESX Admins\", among others.\nThis detection is particularly relevant in the context of potential exploitation of vulnerabilities like the VMware ESXi Active Directory Integration Authentication Bypass (CVE-2024-37085), where attackers may attempt to manipulate privileged groups to gain unauthorized access to systems.","Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts","The following analytic detects suspicious raw access reads to the device disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify processes attempting to read or write to the boot sector, excluding legitimate system processes. This activity is significant as it is commonly associated with destructive actions by adversaries, such as wiping, encrypting, or overwriting the boot sector, as seen in attacks involving malware like HermeticWiper. If confirmed malicious, this behavior could lead to severe impacts, including system inoperability, data loss, or compromised boot integrity.","The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify processes attempting to read or write to the MBR sector, excluding legitimate system processes. This activity is significant because adversaries often target the MBR to wipe, encrypt, or overwrite it as part of their impact payload. 
If confirmed malicious, this could lead to system instability, data loss, or a complete system compromise, severely impacting the organization's operations.","Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash","Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers","Detects the download of suspicious file type from a well-known file and paste sharing domain","Detects the creation of a named file stream with the imphash of a well-known hack tool","Exports the target Registry key and hides it in the specified alternate data stream.","Detects the download of suspicious file type from URLs with IP","Detects potential suspicious winget package installation from a suspicious source.","Detects the download of a file with a potentially suspicious extension from a .zip top level domain.","The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network.","The following analytic detects the creation of Alternate Data Streams (ADS) with Base64 content on Windows systems. It leverages Sysmon EventID 15, which captures file creation events, including the content of named streams. ADS can conceal malicious payloads, making them significant for SOC monitoring. This detection identifies hidden streams that may contain executables, scripts, or configuration data, often used by malware to evade detection. 
If confirmed malicious, this activity could allow attackers to hide and execute payloads, persist in the environment, or access sensitive information without being easily detected.","The following analytic detects the writing of data with an IMPHASH value to an Alternate Data Stream (ADS) in the NTFS file system. It leverages Sysmon Event ID 15 and regex to identify files with a Portable Executable (PE) structure. This activity is significant as it may indicate a threat actor staging malicious code in hidden areas for persistence or future execution. If confirmed malicious, this could allow attackers to execute hidden code, maintain persistence, or escalate privileges within the environment.","Detects potential installation or installation attempts of known malicious appx packages","Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions","The following analytic detects the installation of MSIX/AppX packages with full trust privileges. This detection leverages Windows event logs from the AppXDeployment-Server, specifically focusing on EventCode 400 which indicates a package deployment operation. Full trust packages are significant as they run with elevated privileges outside the normal AppX container restrictions, allowing them to access system resources that regular AppX packages cannot. Adversaries have been observed leveraging full trust MSIX packages to deliver malware, as documented in recent threat intelligence reports. If confirmed malicious, these packages could allow attackers to execute arbitrary code with elevated privileges, establish persistence, or deliver malware while evading traditional detection mechanisms.","Detects the clearing of one of the Windows Core Eventlogs. e.g. 
caused by \"wevtutil cl\" command execution","Rule to detect the Hybrid Connection Manager service installation.","Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation","Detects Windows Pcap driver installation based on a list of associated .sys files.","Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.","Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator\nprivileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from\nadministrator to SYSTEM.","Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may\nenable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate\nprivileges and bypass access controls.","The following analytic detects a process enabling the \"SeDebugPrivilege\" privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering out common legitimate processes. This activity is significant because SeDebugPrivilege allows a process to inspect and modify the memory of other processes, potentially leading to credential dumping or code injection. If confirmed malicious, an attacker could gain extensive control over system processes, enabling them to escalate privileges, persist in the environment, or access sensitive information.","Detects the creation of a local hidden user account which should not happen for event ID 4720.","Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as a covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.","Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.","The following analytic detects the rapid creation and deletion of Windows accounts within a short time frame of 1 hour. It leverages the \"Change\" data model in Splunk, specifically monitoring events with result IDs 4720 (account creation) and 4726 (account deletion). This behavior is significant as it may indicate an attacker attempting to create and remove accounts quickly to evade detection or gain unauthorized access. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further malicious actions within the environment. Immediate investigation of flagged events is crucial to mitigate potential damage.","The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.","Detects activity when a security-enabled global group is deleted","This analytic detects creation, deletion, or modification of the \"ESX Admins\" group in Active Directory. 
These events may indicate attempts to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085).","Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.\nAdversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.","Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint\nsecurity software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.","Detects a network connection initiated by the Add-In deployment cache updating utility \"AddInutil.exe\".\nThis could indicate a potential command and control communication as this tool doesn't usually initiate network activity.","Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.","Detects a network connection initiated by the certutil.exe utility.\nAttackers can abuse the utility in order to download malware or additional payloads.","Detects a network connection initiated by Cmstp.EXE\nIts uncommon for \"cmstp.exe\" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.","Detects outbound network connection initiated by Microsoft Dialer.\nThe Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. 
Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.\nThis is an outdated process in the current context of its usage and is a common target for info stealers for process injection, and is used to make C2 connections; a common example is \"Rhadamanthys\"","Detects an initiated network connection by a non browser process on the system to \"azurewebsites.net\". The latter was often used by threat actors as a malware hosting and exfiltration site.","Detects network connections to BTunnels domains initiated by a process on the system.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.","Detects network connections to Cloudflared tunnels domains initiated by a process on the system.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.","Detects initiated network connections to crypto mining pools","Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.\nIn this context attackers leverage known websites such as \"facebook\", \"youtube\", etc., in order to pass through undetected.","Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.","Detects an executable that isn't dropbox but communicates with the Dropbox API","Detects external IP address lookups by non-browser processes via services such as \"api.ipify.org\". 
This could be indicative of potential post compromise internet test activity.","Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)","Detects an executable initiating a network connection to \"LocaltoNet\" tunneling sub-domains.\nLocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.\nAttackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.","Detects a network connection initiated by a binary to \"api.mega.co.nz\".\nAttackers were seen abusing file sharing websites similar to \"mega.nz\" in order to upload/download additional payloads.","Detects an executable initiating a network connection to \"ngrok\" domains.\nAttackers were seen using this \"ngrok\" in order to store their second stage payloads and malware.\nWhile communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.","Detects an executable initiating a network connection to \"ngrok\" tunneling domains.\nAttackers were seen using this \"ngrok\" in order to store their second stage payloads and malware.\nWhile communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.","Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as \"OffensiveNotion C2\"","Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors","Detects a non-browser process interacting with the Telegram API which could indicate use of a covert C2","Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. 
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.","Detects network connections from the Equation Editor process \"eqnedt32.exe\".","Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.\nIn one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.\nSince the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.\nInvestigating such network connections can also help identify potential malicious infrastructure used by threat actors","Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.","Detects a network connection that is initiated by the \"notepad.exe\" process.\nThis might be a sign of process injection from a beacon process or something similar.\nNotepad rarely initiates a network communication except when printing documents for example.","Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address.\nThis rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.\nThis rule will require an initial baseline and tuning that is specific to your organization.","Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.","Detects a Python process initiating a network connection. 
While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.","Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.\nAn initial baseline is required before using this utility to exclude third party RDP tooling that you might use.","Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389","Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443","Detects \"RegAsm.exe\" initiating a network connection to public IP addresses","Detects a network connection initiated by \"Regsvr32.exe\"","Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.","Detects a rundll32 that communicates with public IP addresses","Detects possible remote connections to Silenttrinity c2","Detects suspicious network connections made by a well-known Windows binary run with no command line parameters","Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.","Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.","Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases","Detects programs that connect to uncommon destination ports","Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.","Detects suspicious connections from Microsoft Sync Center to non-private IPs.","Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network 
location from the main command and control server.","Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.\nThis could potentially indicates a remote PowerShell connection.","Detects a \"winlogon.exe\" process that initiate network communications with public IP addresses","Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.","Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.","Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.","Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.","The following analytic detects the execution of regasm.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior. This activity is significant as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass application control mechanisms. If confirmed malicious, this behavior could indicate an adversary's attempt to establish a remote Command and Control (C2) channel, potentially leading to privilege escalation and further malicious actions within the environment.","The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to monitor network connections initiated by Regsvcs.exe. 
This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, can be exploited to bypass application control mechanisms and establish remote Command and Control (C2) channels. If confirmed malicious, this behavior could allow an attacker to escalate privileges, persist in the environment, and exfiltrate sensitive data. Immediate investigation and remediation are recommended.","The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.","The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and destination ports. This activity is significant as ADWS is used to manage Active Directory, and unauthorized access could indicate malicious intent. If confirmed malicious, an attacker could manipulate Active Directory, potentially leading to privilege escalation, unauthorized access, or persistent control over the environment.","The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. 
This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation.","The following analytic detects FTP connections initiated by processes located in non-standard installation paths on Windows systems. It leverages Sysmon EventCode 3 to identify network connections where the process image path does not match common directories like \"Program Files\" or \"Windows\\System32\". This activity is significant as FTP is often used by adversaries and malware, such as AgentTesla, for Command and Control (C2) communications to exfiltrate stolen data. If confirmed malicious, this could lead to unauthorized data transfer, exposing sensitive information and compromising the integrity of the affected host.","The following analytic detects a Windows application establishing an SMTP connection from a non-common installation path. It leverages Sysmon EventCode 3 to identify processes not typically associated with email clients (e.g., Thunderbird, Outlook) making SMTP connections. This activity is significant as adversaries, including malware like AgentTesla, use such connections for Command and Control (C2) communication to exfiltrate stolen data. If confirmed malicious, this behavior could lead to unauthorized data exfiltration, including sensitive information like desktop screenshots, browser data, and system details, compromising the affected host.","The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. 
If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.","The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity.","Detects the creation of an \"Active Directory Schema Cache File\" (.sch) file by an uncommon tool.","Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)","Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS\nserver, creates a file with suspicious file type, indicating that it may be an executable, script file,\nor otherwise unusual.","Detects the creation of new DLL assembly files by \"aspnet_compiler.exe\", which could be a sign of \"aspnet_compiler\" abuse to proxy execution through a build provider.","Detects default file names outputted by the BloodHound collection tool SharpHound","Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.\nThe ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.\nWhile legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.","Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.","Detects creation of specific system DLL files that are  usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.\nPhantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.\nThus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.","Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.\nThis behavior may indicate an attempt to execute remotely 
hosted, potentially malicious files through deno.","Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.","Detects the creation of a file with the \".dll\" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outside of \"System32\", \"SysWOW64\", etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.","Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.","Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.","Files with well-known filenames (parts of credential dump software or files produced by them) creation","Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe","Detects default CSExec service filename which indicates CSExec service installation and execution","When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution","Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network","Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.","Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack","Detects the creation of a file with the \".dmp\"/\".hdmp\" extension by a shell or scripting application such as \"cmd\", \"powershell\", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.","Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.","Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder","Detects suspicious file type dropped by an Exchange component in IIS","Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.\nThis could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.","Detects file creation events with filename patterns used by CrackMapExec.","Detects the creation of the default dump file used by Outflank Dumpert tool. 
A process dumper, which dumps the lsass process memory","Detects files written by the different tools that exploit HiveNightmare","Detects the presence and execution of Inveigh via dropped artefacts","Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.","Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.","Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.\nNetExec is a PyInstaller-bundled binary that extracts its embedded data files to a \"_MEI<random>\" directory\nunder the Temp folder upon execution. Files dropped under the \"\\nxc\\\" sub-directory of that\nextraction path are unique to NetExec and serve as reliable on-disk indicators of execution.\nNetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for\nActive Directory enumeration, credential harvesting, and remote code execution.","Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file","Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).","Detects a dump file written by QuarksPwDump password dumper","Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.","Detects default lsass dump filename generated by SafetyKatz.","Detects file creation events with filename patterns used by Impacket.","Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. 
This may indicate an attempt to load a malicious module via DLL search order hijacking.","TeamViewer_Desktop.exe is created during install","Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (\"iphlpapi.dll\") is sideloaded","Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.","Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.","Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".","Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.","Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.","Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials","Detects javaw.exe in AppData folder as used by Adwind / JRAT","Detects Octopus Scanner Malware.","Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities","Detects the creation of files with scripting or executable extensions by Mysql daemon.\nWhich could be an indicator of \"User Defined Functions\" abuse to download malware.","Detects the creation of Usage Log files by the CLR (clr.dll). 
These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.","Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Roaming, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs","Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.","Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". Which could indicate possible persistence","Detects creation of a file named \"ntds.dit\" (Active Directory Database)","Detects creation of a file named \"ntds.dit\" (Active Directory Database) by an uncommon parent process or directory","Detects creation of a file named \"ntds.dit\" (Active Directory Database) by an uncommon process or a process located in a suspicious directory","Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.","Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).","Detects the creation of a new office macro files on the systems","Detects the creation of a new office macro files on the system via an application (browser, mail client).\nThis can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.","Detects the creation of an office macro file from a suspicious process","Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. 
This could be a sign of attackers abusing OneNote attachments","Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild","Detects the creation of a macro file for Outlook.","Detects the creation of a new Outlook form which can contain malicious code","Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.\nThis can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.","Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents","Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.","Detects the creation of files with an executable or script extension by an Office application.","Detects the creation of a file with an uncommon extension in an Office application startup folder","Detects processes creating temp files related to PCRE.NET package","Detects suspicious file based on their extension being created in \"C:\\PerfLogs\\\". Note that this directory mostly contains \".etl\" files","Detects PowerShell creating a binary executable or a script file.","Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.","Detects the creation of known offensive powershell scripts used for exploitation","Detects the creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc.","Detects the creation of a new PowerShell module in the first folder of the module directory structure \"\\WindowsPowerShell\\Modules\\malware\\malware.psm1\". 
This is somewhat an uncommon practice as legitimate modules often includes a version folder.","Detects the creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. by a non-PowerShell process","Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"","Detects the creation of the \"PSScriptPolicyTest\" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.","Detects Rclone config files being created","Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.","Detects files dropped by Winnti as described in RedMimicry Winnti playbook","Detects the creation of a file with the \".pdf\" extension by the \"RegEdit.exe\" process.\nThis indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.","Detects default RemCom service filename which indicates RemCom service installation and execution","Detects the creation of files in a specific location by ScreenConnect RMM.\nScreenConnect has feature to remotely execute binaries on a target machine. 
These binaries will be dropped to \":\\Users\\<username>\\Documents\\ConnectWiseControl\\Temp\\\" before execution.","Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.","Detects the creation of files that look like exports of the local SAM (Security Account Manager)","Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.\nThese files are used by the \"iexpress.exe\" utility in order to create self extracting packages.\nAttackers were seen abusing this utility and creating PE files with embedded \".sed\" entries.","Detects Windows shells and scripting applications that write files to suspicious folders","Detects Windows executables that write files with suspicious extensions","A General detection for files being created in the Windows startup directory. 
This could be an indicator of persistence.","Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\","This rule detects suspicious files created by Microsoft Sync Center (mobsync)","Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder","Ransomware create txt file in the user Desktop","Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension","Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)","Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.","Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.","Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation","Detect creation of suspicious executable file names.\nSome strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.","Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.\nThis may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.","Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.\nThis behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.","Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable 
command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.","Detects the creation of hidden file/folder with the \"::$index_allocation\" stream. Which can be used as a technique to prevent access to folder and files from tooling such as \"explorer.exe\" and \"powershell.exe\"","Detects programs on a Windows system that should not write an archive to disk","Detects programs on a Windows system that should not write executables to disk","Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.\nAdversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.","Detects programs on a Windows system that should not write scripts to disk","Detects the creation of files with an \"LNK\" as a second extension. 
This is sometimes used by malware as a method to abuse the fact that Windows hides the \"LNK\" extension by default.","Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence","Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.","Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.","Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware","Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.","Detects the creation of suspicious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below","Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.\nThese files (.ps1, .vbs, .js, .bat, etc.) 
are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.\nThis technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.","Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context","Detects the creation of tasks from processes executed from suspicious locations","Detects the creation of log files during a TeamViewer remote session","Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence","Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.","Detects the creation or modification of the Windows Terminal Profile settings file \"settings.json\" by an uncommon process.","Detects the creation of binaries in the WinSxS folder by non-system processes","Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. 
The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.","Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.","Detects the creation of the LiveKD driver, which is used for live kernel debugging","Detects the creation of the LiveKD driver by a process image other than \"livekd.exe\".","Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.\nHack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.","Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.","Detects default PsExec service filename which indicates PsExec service installation and execution","Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system","Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"","Detects the creation of an \"lsass.dmp\" file by the taskmgr process. 
This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.","Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder","Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)","Detects the pattern of a UAC bypass using Windows Event Viewer","Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique","Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.","Detects the creation of file by the \"node.exe\" process in the \".vscode-server\" directory. Could be a sign of remote file creation via VsCode tunnel feature","Detects the creation of a file with the name \"code_tunnel.json\" which indicate execution and usage of VsCode tunneling utility by an \"Image\" or \"Process\" other than VsCode.","Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.","Detects the creation of a file named \"WerFault.exe\" or \"wer.dll\" in an uncommon folder, which could be a sign of WerFault DLL hijacking.","Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.\nThis kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.","Detects file writes of WMI script event consumer","Detects the creation of the default output filename used by the wmiexec tool","Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. 
Which could be indicative of UEFI based persistence method","Adversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.","The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in \"C:\\Users\\*\\My Documents\\Outlook Files\\*\" or \"C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*\". This activity is significant as it may indicate data exfiltration or unauthorized access to email data. If confirmed malicious, an attacker could potentially access sensitive email content, leading to data breaches or further exploitation within the network.","The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.","The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This activity is significant because it suggests an attacker is attempting to encrypt or alter files, potentially leading to severe data loss and operational disruption. 
If confirmed malicious, this activity could result in the encryption of critical data, rendering it inaccessible and causing significant damage to the organization's data integrity and availability.","The following analytic detects the creation of files with names commonly associated with ransomware notes.\nIt leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and response (EDR) tools or Sysmon logs.\nThis activity is significant because ransomware notes indicate a potential ransomware attack, which can lead to data encryption and extortion.\nIf confirmed malicious, this activity could result in significant data loss, operational disruption, and financial impact due to ransom demands.\nNote that this analytic relies on a lookup table (ransomware_notes_lookup) that contains known ransomware note file names.\nEnsure that this lookup table is regularly updated to include new ransomware note file names as they are identified in the threat landscape.\nAlso this analytic leverages a sub-search to enhance performance. sub-searches have limitations on the amount of data they can return. Keep this in mind if you have an extensive list of ransomware note file names.","The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating file_path and file_name parameters in the URL. It leverages the Endpoint datamodel Filesystem node to identify suspicious file system events, specifically targeting paths and filenames associated with ScreenConnect. This activity is significant as it can lead to unauthorized access to sensitive files and directories, potentially resulting in data exfiltration or arbitrary code execution. 
If confirmed malicious, attackers could gain unauthorized access and control over the host system, posing a severe security risk.","The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches *lsass*.dmp. This activity is significant because creating an lsass dump can be a precursor to credential theft, as the dump file contains sensitive information such as user passwords. If confirmed malicious, an attacker could use the lsass dump to extract credentials and escalate privileges, potentially compromising the entire network.","The following analytic detects the creation of specific AzureHound-related files, such as `*-azurecollection.zip` and various `.json` files, on disk. It leverages data from the Endpoint.Filesystem datamodel, focusing on file creation events with specific filenames. This activity is significant because AzureHound is a tool used to gather information about Azure environments, similar to SharpHound for on-premises Active Directory. If confirmed malicious, this activity could indicate an attacker is collecting sensitive Azure environment data, potentially leading to further exploitation or privilege escalation within the cloud infrastructure.","The following analytic detects the use of the Certipy tool to enumerate Active Directory Certificate Services (AD CS) environments by identifying unique file modifications. It leverages endpoint process and filesystem data to spot the creation of files with specific names or extensions associated with Certipy's information gathering and exfiltration activities. This activity is significant as it indicates potential reconnaissance and data exfiltration efforts by an attacker. 
If confirmed malicious, this could lead to unauthorized access to sensitive AD CS information, enabling further attacks or privilege escalation within the network.","The following analytic identifies the creation of suspicious .aspx files in known drop locations for Exchange exploitation, specifically targeting paths associated with HAFNIUM group and vulnerabilities like ProxyShell and ProxyNotShell. It leverages data from the Endpoint datamodel, focusing on process and filesystem events. This activity is significant as it may indicate a web shell deployment, a common method for persistent access and remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary commands, and potentially escalate privileges within the Exchange environment.","The following analytic detects the writing of files from known remote access software to disk within the environment.\nIt leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user information.\nThis activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access.\nIf confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration, further compromise, or complete control over affected systems.\nIt is best to update both the remote_access_software_usage_exception.csv lookup and the remote_access_software lookup with any known or approved remote access software to reduce false positives and increase coverage.\nIn order to enhance performance, the detection filters for specific file names / extensions that are used in the remote_access_software lookup.\nIf you add additional entries, consider updating the search filters to include those file names / extensions as well, if not already covered.","The following analytic identifies the use of the right-to-left override\n(RTLO) character in file names. 
It leverages data from the Endpoint.Filesystem datamodel,\nspecifically focusing on file creation events and file names containing the RTLO\ncharacter (U+202E). This activity is significant because adversaries use RTLO to\ndisguise malicious files as benign by reversing the text that follows the character.\nIf confirmed malicious, this technique can deceive users and security tools, leading\nto the execution of harmful files and potential system compromise.","The following analytic detects the creation of files typically associated with SharpHound, a reconnaissance tool used for gathering domain and trust data. It leverages file modification events from the Endpoint.Filesystem data model, focusing on default file naming patterns like `*_BloodHound.zip` and various JSON files. This activity is significant as it indicates potential domain enumeration, which is a precursor to more targeted attacks. If confirmed malicious, an attacker could gain detailed insights into the domain structure, facilitating lateral movement and privilege escalation.","The following analytic detects the dropping of a suspicious file named \"license.dat\" in %appdata% or %programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor file creation events in these directories. This activity is significant as it indicates a potential malware infection aiming to steal sensitive banking information. 
If confirmed malicious, the attacker could gain unauthorized access to financial data, leading to significant financial loss and data breaches.","The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems.\nIt leverages the Endpoint.Filesystem dataset to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \\windows\\fonts\\, \\users\\public\\).\nThis activity can be significant as adversaries often use these paths to evade detection and maintain persistence.\nIf confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.","The following analytic identifies the creation of executables or scripts in temporary file paths on Windows systems.\nIt leverages the Endpoint.Filesystem data set to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in temporary directories (e.g., \\windows\\Temp\\, \\AppData\\Local\\Temp\\).\nThis activity can be significant as adversaries often use these paths to evade detection and maintain persistence.\nIf confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.","The following analytic detects file writes with extensions indicative of a SamSam ransomware attack.\nIt leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml.\nThis activity is significant because SamSam ransomware is highly destructive, leading to file encryption and ransom demands.\nIf confirmed malicious, the impact includes significant financial losses, operational disruptions, and reputational damage.\nImmediate actions should include isolating affected systems, restoring files from backups, and investigating the attack source to prevent 
further incidents.","The following analytic hunts for any creations or modifications to GitHub Actions workflow YAML files across the organization's Linux or Windows endpoints.\nThis hunting query tracks all workflow file activity under .github/workflows directories to help defenders establish baselines of legitimate CI/CD workflow creation patterns, identify unusual or unauthorized changes, and detect anomalies that may indicate supply chain compromise.\nGitHub Actions workflows execute with privileged access to secrets and deployment credentials, making them high-value targets for attackers.\nBy monitoring workflow file modifications over time, defenders can identify suspicious patterns such as unexpected workflow creation on developer workstations, modifications outside normal change windows, or activity in repositories that don't typically contain workflows.\nThis data is essential for detecting supply chain attacks like Shai-Hulud that inject malicious workflows across multiple repositories.","The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. 
If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network.","Detects the creation of Large Language Model (LLM) files on Windows endpoints by monitoring file creation events for specific model file formats and extensions commonly used by local AI frameworks.\nThis detection identifies potential shadow AI deployments, unauthorized model downloads, and rogue LLM infrastructure by detecting file creation patterns associated with quantized models (.gguf, .ggml), safetensors model format files, and Ollama Modelfiles.\nThese file types are characteristic of local inference frameworks such as Ollama, llama.cpp, GPT4All, LM Studio, and similar tools that enable running LLMs locally without cloud dependencies.\nOrganizations can use this detection to identify potential data exfiltration risks, policy violations related to unapproved AI usage, and security blind spots created by decentralized AI deployments that bypass enterprise governance and monitoring.","The following analytic detects the suspicious creation of msmpeng.exe or mpsvc.dll in non-default Windows Defender folders. It leverages the Endpoint.Filesystem datamodel to identify instances where these files are created outside their expected directories. This activity is significant because it is associated with the REvil ransomware, which uses DLL side-loading to execute malicious payloads. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system compromise, and potential data loss or extortion.","The following analytic detects modifications to Windows accessibility binaries such as sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, and AtBroker.exe. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify changes to these specific files. 
This activity is significant because adversaries can exploit these binaries to gain unauthorized access or execute commands without logging in. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized system access and further compromise of the environment.","The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\\User*` or `*\\Local\\Temp\\*`.\nIt leverages filesystem and process activity data from the Endpoint data model to identify this behavior.\nThis activity can be significant because creating `.lnk` files in these directories is a common indicator of spear phishing tools to establish persistence or execute malicious payloads.\nIf confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system.","The following analytic detects a process writing the dynwrapx.dll file to disk and registering it in the registry. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem events. This activity is significant because DynamicWrapperX is an ActiveX component often used in scripts to call Windows API functions, and its presence in non-standard locations is highly suspicious. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Immediate investigation of parallel processes and registry modifications is recommended.","The following analytic identifies the bulk creation of ransomware notes (e.g., .txt, .html, .hta files) on an infected machine. It leverages Sysmon EventCode 11 to detect multiple instances of these file types being created within a short time frame. This activity is significant as it often indicates an active ransomware attack, where the attacker is notifying the victim of the encryption. 
If confirmed malicious, this behavior could lead to widespread data encryption, rendering critical files inaccessible and potentially causing significant operational disruption.","The following analytic detects the creation of files in the Remcos folder within the AppData directory, specifically targeting keylog and clipboard log files. It leverages the Endpoint.Filesystem data model to identify .dat files created in paths containing \"remcos.\" This activity is significant as it indicates the presence of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording. If confirmed malicious, this could lead to unauthorized data exfiltration and extensive surveillance capabilities for the attacker.","The following analytic detects a rundll32 process creating executable (.exe) or dynamic link library (.dll) files. It leverages Sysmon EventCode 11 to identify instances where rundll32.exe generates these file types. This activity is significant because rundll32 is often exploited by malware, such as IcedID, to drop malicious payloads in directories like Temp, AppData, or ProgramData. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, establish persistence, or escalate privileges within the environment.","The following analytic identifies the presence of files containing the keyword \"Ryuk\" in any folder on the C drive, indicative of Ryuk ransomware activity. It leverages the Endpoint Filesystem data model to detect file paths matching this pattern. This activity is significant as Ryuk ransomware is known for its destructive impact, encrypting critical files and demanding ransom. If confirmed malicious, this could lead to significant data loss, operational disruption, and financial damage due to ransom payments and recovery efforts. 
Immediate investigation and response are crucial to mitigate potential damage.","The following analytic detects the creation of a file named \"test.txt\" within the Windows system directory, indicative of Samsam ransomware propagation. It leverages file-system activity data from the Endpoint data model, specifically monitoring file paths within the Windows System32 directory. This activity is significant as it aligns with known Samsam ransomware behavior, which uses such files for propagation and execution. If confirmed malicious, this could lead to ransomware deployment, resulting in data encryption, system disruption, and potential data loss. Immediate investigation and remediation are crucial to prevent further damage.","The following analytic detects an application attempting to connect and create an ADSI object to perform an LDAP query. It leverages Sysmon EventCode 11 to identify changes in the Active Directory Schema cache files located in %LOCALAPPDATA%\\Microsoft\\Windows\\SchCache or %systemroot%\\SchCache. This activity is significant as it can indicate the presence of suspicious applications, such as ransomware, using ADSI object APIs for LDAP queries. If confirmed malicious, this behavior could allow attackers to gather sensitive directory information, potentially leading to further exploitation or lateral movement within the network.","Detects creation of exfiltration artifact files associated with Shai-Hulud 2.0 npm supply\nchain malware. The malware creates cloud.json, contents.json, environment.json, truffleSecrets.json,\nand actionsSecrets.json files containing harvested credentials from AWS, Azure, GCP, GitHub secrets,\nand environment variables. These files are staged before being pushed to attacker-controlled repositories.","Detects creation or deletion of malicious GitHub Actions workflow files associated with\nShai-Hulud worm variants on Linux or Windows endpoints. 
This includes the original shai-hulud-workflow.yml,\nthe 2.0 backdoor discussion.yaml (enables command injection via GitHub Discussions on self-hosted\nrunners named SHA1HULUD), and the secrets exfiltration workflow formatter_*.yml pattern. These\nfiles are used to exfiltrate credentials and propagate across repositories.","The following analytic detects the creation of shim database files (.sdb) in default directories using the sdbinst.exe application. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify file writes to the Windows\\AppPatch\\Custom directory. This activity is significant because shims can intercept and alter API calls, potentially allowing attackers to bypass security controls or execute malicious code. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment.","The following analytic detects a sharp increase in the number of files written to a specific host. It leverages the Endpoint.Filesystem data model, focusing on 'created' actions and comparing current file write counts against historical averages and standard deviations. This activity is significant as a sudden spike in file writes can indicate malicious activities such as ransomware encryption or data exfiltration. If confirmed malicious, this behavior could lead to significant data loss, system compromise, or further propagation of malware within the network.","The following analytic detects `spoolsv.exe` writing a `.dll` file, which is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527 (PrintNightmare). This detection leverages Sysmon EventID 11 to monitor file creation events in the `\\spool\\drivers\\x64\\` directory. This activity is significant because `spoolsv.exe` typically does not write DLL files, and such behavior could signify an ongoing attack. 
If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence on the compromised system.","The following analytic detects the creation of sqlite3.dll files in the %temp% folder. It leverages Sysmon EventCode 11 to identify when these files are written to the temporary directory. This activity is significant because it is associated with IcedID malware, which uses the sqlite3 module to parse browser databases and steal sensitive information such as banking details, credit card information, and credentials. If confirmed malicious, this behavior could lead to significant data theft and compromise of user accounts.","The following analytic detects the wermgr.exe process creating an executable file. It leverages Sysmon EventCode 11 to identify instances where wermgr.exe generates a .exe file. This behavior is unusual because wermgr.exe is typically associated with error reporting, not file creation. Such activity is significant as it may indicate TrickBot malware, which injects code into wermgr.exe to execute malicious actions like downloading additional payloads. If confirmed malicious, this could lead to further malware infections, data exfiltration, or system compromise.","The following analytic identifies the creation of a suspicious file named 'win.dat' in the root directory (C:\\). It leverages data from the Endpoint.Filesystem datamodel to detect this activity. This behavior is significant as it is commonly used by malware like NjRAT to check for administrative privileges on a compromised host. If confirmed malicious, this activity could indicate that the malware has administrative access, allowing it to perform high-privilege actions, potentially leading to further system compromise and persistence.","The following analytic detects the creation of archived files in a temporary folder, which may contain collected data. 
This behavior is often associated with malicious activity, where attackers compress sensitive information before exfiltration. The detection focuses on monitoring specific directories, such as temp folders, for the presence of newly created archive files (e.g., .zip, .rar, .tar). By identifying this pattern, security teams can quickly respond to potential data collection and exfiltration attempts, minimizing the risk of data breaches and improving overall threat detection.","The following analytic detects the creation of files in the Windows %startup% folder, a common persistence technique. It leverages the Endpoint.Filesystem data model to identify file creation events in this specific directory. This activity is significant because adversaries often use the startup folder to ensure their malicious code executes automatically upon system boot or user logon. If confirmed malicious, this could allow attackers to maintain persistence on the host, potentially leading to further system compromise and unauthorized access to sensitive information.","The following analytic detects .cab files being written to disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on events where the file name is '*.cab' and the action is 'write'. This activity is significant as .cab files can be used to deliver malicious payloads, including embedded .url files that execute harmful code. If confirmed malicious, this behavior could lead to unauthorized code execution and potential system compromise. Analysts should review the file path and associated artifacts for further investigation.","The following analytic detects the copying of Chrome's Local State and Login Data files into temporary folders, a tactic often used by the Braodo stealer malware. These files contain encrypted user credentials, including saved passwords and login session details. 
The detection monitors for suspicious copying activity involving these specific Chrome files, particularly in temp directories where malware typically processes the stolen data. Identifying this behavior enables security teams to act quickly, preventing attackers from decrypting and exfiltrating sensitive browser credentials and mitigating the risk of unauthorized access.","The following analytic detects the creation of files containing passwords, cookies, and saved login account information by the Braodo stealer malware in temporary folders. Braodo often collects these credentials from browsers and applications, storing them in temp directories before exfiltration. This detection focuses on monitoring for the creation of files with patterns or formats commonly associated with stolen credentials. By identifying these activities, security teams can take needed action to prevent sensitive login data from being leaked, reducing the risk of unauthorized access to user accounts and systems.","This analytic detects the creation of files without extensions in critical Windows system and driver-related directories, including but not limited to System32\\Drivers, Windows\\WinSxS, and other known Windows driver storage and loading paths. The detection has been expanded to comprehensively cover all commonly abused and legitimate Windows driver folder locations, increasing visibility into attempts to stage or deploy kernel-mode components. The analytic leverages telemetry from the Endpoint.Filesystem data model, with a focus on file creation events and file path analysis. File creation activity in these directories—particularly involving extensionless files—is highly suspicious, as it may indicate the presence of destructive or stealthy malware. This behavior is consistent with malware families such as HermeticWiper, which deploy kernel driver components into trusted Windows driver directories to obtain low-level access and execute destructive payloads. 
If confirmed malicious, this activity can result in severe system compromise, including the deployment of malicious drivers, boot-sector or filesystem destruction, and ultimately system inoperability and irreversible data loss.","The following analytic detects the creation of .iso.lnk files in the %USER%\\AppData\\Local\\Temp\\<random folder name>\\ path, indicating that an ISO file has been mounted and accessed. This detection leverages the Endpoint.Filesystem data model, specifically monitoring file creation events in the Windows Recent folder. This activity is significant as it may indicate the delivery and execution of potentially malicious payloads via ISO files. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further system compromise.","The following analytic identifies the creation of Dynamic Link Libraries (DLLs) with a known history of exploitation in atypical locations. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and filesystem events. This activity is significant as it may indicate DLL search order hijacking or sideloading, techniques used by attackers to execute arbitrary code, maintain persistence, or escalate privileges. If confirmed malicious, this activity could allow attackers to blend in with legitimate operations, posing a severe threat to system integrity and security.","The following analytic detects the creation of files with extensions commonly associated with the Mimikatz Crypto module. It leverages the Endpoint.Filesystem data model to identify specific file names indicative of certificate export activities. This behavior is significant as it may indicate the use of Mimikatz to export cryptographic keys, which is a common tactic for credential theft. 
If confirmed malicious, this activity could allow an attacker to exfiltrate sensitive cryptographic material, potentially leading to unauthorized access and further compromise of the environment.","The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's \"wwwroot\" directory. It leverages endpoint data on process and filesystem activity to identify processes responsible for creating these files. This activity is significant as it may indicate exploitation of a critical zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive data, including user credentials and file metadata, posing a severe risk to the organization's security.","The following analytic identifies instances of `mshta.exe` writing files to world-writable directories. It leverages Sysmon EventCode 11 logs to detect file write operations by `mshta.exe` to directories like `C:\\Windows\\Tasks` and `C:\\Windows\\Temp`. This activity is significant as it often indicates an attempt to establish persistence or execute malicious code, deviating from the utility's legitimate use. If confirmed malicious, this behavior could lead to the execution of multi-stage payloads, potentially resulting in full system compromise and unauthorized access to sensitive information.","The following analytic detects the creation of files associated with the NirSoft\ntool bundles on Windows endpoints.\nNirSoft is a well-known provider of free, portable utilities that can be used for various system and network tasks. 
However, threat actors often leverage these tools for malicious purposes, such as credential harvesting, network reconnaissance, and data exfiltration.\nThe detection focuses on the creation of specific NirSoft tool bundle files, which may indicate that an attacker is preparing to use these utilities on a compromised system.\nSecurity teams should investigate any instances of these files being created, especially if they are found in unexpected locations or on systems that should not be using such tools.","The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the generation of file related to rar sfx .tmp file creation during sfx installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery.","The following analytic detects the creation of an Outlook Macro (VbaProject.OTM) by a suspicious process. This file is normally created when you create a macro from within Outlook. If this file is created by a process other than Outlook.exe it may be maliciously created. This detection leverages data from the Filesystem datamodel, specifically looking for the file creation event for VbaProject.OTM. This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.","The following analytic detects the creation of an .exe file along with its corresponding .exe.config and a .dll in the same directory, which is a common pattern indicative of potential AppDomain hijacking or CLR code injection attempts. 
This behavior may signal that a malicious actor is attempting to load a rogue assembly into a legitimate application's AppDomain, allowing code execution under the context of a trusted process.","The following analytic identifies a process writing a .txt file to a world writable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on file creation events within specific directories. This activity is significant as adversaries often use such techniques to deliver payloads to a system, which is uncommon for legitimate processes. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.","This detection identifies the creation of Remote Desktop Protocol (RDP) bitmap cache files on a Windows system, typically located in the user’s profile under the Terminal Server Client cache directory. These files (*.bmc, cache*.bin) are generated when a user initiates an RDP session using the built-in mstsc.exe client. Their presence can indicate interactive remote access activity and may be useful in detecting lateral movement or unauthorized RDP usage. Monitoring this behavior is especially important, as attackers may attempt to delete or suppress these artifacts to evade forensic analysis.","The following analytic detects the creation or dropping of executable or script files in the root directory of a removable drive. It leverages data from the Endpoint.Filesystem datamodel, focusing on specific file types and their creation paths. This activity is significant as it may indicate an attempt to spread malware, such as ransomware, via removable media. 
If confirmed malicious, this behavior could lead to unauthorized code execution, lateral movement, or persistence within the network, potentially compromising sensitive data and systems.","The following analytic detects the creation of screen capture files by the Braodo stealer malware. This stealer is known to capture screenshots of the victim's desktop as part of its data theft activities. The detection focuses on identifying unusual screen capture activity, especially when images are saved in directories often used by malware, such as temporary or hidden folders. Monitoring for these files helps to quickly identify malicious screen capture attempts, allowing security teams to respond and mitigate potential information exposure before sensitive data is compromised.","This detection identifies the creation or modification of the \"spinstall0.aspx\" webshell file in Microsoft SharePoint directories. This file is a known indicator of compromise associated with the exploitation of CVE-2025-53770 (ToolShell vulnerability). Attackers exploit the vulnerability to drop webshells that provide persistent access to compromised SharePoint servers, allowing them to execute arbitrary commands, access sensitive data, and move laterally within the network.","The following analytic identifies the creation of a .crmlog file within the %windows%\\Registration directory, typically with a format of <RANDOM_GUID>.<RANDOM_GUID>.crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. 
Immediate investigation is required to mitigate the threat.","The following analytic detects the creation of the comadmin.dat file in the %windows%\\system32\\Com directory, which is associated with Snake Malware. This detection leverages the Endpoint.Filesystem data model to identify file creation events matching the specified path and filename. This activity is significant because the comadmin.dat file is part of Snake Malware's installation process, which includes dropping a kernel driver and a custom DLL. If confirmed malicious, this activity could allow an attacker to load a malicious driver, potentially leading to privilege escalation and persistent access to the compromised system.","The following analytic detects the creation of new .sys files on disk. It leverages the Endpoint.Filesystem data model to identify and log instances where .sys files are written to the filesystem. This activity is significant because .sys files are often used as kernel mode drivers, and their unauthorized creation can indicate malicious activity such as rootkit installation. If confirmed malicious, this could allow an attacker to gain kernel-level access, leading to full system compromise, persistent control, and the ability to bypass security mechanisms.","The following analytic detects the creation of URL shortcut files, often used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem datamodel to identify \".url\" files created outside common directories, such as \"Program Files\". This activity can be significant as \".URL\" files can be used as a means to trick the user into visiting certain websites unknowingly, or when placed in certain locations such as \"\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\\", it may allow the execution of malicious code upon system reboot. 
If confirmed malicious, this could allow an attacker to achieve persistence and execute harmful payloads, potentially leading to further system compromise and data loss.","Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.","Sysmon registry detection of a local hidden user account.","Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.","Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.\nThis is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,\nallowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.","Detects the addition of a key 'MiniNt' to the registry. 
Upon a reboot, Windows Event Log service will stop writing events.","Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.","Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.","Detects the use of Windows Credential Editor (WCE)","Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.","Detects the presence of a registry key created during Azorult execution","Detects a registry key used by IceID in a campaign that distributes malicious OneNote files","Detects value modification of registry key containing path to binary used as screensaver.","Detects abusing Windows 10 Narrator's Feedback-Hub","Detects NetNTLM downgrade attack","Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.","DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll","Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started","Alerts on trust record modification within the registry, indicating usage of macros","Detects persistence registry keys for Recycle Bin","Detects the modification of the PortProxy registry key which is used for port forwarding.","Detects actions caused by the RedMimicry Winnti 
playbook","Detects potential malicious modification of run keys by winekey or team9 backdoor","Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup","Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)","Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process","Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.","Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'","Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories","Detects a method to load DLL via LSASS process using an undocumented Registry key","Detects Processes accessing the camera and microphone from suspicious folder","Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.\nThese processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry\nwithout using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.","The following analytic detects suspicious registry modifications that implement auto admin logon by adding DefaultUserName and DefaultPassword values. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" registry path. 
This activity is significant because it is associated with BlackMatter ransomware, which uses this technique to automatically log on to compromised hosts and continue encryption after a safe mode boot. If confirmed malicious, this could allow attackers to maintain persistence and further encrypt the network, leading to significant data loss and operational disruption.","The following analytic detects a process modifying the registry with a known malicious CLSID under InProcServer32. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications within the HKLM or HKCU Software Classes CLSID paths. This activity is significant as it may indicate an attempt to load a malicious DLL, potentially leading to code execution. If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or escalate privileges, posing a severe threat to system integrity and security.","The following analytic detects the presence of a registry key associated with the Remcos RAT agent on a host. It leverages data from the Endpoint.Processes and Endpoint.Registry data models in Splunk, focusing on instances where the \"license\" key is found in the \"Software\\Remcos\" path. This behavior is significant as it indicates potential compromise by the Remcos RAT, a remote access Trojan used for unauthorized access and data exfiltration. If confirmed malicious, the attacker could gain control over the system, steal sensitive information, or use the compromised host for further attacks. Immediate investigation and remediation are required.","The following analytic identifies suspicious modifications in the registry entry, specifically targeting paths used by malware like REVIL. It detects changes in registry paths such as `SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant` and `SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter`. 
This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications linked to process GUIDs. This activity is significant as it indicates potential malware persistence mechanisms, often used by advanced persistent threats (APTs) and ransomware. If confirmed malicious, this could allow attackers to maintain persistence, encrypt files, and store critical ransomware-related information on compromised hosts.","The following analytic detects suspicious modifications to the sdclt.exe registry, a technique often used to bypass User Account Control (UAC). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific registry paths and values associated with sdclt.exe. This activity is significant because UAC bypasses can allow attackers to execute payloads with elevated privileges without user consent. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, and potential persistence within the environment, posing a severe security risk.","The following analytic detects a potential deletion of firewall rules, indicating a possible security breach or unauthorized access attempt. It identifies actions where firewall rules are removed using commands like netsh advfirewall firewall delete rule, which can expose the network to external threats by disabling critical security measures. Monitoring these activities helps maintain network integrity and prevent malicious attacks.","This detection identifies the deletion of registry keys under HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\, which store records of previously connected remote systems via Remote Desktop Protocol (RDP). These keys are created automatically when a user connects to a remote host using the native Windows RDP client (mstsc.exe) and can be valuable forensic artifacts for tracking remote access activity. 
Malicious actors aware of this behavior may delete these keys after using RDP to hide evidence of their activity and avoid detection during incident response. This form of artifact cleanup is a known defense evasion technique, often performed during or after lateral movement. Legitimate users rarely delete these keys manually, making such actions highly suspicious—especially when correlated with RDP usage, unusual logon behavior, or other signs of compromise. Detecting the deletion of these registry entries can provide crucial insight into attempts to cover tracks following interactive remote access.","The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task.\nIt leverages the Endpoint.Registry data model to identify registry actions performed by the SYSTEM user, specifically targeting deletions of the SD value.\nThis activity is significant as it may indicate an attempt to remove evidence of a scheduled task for defense evasion.\nIf confirmed malicious, it suggests an attacker with privileged access trying to hide their tracks, potentially compromising system integrity and security.","The following analytic detects the deletion or modification of Most Recently Used (MRU) command entries stored within the Windows Registry. Adversaries often clear these registry keys, such as HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU, to remove forensic evidence of commands executed via the Windows Run dialog or other system utilities. This activity aims to obscure their actions, hinder incident response efforts, and evade detection. Detection focuses on monitoring for changes (deletion of values or modification of the MRUList value) to these specific registry paths, particularly when performed by unusual processes or outside of typical user behavior. 
Anomalous deletion events can indicate an attempt at defense evasion or post-exploitation cleanup by a malicious actor.","This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\ key. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.","This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the Windows Portable Device keys HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\ or HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\ . Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.","The following analytic detects a suspicious modification of the registry aimed at bypassing User Account Control (UAC) by leveraging WSReset.exe. It identifies the creation or modification of specific registry values under the path \"*\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command*\". This detection uses data from Endpoint Detection and Response (EDR) agents, focusing on process and registry events. This activity is significant because UAC bypass techniques can allow attackers to execute high-privilege actions without user consent. 
If confirmed malicious, this could lead to unauthorized code execution and potential system compromise.","Detects enabling of the \"AllowAnonymousCallback\" registry value, which allows a remote connection between computers that do not have a trust relationship.","Detects the modification of the registry to allow a driver or service to persist in Safe Mode.","Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.","Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes","Detects enabling of the RDP feature to allow a specific user to connect via RDP to the targeted machine","Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionalities. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless","Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.\nAnti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.\nAdversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.","Detects modification of autostart extensibility point (ASEP) in registry.","Detects setting of a new registry database value related to BgInfo configuration. 
Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.","Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via \"BgInfo.exe\"","Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via \"BgInfo.exe\"","Bypasses User Account Control using a fileless method","Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification","Detects the setting of the environment variable \"windir\" to a non default value.\nAttackers often abuse this variable in order to trigger a UAC bypass via the \"SilentCleanup\" task.\nThe SilentCleanup task located in %windir%\\system32\\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.","Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. 
It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).","Hides the file extension through modification of the registry","Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.","Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.","Running Chrome VPN Extensions via the Registry install 2 vpn extension","Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.","Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.","Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'","Detects disabling the CrashDump per registry (as used by HermeticWiper)","Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.\nWindows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.\nAdversary may want to disable this service to disable logging of security events which could be used to detect their activities.","Detect the creation of a service with a service binary located in a suspicious directory","Detects attempts to disable Windows Credential Guard by setting registry values to 0. 
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.\nAdversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.","Detects the abuse of custom file open handler, executing powershell","Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. Which will get invoked when an application crashes","Detects the Setting of Windows Defender Exclusions","Detects registry value settings that would replace the user's desktop background.\nThis is a common technique used by malware to change the desktop background to a ransom note or other image.","Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a \"Dev Drive\".","Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the \"Enabled\" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel","Detects changes to the \"DisableHypervisorEnforcedPagingTranslation\" registry value. 
Where it is set to \"1\" in order to disable the Hypervisor Enforced Paging Translation feature.","Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)","Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system","Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging","Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage","Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)","Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros","Detects registry modifications that disable Privacy Settings Experience","Detects setting UseActionCenterExperience to 0 to disable the Windows security center notification","Detects the modification of the registry to disable a system restore on the computer","Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry","Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel. 
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as \"Get-EventLog\" or \"wevtutil\".","Detect set EnableFirewall to 0 to disable the Windows firewall","Detects tampering with the \"Enabled\" registry key in order to disable Windows logging of a Windows event channel","Detects disabling Windows Defender Exploit Guard Network Protection","Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections","Detects disabling Windows Defender PUA protection","Detects disabling Windows Defender Tamper Protection","Detect set DisallowRun to 1 to prevent user running specific computer program","Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.","Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.","Potential adversaries stopping ETW providers recording loaded .NET assemblies.","Detects changes to \"DsrmAdminLogonBehavior\" registry value.\nDuring a Domain Controller (DC) promotion, administrators create a Directory Services Restore 
Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.\nAttackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"0\", the administrator account can only be used if the DC starts in DSRM.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"1\", the administrator account can only be used if the local AD DS service is stopped.\nIf the \"DsrmAdminLogonBehavior\" value is set to \"2\", the administrator account can always be used.","Detects the enabling of the \"EnablePeriodicBackup\" registry value. Once enabled, The OS will backup System registry hives on restarts to the \"C:\\Windows\\System32\\config\\RegBack\" folder. Windows creates a \"RegIdleBackup\" task to manage subsequent backups.\nRegistry backup was a default behavior on Windows and was disabled as of \"Windows 10, version 1803\".","Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of \"DisableAIDataAnalysis\" to \"0\".\nAdversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\nThis rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.","Detects .NET Framework CLR and .NET Core CLR \"cor_enable_profiling\" and \"cor_profiler\" variables being set and configured.","Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability","Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting","Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings","Detect change of the user account associated with the FAX service to avoid the escalation problem.","Detect possible persistence using Fax DLL load when service restart","Detects the abuse of the exefile handler in new file association. Used for bypass of security products.","Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.","Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes","Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary","Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.","Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)","Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)","Detects changes to the \"HVCIDisallowedImages\" registry value to potentially add a driver to the list, in order to prevent it from loading.","Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\nBefore doing this, the client needs to register the DLL in a special registry key that is assumed to 
implement this keyboard layout. This registry key should store a value named \"Ime File\" with a DLL path.\nIMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.","Detects the addition of new root, CA or AuthRoot certificates to the Windows registry","Detects changes to the Internet Explorer \"DisableFirstRunCustomize\" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.","Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages","Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json","Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.","Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.","Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper","Detects changes to the Netsh registry key to add a new DLL value. 
This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper","A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.","Detects the registration of a new ODBC driver.","Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location","Detects registry changes to Microsoft Office \"AccessVBOM\" to a value of \"1\" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.","Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.","Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.","Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module","Detects the modification of Outlook security setting to allow unprompted execution of macros.","Detects changes to the registry values related to outlook security settings","Detects registry changes to Office trust records where the path is located in a potentially suspicious location","Detects changes to registry keys related to \"Trusted Location\" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.","Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.","Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. 
Note: if the value is set beyond 125, older Windows 9x clients will fail to negotiate.\nRansomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.","Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.\nAttackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.\nThis technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.","Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.\nThis compatibility layer allows an application to register for restart using the \"RegisterApplicationRestart\" API.\nThis can be potentially abused as a persistence mechanism.","Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry, which might be used as a method of persistence.\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to prepend information to the PATH environment variable on a per-application, per-process basis.","Detects potential persistence using Appx DebugPath","Detects changes to the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library","Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence","Detects potential COM object hijacking via modification of default system CLSID.","Detects COM object hijacking via TreatAs subkey","Detects changes to the PSFactory COM InProcServer32 registry. 
This technique was used by RomCom to create persistence storing a malicious DLL.","Detects potential persistence activity via the registration of new custom protocol handlers. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.","Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique","Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys","Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence","Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.","Detects creation of \"UserInitMprLogonScript\" registry value which can be used as a persistence method by malicious actors","Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. 
Each DLL has its InitializeLsaExtension() method called after loading.","Detects when an attacker register a new SIP provider for persistence and defense evasion","Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)","Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process","Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.","Detects potential persistence activity via outlook home page.\nAn attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.","Detects potential persistence activity via outlook today page.\nAn attacker can set a custom page to execute arbitrary code and link to it via the registry values \"URL\" and \"UserDefinedUrl\".","Detects potential WerFault \"ReflectDebugger\" registry value abuse for persistence.","Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute","Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time","Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.","Detects the installation of a new shim database where the file is located in a non-default location","Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. 
Which might indicate persistence attempt","Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.","Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)","Detects tampering with attachment manager settings policies attachments (See reference for more information)","Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.\nClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.\nThrough the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,\nsuch as one-liners that execute remotely hosted malicious files or scripts.","Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.\nThreat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.","Detects that a powershell code is written to the registry as a service.","Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.","Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution","Detects potential PowerShell commands or code within registry run keys","Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging","Detects the execution of a Sysinternals Tool via the creation of the \"accepteula\" registry key","Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool)","Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.","Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution","Detects changes to the \"ExtErrorInformation\" key in order to disable ETW logging for rpcrt4.dll","Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\nThis technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.","Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl","Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.","Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.","Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)","Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)","Detects tamper attempts to sophos av functionality via registry key modification","Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.","Detect set Notification_Suppress to 1 to disable the Windows security center notification","Detects the keyboard preload installation with a suspicious keyboard layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only","Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.","Detects a suspicious printer driver installation with an empty Manufacturer value","Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder","Detects suspicious new RUN key element pointing to an executable in a suspicious folder","Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.","Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)","Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.\nGenerally, modifications to the `*\\shell\\open\\command` registry key can indicate an attempt to change the default action for opening files,\nand various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.","Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.","Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts.\nAttackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup.\nThis technique is often used to maintain persistence on a compromised system by ensuring that the 
malicious payload is executed automatically.","Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.","Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings","Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious","Detects potential persistence behavior using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.","Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.","Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n\nBelow is a list of registry keys/values that are monitored by this rule:\n\n- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.\n- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.\n- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.\n- fAllowUnsolicited: Allows unsolicited remote assistance offers.\n- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.\n- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.\n- 
ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.\n- SecurityLayer: Specifies the security layer used for RDP connections.","Detects processes setting a new DLL in DllName under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.","Detects applications or users re-enabling old TLS versions by setting the \"Enabled\" value to \"1\" for the \"Protocols\" registry key.","Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command","Detects the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\", which allows the user to install untrusted packages.","Detects UAC bypass method using Windows event viewer","Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)","Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value \"EnableLUA\" to 0.","Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the \"UACDisableNotify\" value.\nUAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.\nWhen \"UACDisableNotify\" is set to 1, UAC prompts are suppressed.","Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the \"PromptOnSecureDesktop\" value.\nThe \"PromptOnSecureDesktop\" setting specifically determines whether UAC prompts are displayed on the secure desktop. 
The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.\nWhen \"PromptOnSecureDesktop\" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.","Detects VBScript content stored into registry keys as seen being used by UNC2452 group","Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,\nand its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,\nparticularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.\nThis rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.\nNote that this change will require a reboot to take effect, and this rule only detects the registry modification action.","This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.","Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials","Detects when attackers or tools disable Windows Defender functionalities via the Windows registry","Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks","Detects changes to the AppInstaller (winget) policy. 
Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.","Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users","Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.","The following analytic detects suspicious modifications to the Active Setup registry for persistence and privilege escalation. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"StubPath\" value within the \"SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\" path. This activity is significant as it is commonly used by malware, adware, and APTs to maintain persistence on compromised machines. If confirmed malicious, this could allow attackers to execute code upon system startup, potentially leading to further system compromise and unauthorized access.","The following analytic detects suspicious modifications to firewall rule registry settings that allow inbound traffic on specific ports with a public profile. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant as it may indicate an adversary attempting to grant remote access to a machine by modifying firewall rules. 
If confirmed malicious, this could enable unauthorized remote access, potentially leading to further exploitation, data exfiltration, or lateral movement within the network.","The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the 'ConsentPromptBehaviorAdmin' value within the Windows Policies System registry path. This activity is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to execute high-privilege tasks without user approval. If confirmed malicious, this could lead to unauthorized administrative access and control over the compromised machine, posing a severe security risk.","The following analytic detects a suspicious registry modification that enables auto admin logon on a host. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"AutoAdminLogon\" value within the \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\" registry path. This activity is significant because it was observed in BlackMatter ransomware attacks to maintain access after a safe mode reboot, facilitating further encryption. If confirmed malicious, this could allow attackers to automatically log in and continue their operations, potentially leading to widespread network encryption and data loss.","The following analytic detects when a known remote access software is added to common persistence locations on a device within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. 
Review the lookup for the entire list and add any others.","The following analytic detects modifications to the Windows registry that disable the Antimalware Scan Interface (AMSI) by setting the \"AmsiEnable\" value to \"0x00000000\". This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\". Disabling AMSI is significant as it is a common technique used by ransomware, Remote Access Trojans (RATs), and Advanced Persistent Threats (APTs) to evade detection and impair defenses. If confirmed malicious, this activity could allow attackers to execute payloads with minimal alerts, leading to potential system compromise and data exfiltration.","The following analytic detects the modification of Windows Defender registry settings to disable antivirus and antispyware protections. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender policies. This activity is significant because disabling antivirus protections is a common tactic used by adversaries to evade detection and maintain persistence on compromised systems. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches, system compromise, and further propagation of malware within the network.","The following analytic detects the modification of the Windows registry to disable the Windows Defender BlockAtFirstSeen feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the DisableBlockAtFirstSeen value. This activity is significant because disabling this feature can allow malicious files to bypass initial detection by Windows Defender, increasing the risk of malware infection. 
If confirmed malicious, this action could enable attackers to execute malicious code undetected, leading to potential system compromise and data breaches.","The following analytic detects the modification of the registry to disable Windows Defender's Enhanced Notification feature. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring changes to the registry path associated with Windows Defender reporting. This activity is significant because disabling Enhanced Notifications can prevent users and administrators from receiving critical security alerts, potentially allowing malicious activities to go unnoticed. If confirmed malicious, this action could enable an attacker to bypass detection mechanisms, maintain persistence, and escalate their activities without triggering alerts.","The following analytic detects the modification of the Windows Defender MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection leverages endpoint registry logs, focusing on changes within the path \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\". This activity is significant as it indicates an attempt to disable key Windows Defender features, potentially allowing malware to evade detection. If confirmed malicious, this could lead to undetected malware execution, persistence, and further system compromise. Immediate investigation and endpoint isolation are recommended.","The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. 
If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender.","The following analytic detects the modification of the Windows registry to disable the Windows Defender Submit Samples Consent feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the SubmitSamplesConsent value set to 0x00000000. This activity is significant as it indicates an attempt to bypass or evade detection by preventing Windows Defender from submitting samples for further analysis. If confirmed malicious, this could allow an attacker to execute malicious code without being detected by Windows Defender, leading to potential system compromise.","The following analytic detects modifications to the registry that disable the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" with a value set to \"0x00000000\". This activity is significant because disabling ETW can allow attackers to evade detection mechanisms, making it harder for security tools to monitor malicious activities. If confirmed malicious, this could enable attackers to execute payloads with minimal alerts, impairing defenses and potentially leading to further compromise of the system.","The following analytic detects modifications to the Windows registry aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" with a value of \"0x00000001\". 
This activity is significant because malware, such as RATs or trojans, often disable registry tools to prevent the removal of their entries, aiding in persistence and defense evasion. If confirmed malicious, this could hinder incident response efforts and allow the attacker to maintain control over the compromised system.","The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"Control\\\\MiniNt\" registry path. This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits.","The following analytic detects modifications to the Windows registry that disable the display of hidden files. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with hidden file settings. This activity is significant because malware, such as worms and trojan spyware, often use hidden files to evade detection. If confirmed malicious, this behavior could allow an attacker to conceal malicious files on the system, making it harder for security tools and analysts to identify and remove the threat.","The following analytic detects the modification of the registry to disable UAC remote restriction by setting the \"LocalAccountTokenFilterPolicy\" value to \"0x00000001\". It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\CurrentVersion\\\\Policies\\\\System*\". 
This activity is significant because disabling UAC remote restriction can allow an attacker to bypass User Account Control (UAC) protections, potentially leading to privilege escalation. If confirmed malicious, this could enable an attacker to execute unauthorized actions with elevated privileges, compromising the security of the affected system.","The following analytic detects a suspicious registry modification aimed at disabling Windows hotkeys for native applications. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values indicative of this behavior. This activity is significant as it can impair an analyst's ability to use essential tools like Task Manager and Command Prompt, hindering incident response efforts. If confirmed malicious, this technique can allow an attacker to maintain persistence and evade detection, complicating the remediation process.","The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender settings. This activity is significant because disabling real-time protection is a common tactic used by malware such as RATs, bots, or Trojans to evade detection. If confirmed malicious, this action could allow an attacker to execute code, escalate privileges, or persist in the environment without being detected by antivirus software.","The following analytic detects modifications to the Windows registry that disable SmartScreen protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with SmartScreen settings. This activity is significant because SmartScreen provides an early warning system against phishing and malware. 
Disabling it can indicate malicious intent, often seen in Remote Access Trojans (RATs) to evade detection while downloading additional payloads. If confirmed malicious, this action could allow attackers to bypass security measures, increasing the risk of successful phishing attacks and malware infections.","The following analytic detects modifications to the registry that disable the CMD prompt application. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableCMD\" registry value. This activity is significant because disabling CMD can hinder an analyst's ability to investigate and remediate threats, a tactic often used by malware such as RATs, Trojans, or Worms. If confirmed malicious, this could prevent security teams from using CMD for directory and file traversal, complicating incident response and allowing the attacker to maintain persistence.","The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" with a value of \"0x00000001\". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts.","The following analytic detects the disabling of Windows Defender services by monitoring registry modifications. It leverages registry event data to identify changes to specific registry paths associated with Defender services, where the 'Start' value is set to '0x00000004'. 
This activity is significant because disabling Defender services can indicate an attempt by an adversary to evade detection and maintain persistence on the endpoint. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches or system compromise.","The following analytic detects the modification of the Windows registry to disable the Folder Options feature, which prevents users from showing hidden files and file extensions. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" with a value of \"0x00000001\". This activity is significant as it is commonly used by malware to conceal malicious files and deceive users with fake file extensions. If confirmed malicious, this could allow an attacker to hide their presence and malicious files, making detection and remediation more difficult.","The following analytic detects the modification of the Windows registry to disable the Run application in the Start menu. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" with a value of \"0x00000001\". This activity is significant because the Run application is a useful shortcut for executing known applications and scripts. If confirmed malicious, this action could hinder system cleaning efforts and make it more difficult to run essential tools, thereby aiding malware persistence.","The following analytic identifies modifications to the registry key that controls the enforcement of Windows User Account Control (UAC). It detects changes to the registry path `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA` where the value is set to `0x00000000`. 
This activity is significant because disabling UAC can allow unauthorized changes to the system without user consent, potentially leading to privilege escalation. If confirmed malicious, an attacker could gain elevated privileges, making it easier to execute further attacks or maintain persistence within the environment.","The following analytic detects the modification of registry keys to disable System Restore on a machine. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with System Restore settings. This activity is significant because disabling System Restore can hinder recovery efforts and is a tactic often used by Remote Access Trojans (RATs) to maintain persistence on an infected system. If confirmed malicious, this action could prevent system recovery, allowing the attacker to sustain their foothold and potentially cause further damage or data loss.","The following analytic identifies modifications to the Windows registry that disable Task Manager. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with malware such as RATs, Trojans, and worms, which disable Task Manager to prevent users from terminating malicious processes. If confirmed malicious, this could allow attackers to maintain persistence and control over the infected system.","The following analytic identifies the deletion of registry keys that disable Local Security Authority (LSA) protection and Microsoft Defender Device Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry actions and paths associated with LSA and Device Guard settings. 
This activity is significant because disabling these defenses can leave a system vulnerable to various attacks, including credential theft and unauthorized code execution. If confirmed malicious, this action could allow attackers to bypass critical security mechanisms, leading to potential system compromise and persistent access.","The following analytic detects modifications to the registry that enable RDP on a machine using a non-default port number. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" and the \"PortNumber\" value. This activity is significant as attackers often modify RDP settings to facilitate lateral movement and maintain remote access to compromised systems. If confirmed malicious, this could allow attackers to bypass network defenses, gain persistent access, and potentially control the compromised machine.","The following analytic detects a suspicious registry modification that enables the plain text credential feature in Windows by setting the \"UseLogonCredential\" value to 1 in the WDigest registry path. This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is commonly used by malware and tools like Mimikatz to dump plain text credentials, indicating a potential credential dumping attempt. If confirmed malicious, this could allow an attacker to obtain sensitive credentials, leading to further compromise and lateral movement within the network.","The following analytic detects a registry modification that disables the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. 
This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment.","The following analytic detects an Eventvwr UAC bypass by identifying suspicious registry modifications in the path that Eventvwr.msc references upon execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry changes and process execution details. This activity is significant because it indicates a potential privilege escalation attempt, allowing an attacker to execute arbitrary commands with elevated privileges. If confirmed malicious, this could lead to unauthorized code execution, persistence, and further compromise of the affected system.","The following analytic detects a suspicious registry modification that hides a user account from the Windows Login screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" with a value of \"0x00000000\". This activity is significant as it may indicate an adversary attempting to create a hidden admin account to avoid detection and maintain persistence on the compromised machine. If confirmed malicious, this could allow the attacker to maintain undetected access and control over the system, posing a severe security risk.","The following analytic detects the modification of the UserInitMprLogonScript registry entry, which is often used by attackers to establish persistence and gain privilege escalation upon system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the specified registry path. 
This activity is significant because it is a common technique used by APT groups and malware to ensure their payloads execute automatically when the system starts. If confirmed malicious, this could allow attackers to maintain persistent access and potentially escalate their privileges on the compromised host.","The following analytic detects the modification of registry keys related to the desktop wallpaper settings. It leverages Sysmon EventCode 13 to identify changes to the \"Control Panel\\\\Desktop\\\\Wallpaper\" and \"Control Panel\\\\Desktop\\\\WallpaperStyle\" registry keys, especially when the modifying process is not explorer.exe or involves suspicious file paths like temp or public directories. This activity is significant as it can indicate ransomware behavior, such as the REVIL ransomware, which changes the wallpaper to display a ransom note. If confirmed malicious, this could signify a compromised machine and the presence of ransomware, leading to potential data encryption and extortion.","The following analytic detects modifications to the registry key `HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`. It leverages data from the Endpoint.Registry data model, focusing on events where the registry path is modified. This activity is significant because attackers can exploit this registry key to load arbitrary .dll files, which will execute with elevated SYSTEM permissions and persist after a reboot. If confirmed malicious, this could allow attackers to maintain persistence, execute code with high privileges, and potentially compromise the entire system.","The following analytic detects modifications to the registry aimed at bypassing the User Account Control (UAC) feature in Windows. It identifies changes to the .NET COR_PROFILER_PATH registry key, which can be exploited to load a malicious DLL via mmc.exe. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values. 
Monitoring this activity is crucial as it can indicate an attempt to escalate privileges or persist within the environment. If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, compromising system integrity.","The following analytic detects suspicious modifications or new entries in the Print Processor registry path. It leverages registry activity data from the Endpoint data model to identify changes in the specified registry path. This activity is significant because the Print Processor registry is known to be exploited by APT groups like Turla for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to execute a malicious DLL payload by restarting the spoolsv.exe process, leading to potential control over the compromised machine.","The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems.","The following analytic identifies modifications to registry keys commonly used for persistence mechanisms. It leverages data from endpoint detection sources like Sysmon or Carbon Black, focusing on specific registry paths known to initiate applications or services during system startup. This activity is significant as unauthorized changes to these keys can indicate attempts to maintain persistence or execute malicious actions upon system boot. 
If confirmed malicious, this could allow attackers to achieve persistent access, execute arbitrary code, or maintain control over compromised systems, posing a severe threat to system integrity and security.","The following analytic detects modifications to registry keys under \"Image File Execution Options\" that can be used for privilege escalation. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths and values like GlobalFlag and Debugger. This activity is significant because attackers can use these modifications to intercept executable calls and attach malicious binaries to legitimate system binaries. If confirmed malicious, this could allow attackers to execute arbitrary code with elevated privileges, leading to potential system compromise and persistent access.","The following analytic detects modifications to the SCRNSAVE.EXE registry entry, indicating potential event trigger execution via screensaver settings for persistence or privilege escalation. It leverages registry activity data from the Endpoint data model to identify changes to the specified registry path. This activity is significant as it is a known technique used by APT groups and malware to maintain persistence or escalate privileges. If confirmed malicious, this could allow an attacker to execute arbitrary code with elevated privileges, leading to further system compromise and persistent access.","The following analytic detects changes to the PowerShell ExecutionPolicy in the registry to \"Unrestricted\" or \"Bypass.\" It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the path *Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell*. This activity is significant because setting the ExecutionPolicy to these values can allow the execution of potentially malicious scripts without restriction. 
If confirmed malicious, this could enable an attacker to execute arbitrary code, leading to further compromise of the system and potential escalation of privileges.","The following analytic detects suspicious modifications to the registry that may indicate a UAC (User Account Control) bypass attempt via the SilentCleanup task. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry changes in the path \"*\\\\Environment\\\\windir\" with executable values. This activity is significant as it can allow an attacker to gain high-privilege execution without user consent, bypassing UAC protections. If confirmed malicious, this could lead to unauthorized administrative access, enabling further system compromise and persistence.","The following analytic detects suspicious modifications to the time provider registry for persistence and autostart. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders\" registry path. This activity is significant because such modifications are uncommon and can indicate an attempt to establish persistence on a compromised host. If confirmed malicious, this technique allows an attacker to maintain access and execute code automatically upon system boot, potentially leading to further exploitation and control over the affected system.","The following analytic identifies changes to the Directory Services Restore Mode (DSRM) account behavior via registry modifications. It detects alterations in the registry path \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DSRMAdminLogonBehavior\" with specific values indicating potential misuse. This activity is significant because the DSRM account, if misconfigured, can be exploited to persist within a domain, similar to a local administrator account. 
If confirmed malicious, an attacker could gain persistent administrative access to a Domain Controller, leading to potential domain-wide compromise and unauthorized access to sensitive information.","The following analytic detects potentially suspicious modifications to the Audit Policy auditing options registry values. It leverages data from the Endpoint.Registry data model, focusing on changes to one of the following auditing option values: \"CrashOnAuditFail\", \"FullPrivilegeAuditing\", \"AuditBaseObjects\" and \"AuditBaseDirectories\" within the \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\" registry key. This activity is significant as it could be a sign of a threat actor trying to tamper with the audit policy configuration and disable the SACL configuration. If confirmed malicious, this behavior could allow attackers to bypass defenses and plan further attacks, potentially leading to full machine compromise or lateral movement.","The following analytic detects modifications to undocumented registry keys that allow a DLL to load into lsass.exe, potentially capturing credentials. It leverages the Endpoint.Registry data model to identify changes to \\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt or \\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt. This activity is significant as it indicates a possible attempt to inject malicious code into the Local Security Authority Subsystem Service (LSASS), which can lead to credential theft. 
If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information and escalate privileges within the environment.","The following analytic detects modifications to Windows registry values that disable Google Chrome auto-updates.\nChanges to values such as DisableAutoUpdateChecksCheckboxValue = 1, Update{8A69D345-D564-463C-AFF1-A69D9E530F96} = 0, UpdateDefault = 0, and AutoUpdateCheckPeriodMinutes = 0 can prevent Chrome from receiving security updates.\nThis behavior may indicate attempts to bypass update policies, maintain unauthorized extensions, or facilitate malware persistence.\nMonitoring these registry changes helps identify potential policy violations or malicious activity targeting browser security.","The following analytic detects modifications to the Windows registry keys that control the Chrome Extension Install Allowlist. Unauthorized changes to these keys may indicate attempts to bypass Chrome extension restrictions or install unapproved extensions. This detection helps identify potential security policy violations or malicious activity targeting Chrome extension settings.","This detection identifies suspicious modifications to the Windows Compatibility Telemetry registry settings, specifically within the \"TelemetryController\" registry key and \"Command\" registry value. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant because CompatTelRunner.exe and the \"Microsoft Compatibility Appraiser\" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.","The following analytic detects modifications to the Windows Defender exclusion registry entries. 
It leverages endpoint registry data to identify changes in the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\". This activity is significant because adversaries often modify these entries to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.","The following analytic detects a suspicious registry modification that disables the Change Password feature on a Windows host. It identifies changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" with a value of \"0x00000001\". This activity is significant as it can prevent users from changing their passwords, a tactic often used by ransomware to maintain control over compromised systems. If confirmed malicious, this could hinder user response to an attack, allowing the attacker to persist and potentially escalate their access within the network.","The following analytic detects a suspicious registry modification that disables the Lock Computer feature in Windows. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" with a value of \"0x00000001\". This activity is significant because it prevents users from locking their screens, a tactic often used by malware, including ransomware, to maintain control over compromised systems. If confirmed malicious, this could allow attackers to sustain their presence and execute further malicious actions without user interruption.","The following analytic detects a suspicious registry modification that disables the logoff feature on a Windows host. 
It leverages data from the Endpoint.Registry data model to identify changes to specific registry values associated with logoff functionality. This activity is significant because it can indicate ransomware attempting to make the compromised host unusable and hinder remediation efforts. If confirmed malicious, this action could prevent users from logging off, complicate incident response, and allow attackers to maintain persistence and control over the affected system.","The following analytic detects attempts to disable the memory crash dump feature on Windows systems by setting the registry value to 0. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the CrashDumpEnabled registry key. This activity is significant because disabling crash dumps can hinder forensic analysis and incident response efforts. If confirmed malicious, this action could be part of a broader attack strategy, such as data destruction or system destabilization, as seen with HermeticWiper, potentially leading to significant operational disruptions and data loss.","The following analytic detects the modification of the Windows registry to disable the Notification Center on a host machine. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableNotificationCenter\" registry value set to \"0x00000001.\" This activity is significant because disabling the Notification Center can be a tactic used by RAT malware to hide its presence and subsequent actions. If confirmed malicious, this could allow an attacker to operate stealthily, potentially leading to further system compromise and data exfiltration.","The following analytic detects suspicious registry modifications that disable the shutdown button on a user's logon screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with shutdown policies. 
This activity is significant because it is a tactic used by malware, particularly ransomware like KillDisk, to hinder system usability and prevent the removal of malicious changes. If confirmed malicious, this could impede system recovery efforts, making it difficult to restart the machine and remove other harmful modifications.","The following analytic detects suspicious registry modifications aimed at disabling Windows Group Policy features. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values associated with disabling key Windows functionalities. This activity is significant because it is commonly used by ransomware to hinder mitigation and forensic response efforts. If confirmed malicious, this behavior could severely impair the ability of security teams to analyze and respond to the attack, allowing the attacker to maintain control and persist within the compromised environment.","The following analytic detects the Windows Registry value \"DisableAntiSpyware\" being modified to disable Windows Defender. This detection leverages data from the Endpoint.Registry datamodel, specifically looking for the registry value name \"DisableAntiSpyware\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with Ryuk ransomware infections, indicating potential malicious intent to disable Windows Defender. If confirmed malicious, this action could allow attackers to disable critical security defenses, facilitating further malicious activities such as data encryption, exfiltration, or additional system compromise.","The following analytic detects the creation of a new DWORD value named \"EnableAt\" in the registry path \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\". This modification enables the use of the at.exe or WMI Win32_ScheduledJob commands to add scheduled tasks on a Windows endpoint. 
The detection leverages registry event data from the Endpoint datamodel. This activity is significant because it may indicate that an attacker is enabling the ability to schedule tasks, potentially to execute malicious code at specific times or intervals. If confirmed malicious, this could allow persistent code execution on the system.","The following analytic detects suspicious registry modifications aimed at hiding common Windows notification features on a compromised host. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant as it is often used by ransomware to obscure visual indicators, increasing the impact of the attack. If confirmed malicious, this could prevent users from noticing critical system alerts, thereby aiding the attacker in maintaining persistence and furthering their malicious activities undetected.","The following analytic detects modifications to the Windows registry that change the health check interval of Windows Defender. It leverages data from the Endpoint datamodel, specifically monitoring changes to the \"ServiceKeepAlive\" registry path with a value of \"0x00000001\". This activity is significant because altering Windows Defender settings can impair its ability to perform timely health checks, potentially leaving the system vulnerable. If confirmed malicious, this could allow an attacker to disable or delay security scans, increasing the risk of undetected malware or other malicious activities.","The following analytic detects modifications to the Windows registry that change the Windows Defender Quick Scan Interval. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"QuickScanInterval\" registry path. This activity is significant because altering the scan interval can impair Windows Defender's ability to detect malware promptly, potentially allowing threats to persist undetected. 
If confirmed malicious, this modification could enable attackers to bypass security measures, maintain persistence, and execute further malicious activities without being detected by quick scans.","The following analytic detects modifications to the ThrottleDetectionEventsRate registry setting in Windows Defender. It leverages data from the Endpoint.Registry datamodel to identify changes in the registry path related to Windows Defender's event logging rate. This activity is significant because altering the ThrottleDetectionEventsRate can reduce the frequency of logged detection events, potentially masking malicious activities. If confirmed malicious, this could allow an attacker to evade detection by decreasing the visibility of security events, thereby hindering incident response and forensic investigations.","The following analytic detects modifications to the Windows registry specifically targeting the \"WppTracingLevel\" setting within Windows Defender. This detection leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Defender tracing levels. Such modifications are significant as they can impair the diagnostic capabilities of Windows Defender, potentially hiding malicious activities. If confirmed malicious, this activity could allow an attacker to evade detection and maintain persistence within the environment, leading to further compromise and data exfiltration.","The following analytic detects modifications to the Windows registry that disable the Windows Defender SmartScreen App Install Control feature. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values. This activity is significant because disabling App Install Control can allow users to install potentially malicious web-based applications without restrictions, increasing the risk of security vulnerabilities. 
If confirmed malicious, this action could lead to the installation of harmful applications, potentially compromising the system and exposing sensitive information.","The following analytic detects modifications to the Windows Defender ThreatSeverityDefaultAction registry setting. It leverages data from the Endpoint.Registry datamodel to identify changes in registry values that define how Windows Defender responds to threats. This activity is significant because altering these settings can impair the system's defense mechanisms, potentially allowing threats to go unaddressed. If confirmed malicious, this could enable attackers to bypass antivirus protections, leading to persistent threats and increased risk of data compromise or further system exploitation.","The following analytic detects the deletion of the Windows Defender context menu entry from the registry. It leverages data from the Endpoint datamodel, specifically monitoring registry actions where the path includes \"*\\\\shellex\\\\ContextMenuHandlers\\\\EPP\" and the action is 'deleted'. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to disable security features. If confirmed malicious, this could allow an attacker to impair defenses, facilitating further malicious activities such as unauthorized access, persistence, and data exfiltration.","The following analytic detects the deletion of the Windows Defender main profile registry key. It leverages data from the Endpoint.Registry datamodel, specifically monitoring for deleted actions within the Windows Defender registry path. This activity is significant as it indicates potential tampering with security defenses, often associated with Remote Access Trojans (RATs) and other malware. 
If confirmed malicious, this action could allow an attacker to disable Windows Defender, reducing the system's ability to detect and respond to further malicious activities, thereby compromising endpoint security.","The following analytic detects modifications in the Windows registry by the AppLocker utility that deny the execution of various security products. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values indicating a \"Deny\" action against known antivirus and security software. This activity is significant as it may indicate an attempt to disable security defenses, a tactic observed in malware like Azorult. If confirmed malicious, this could allow attackers to bypass security measures, facilitating further malicious activities and persistence within the environment.","The following analytic detects a modification in the Windows registry that disables the Windows Defender Controlled Folder Access feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableControlledFolderAccess registry setting. This activity is significant because Controlled Folder Access is designed to protect critical folders from unauthorized access, including ransomware attacks. If this activity is confirmed malicious, it could allow attackers to bypass a key security feature, potentially leading to unauthorized access or modification of sensitive files.","The following analytic detects modifications in the Windows registry to disable firewall and network protection settings within Windows Defender Security Center. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the UILockdown registry value. This activity is significant as it may indicate an attempt to impair system defenses, potentially restricting users from modifying firewall or network protection settings. 
If confirmed malicious, this could allow an attacker to weaken the system's security posture, making it more vulnerable to further attacks and unauthorized access.","The following analytic detects modifications to the Windows registry that disable the Windows Defender protocol recognition feature. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableProtocolRecognition\" setting. This activity is significant because disabling protocol recognition can hinder Windows Defender's ability to detect and respond to malware or suspicious software. If confirmed malicious, this action could allow an attacker to bypass antivirus defenses, facilitating further malicious activities such as data exfiltration or system compromise.","The following analytic detects a modification in the Windows registry to disable Windows Defender PUA protection by setting PUAProtection to 0. This detection leverages data from the Endpoint.Registry datamodel, focusing on registry path changes related to Windows Defender. Disabling PUA protection is significant as it reduces defenses against Potentially Unwanted Applications (PUAs), which, while not always malicious, can negatively impact user experience and security. If confirmed malicious, this activity could allow an attacker to introduce adware, browser toolbars, or other unwanted software, potentially compromising system integrity and user productivity.","The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender signature updates. This activity is significant because disabling real-time signature delivery can prevent Windows Defender from receiving timely malware definitions, reducing its effectiveness. 
If confirmed malicious, this action could allow attackers to bypass malware detection, leading to potential system compromise and persistent threats.","The following analytic detects modifications to the Windows registry entry \"EnableWebContentEvaluation\" to disable Windows Defender web content evaluation. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes where the registry value is set to \"0x00000000\". This activity is significant as it indicates an attempt to impair browser security features, potentially allowing malicious web content to bypass security checks. If confirmed malicious, this could lead to users interacting with harmful scripts or unsafe web elements, increasing the risk of system exploitation and security breaches.","The following analytic detects modifications to the Windows registry that disable Windows Defender Application Guard auditing. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because disabling auditing can hinder security monitoring and threat detection within the isolated environment, making it easier for malicious activities to go unnoticed. If confirmed malicious, this action could allow attackers to bypass Windows Defender protections, potentially leading to unauthorized access, data exfiltration, or further system compromise.","The following analytic detects modifications to the Windows registry that disable Windows Defender's file hash computation by setting the EnableFileHashComputation value to 0. This detection leverages data from the Endpoint.Registry data model, focusing on changes to the specific registry path associated with Windows Defender. Disabling file hash computation can significantly impair Windows Defender's ability to detect and scan for malware, making it a critical behavior to monitor. 
If confirmed malicious, this activity could allow attackers to bypass Windows Defender, facilitating undetected malware execution and persistence in the environment.","The following analytic detects modifications in the Windows registry to disable Windows Defender generic reports. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"DisableGenericRePorts\" registry value. This activity is significant as it can prevent the transmission of error reports to Microsoft's Windows Error Reporting service, potentially hiding malicious activities. If confirmed malicious, this action could allow attackers to bypass Windows Defender detections, reducing the visibility of their activities and increasing the risk of undetected system compromise.","The following analytic detects modifications to the Windows registry that disable Windows Defender Network Protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the EnableNetworkProtection registry entry. This activity is significant because disabling Network Protection can leave the system vulnerable to network-based threats by preventing Windows Defender from analyzing and blocking malicious network activity. If confirmed malicious, this action could allow attackers to bypass security measures, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.","The following analytic detects modifications to the Windows registry that disable Windows Defender's infection reporting. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"DontReportInfectionInformation\" registry key. This activity is significant because it can prevent Windows Defender from reporting detailed threat information to Microsoft, potentially allowing malware to evade detection. 
If confirmed malicious, this action could enable attackers to bypass security measures, maintain persistence, and avoid detection, leading to prolonged unauthorized access and potential data breaches.","The following analytic detects modifications to the Windows registry that disable the Windows Defender Scan On Update feature. It leverages data from the Endpoint.Registry datamodel, specifically looking for changes to the \"DisableScanOnUpdate\" registry setting with a value of \"0x00000001\". This activity is significant because disabling automatic scans can leave systems vulnerable to malware and other threats. If confirmed malicious, this action could allow attackers to bypass Windows Defender, facilitating further compromise and persistence within the environment.","The following analytic detects modifications to the Windows registry that disable Windows Defender Signature Retirement. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the DisableSignatureRetirement registry setting. This activity is significant because disabling signature retirement can prevent Windows Defender from removing outdated antivirus signatures, potentially reducing its effectiveness in detecting threats. If confirmed malicious, this action could allow an attacker to evade detection by using older, less relevant signatures, thereby compromising the system's security posture.","The following analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter. It leverages data from the Endpoint.Registry data model, focusing on changes to specific registry values related to Microsoft Edge's phishing filter settings. This activity is significant because disabling the phishing filter can allow attackers to deceive users into visiting malicious websites without triggering browser warnings. 
If confirmed malicious, this could lead to users unknowingly accessing harmful sites, resulting in potential security incidents or data compromises.","The following analytic detects modifications to the Windows registry that override the Windows Defender SmartScreen prompt. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"PreventSmartScreenPromptOverride\" registry setting. This activity is significant because it indicates an attempt to disable the prevention of user overrides for SmartScreen prompts, potentially allowing users to bypass security warnings. If confirmed malicious, this could lead to users inadvertently executing or accessing harmful content, increasing the risk of security incidents or system compromises.","The following analytic detects modifications to the Windows registry that set the Windows Defender SmartScreen level to \"warn.\" This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ShellSmartScreenLevel registry value. This activity is significant because altering SmartScreen settings to \"warn\" can reduce immediate suspicion from users, allowing potentially malicious executables to run with just a warning prompt. If confirmed malicious, this could enable attackers to execute harmful files, increasing the risk of successful malware deployment and subsequent system compromise.","The following analytic detects the disabling of an AutoLogger session or one of its providers by identifying changes to the Registry values \"Start\" and \"Enabled\" that are part of the \"\\WMI\\Autologger\\\" key path. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as attackers and adversaries can leverage this in order to evade defenses and blind EDRs and log-ingestion tooling. 
If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint.","The following analytic detects modifications to the registry related to the disabling of autostart functionality for certain antivirus products, such as Kingsoft and Tencent. Malware like ValleyRAT may alter specific registry keys to prevent these security tools from launching automatically at startup, thereby weakening system defenses. By monitoring changes in the registry entries associated with antivirus autostart settings, this detection enables security analysts to identify attempts to disable protective software. Detecting these modifications early is critical for maintaining system integrity and preventing further compromise by malicious actors.","The following analytic detects the disabling of Hypervisor-protected Code Integrity (HVCI) by monitoring changes in the Windows registry. It leverages data from the Endpoint datamodel, specifically focusing on registry paths and values related to HVCI settings. This activity is significant because HVCI helps protect the kernel and system processes from tampering by malicious code. If confirmed malicious, disabling HVCI could allow attackers to execute unsigned kernel-mode code, potentially leading to kernel-level rootkits or other severe security breaches.","The following analytic detects the disabling of Windows Defender logging by identifying changes to the Registry keys DefenderApiLogger or DefenderAuditLogger set to disable. It leverages data from the Endpoint.Registry datamodel to monitor specific registry paths and values. This activity is significant as it is commonly associated with Remote Access Trojan (RAT) malware attempting to evade detection. 
If confirmed malicious, this action could allow an attacker to conceal their activities, making it harder to detect further malicious actions and maintain persistence on the compromised endpoint.","The following analytic detects the creation or modification of registry keys associated with new Outlook form installations, potentially indicating exploitation of CVE-2024-21378. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths involving InProcServer32 keys linked to Outlook forms. This activity is significant as it may signify an attempt to achieve authenticated remote code execution via malicious form objects. If confirmed malicious, this could allow an attacker to create arbitrary files and registry keys, leading to remote code execution and potential full system compromise.","The following analytic detects modifications to the Windows registry related to the Local Security Authority (LSA) NoLMHash setting. It identifies when the registry value is set to 0, indicating that the system will store passwords in the weaker Lan Manager (LM) hash format. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring this activity is crucial as it can indicate attempts to weaken password storage security. If confirmed malicious, this could allow attackers to exploit weaker LM hashes, potentially leading to unauthorized access and credential theft.","The following analytic detects modifications to the Windows registry key \"AuthenticationLevelOverride\" within the Terminal Server Client settings. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry value is set to 0x00000000. This activity is significant as it may indicate an attempt to override authentication levels for remote connections, a tactic used by DarkGate malware for malicious installations. 
If confirmed malicious, this could allow attackers to gain unauthorized remote access, potentially leading to data exfiltration or further system compromise.","The following analytic identifies a suspicious modification to the Windows auto update configuration registry. It detects changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" with a value of \"0x00000000\". This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and exploitation of zero-day vulnerabilities.","The following analytic detects a suspicious modification to the Windows registry that changes the auto-update notification setting to \"Notify before download.\" This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is a known technique used by adversaries, including malware like RedLine Stealer, to evade detection and potentially deploy additional payloads. If confirmed malicious, this modification could allow attackers to bypass security measures, maintain persistence, and exploit vulnerabilities on the target host.","This analytic is developed to detect suspicious registry modifications targeting BitLocker settings. The malware ShrinkLocker alters various registry keys to change how BitLocker handles encryption, potentially bypassing TPM requirements, enabling BitLocker without TPM, and enforcing specific startup key and PIN configurations. Such modifications can weaken system security, making it easier for unauthorized access and data breaches. 
Detecting these changes is crucial for maintaining robust encryption and data protection.","The following analytic detects suspicious modifications to the Windows registry's default icon settings, a technique associated with Lockbit ransomware. It leverages data from the Endpoint Registry data model, focusing on changes to registry paths under \"*HKCR\\\\*\\\\defaultIcon\\\\(Default)*\". This activity is significant as it is uncommon for normal users to modify these settings, and such changes can indicate ransomware infection or other malware. If confirmed malicious, this could lead to system defacement and signal a broader ransomware attack, potentially compromising sensitive data and system integrity.","This analytic is developed to detect suspicious registry modifications that disable Remote Desktop Protocol (RDP) by altering the \"fDenyTSConnections\" key. Changing this key's value to 1 prevents remote connections, which can disrupt remote management and access. Such modifications could indicate an attempt to hinder remote administration or isolate the system from remote intervention, potentially signifying malicious activity.","The following analytic detects modifications to the Windows registry entry \"DisableRestrictedAdmin,\" which controls the Restricted Admin mode behavior. This detection leverages registry activity logs from endpoint data sources like Sysmon or Carbon Black. Monitoring this activity is crucial as changes to this setting can disable a security feature that limits credential exposure during remote connections. If confirmed malicious, an attacker could weaken security controls, increasing the risk of credential theft and unauthorized access to sensitive systems.","The following analytic detects modifications to the Windows registry that disable toast notifications. 
It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" with a value set to \"0x00000000\". This activity is significant because disabling toast notifications can prevent users from receiving critical system and application updates, which adversaries like Azorult exploit for defense evasion. If confirmed malicious, this action could allow attackers to operate undetected, leading to prolonged persistence and potential further compromise of the system.","The following analytic detects modifications to the Windows registry that disable the Windows Defender raw write notification feature. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path associated with Windows Defender's real-time protection settings. This activity is significant because disabling raw write notifications can allow malware, such as Azorult, to bypass Windows Defender's behavior monitoring, potentially leading to undetected malicious activities. If confirmed malicious, this could enable attackers to execute code, persist in the environment, and access sensitive information without detection.","The following analytic detects a suspicious registry modification aimed at disabling Windows Defender notifications. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" with a value of \"0x00000001\". This activity is significant as it indicates an attempt to evade detection by disabling security alerts, a technique used by adversaries and malware like RedLine Stealer. 
If confirmed malicious, this could allow attackers to operate undetected, increasing the risk of further compromise and data exfiltration.","The following analytic detects modifications to the Windows registry aimed at disabling Windows Security Center notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" with a value of \"0x00000000\". This activity is significant as it can indicate an attempt by adversaries or malware, such as Azorult, to evade defenses by suppressing critical update notifications. If confirmed malicious, this could allow attackers to persist undetected, potentially leading to further exploitation and compromise of the host system.","The following analytic detects modifications to the Windows registry key \"DisableRemoteDesktopAntiAlias\" with a value set to 0x00000001. This detection leverages data from the Endpoint datamodel, specifically monitoring changes in the Registry node. This activity is significant as it may indicate the presence of DarkGate malware, which alters this registry setting to enhance its remote desktop capabilities. If confirmed malicious, this modification could allow an attacker to maintain persistence and control over the compromised host, potentially leading to further exploitation and data exfiltration.","The following analytic detects modifications to the Windows registry that disable security settings for Terminal Services. It leverages the Endpoint data model, specifically monitoring changes to the registry path associated with Terminal Services security settings. This activity is significant because altering these settings can weaken the security posture of Remote Desktop Services, potentially allowing unauthorized remote access. 
If confirmed malicious, such modifications could enable attackers to gain persistent remote access to the system, facilitating further exploitation and data exfiltration.","The following analytic detects modifications in the Windows registry to disable Windows Error Reporting (WER) settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to registry paths related to WER with a value set to \"0x00000001\". This activity is significant as adversaries may disable WER to suppress error notifications, hiding the presence of malicious activities. If confirmed malicious, this could allow attackers to operate undetected, potentially leading to prolonged persistence and further exploitation within the environment.","The following analytic detects modifications to the Windows registry aimed at preventing the execution of specific computer programs. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" with a value of \"0x00000001\". This activity is significant as it can indicate an attempt to disable security tools, a tactic used by malware like Azorult. If confirmed malicious, this could allow an attacker to evade detection and maintain persistence on the compromised host.","The following analytic detects a suspicious modification to the Windows registry that disables automatic updates. It leverages data from the Endpoint datamodel, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" with a value of \"0x00000001\". This activity is significant as it can be used by adversaries, including malware like RedLine Stealer, to evade detection and prevent the system from receiving critical updates. 
If confirmed malicious, this could allow attackers to exploit vulnerabilities, persist in the environment, and potentially deploy additional payloads.","The following analytic detects modifications to the Windows Error Reporting registry key \"DontShowUI\" to suppress error reporting dialogs. It leverages data from the Endpoint datamodel's Registry node to identify changes where the registry value is set to 0x00000001. This activity is significant as it is commonly associated with DarkGate malware, which uses this modification to avoid detection during its installation. If confirmed malicious, this behavior could allow attackers to maintain a low profile, avoiding user alerts and potentially enabling further malicious activities without user intervention.","The following analytic detects a suspicious modification to the Windows registry setting for EnableLinkedConnections. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry path is \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections\" and the value is set to \"0x00000001\". This activity is significant because enabling linked connections can allow network shares to be accessed with both standard and administrator-level privileges, a technique often abused by malware like BlackByte ransomware. If confirmed malicious, this could lead to unauthorized access to sensitive network resources, escalating the attacker's privileges.","The following analytic detects a modification to the Windows registry setting \"LongPathsEnabled,\" which allows file paths longer than 260 characters. This detection leverages data from the Endpoint.Registry datamodel, focusing on changes to the specific registry path and value. This activity is significant because adversaries, including malware like BlackByte, exploit this setting to bypass file path limitations, potentially aiding in evasion techniques. 
If confirmed malicious, this modification could facilitate the execution of long-path payloads, aiding in persistence and further system compromise.","The following analytic identifies a suspicious modification of the Windows registry setting for max connections per server. It detects changes to specific registry paths using data from the Endpoint.Registry datamodel. This activity is significant because altering this setting can be exploited by attackers to increase the number of concurrent connections to a remote server, potentially facilitating DDoS attacks or enabling more effective lateral movement within a compromised network. If confirmed malicious, this could lead to network disruption or further compromise of additional systems.","The following analytic detects a suspicious modification to the Windows registry that disables automatic reboot with a logged-on user. This detection leverages the Endpoint data model to identify changes to the registry path `SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security measures and deploy additional payloads without interruption.","The following analytic identifies a suspicious modification to the Windows registry that disables automatic updates. It detects changes to the registry path `SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. 
If confirmed malicious, this could allow attackers to bypass security updates, leaving the system vulnerable to further exploitation and potential zero-day attacks.","The following analytic detects modifications to the Windows registry aimed at preventing wallpaper changes. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"NoChangingWallPaper\" registry value. This activity is significant as it is a known tactic used by Rhysida ransomware to enforce a malicious wallpaper, thereby limiting user control over system settings. If confirmed malicious, this registry change could indicate a ransomware infection, leading to further system compromise and user disruption.","This analytic is developed to detect suspicious registry modifications targeting the \"scforceoption\" key. Altering this key enforces smart card login for all users, potentially disrupting normal access methods. Unauthorized changes to this setting could indicate an attempt to restrict access or force a specific authentication method, possibly signifying malicious intent to manipulate system security protocols.","The following analytic detects modifications to the Windows registry key \"ProxyEnable\" to enable proxy settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"Internet Settings\\ProxyEnable\" registry path. This activity is significant as it is commonly exploited by malware and adversaries to establish proxy communication, potentially connecting to malicious Command and Control (C2) servers. If confirmed malicious, this could allow attackers to redirect network traffic through a proxy, facilitating unauthorized communication and data exfiltration, thereby compromising the security of the affected host.","The following analytic detects modifications to the Windows registry key for setting up a proxy server. 
It leverages data from the Endpoint.Registry datamodel, focusing on changes to the \"Internet Settings\\\\ProxyServer\" registry path. This activity is significant as it can indicate malware or adversaries configuring a proxy to facilitate unauthorized communication with Command and Control (C2) servers. If confirmed malicious, this could allow attackers to establish persistent, covert channels for data exfiltration or further exploitation of the compromised host.","The following analytic detects modifications in the Windows registry to suppress Windows Defender notifications. It leverages data from the Endpoint.Registry datamodel, specifically targeting changes to the \"Notification_Suppress\" registry value. This activity is significant because adversaries, including those deploying Azorult malware, use this technique to bypass Windows Defender and disable critical notifications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, and execute further malicious activities without alerting the user or security tools.","The following analytic detects a suspicious modification to the Windows Defender Tamper Protection registry setting. It leverages data from the Endpoint datamodel, specifically targeting changes where the registry path is set to disable Tamper Protection. This activity is significant because disabling Tamper Protection can allow adversaries to make further undetected changes to Windows Defender settings, potentially leading to reduced security on the system. If confirmed malicious, this could enable attackers to evade detection, persist in the environment, and execute further malicious activities without interference from Windows Defender.","The following analytic detects a potential addition or modification of firewall rules, signaling possible configuration changes or security policy adjustments. 
It tracks commands such as netsh advfirewall firewall add rule and netsh advfirewall firewall set rule, which may indicate attempts to alter network access controls. Monitoring these actions ensures the integrity of firewall settings and helps prevent unauthorized network access.","The following analytic detects a suspicious modification to the Windows Update configuration registry key, specifically targeting the UpdateServiceUrlAlternate setting. It leverages data from the Endpoint.Registry datamodel to identify changes to this registry path. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to redirect update services, potentially leading to the execution of malicious code, further system compromise, and persistent evasion of security defenses.","The following analytic detects a suspicious modification to the Windows Update configuration registry key \"UseWUServer.\" It leverages data from the Endpoint.Registry data model to identify changes where the registry value is set to \"0x00000001.\" This activity is significant because it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit zero-day vulnerabilities. If confirmed malicious, this modification could allow attackers to evade defenses, persist on the target host, and deploy additional malicious payloads.","The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier associations to bypass the User Account Control (UAC) Windows OS feature. ValleyRAT may create or alter registry entries to associate targeted ProgIDs, like `.pwn` files, with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. 
By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.","The following analytic detects modifications to the registry related to ValleyRAT C2 configuration. Specifically, it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server. This activity is a key indicator of ValleyRAT attempting to establish persistent communication with its C2 infrastructure. By identifying these unauthorized registry modifications, security analysts can quickly detect malicious configurations and investigate the associated threats. Early detection of these changes helps prevent further exploitation and limits the malware’s ability to exfiltrate data or control infected systems.","The following analytic detects modifications to the Windows Registry specifically targeting `.pwn` file associations related to the ValleyRAT malware. ValleyRAT may create or alter registry entries to associate `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to `.pwn` extensions, this detection enables security analysts to identify potential ValleyRAT infection attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.","The following analytic detects potentially malicious registry modifications characterized by MD5-like registry key names. It leverages the Endpoint data model to identify registry entries under the SOFTWARE path with 32-character hexadecimal names, a technique often used by NjRAT malware for fileless storage of keylogs and .DLL plugins. 
This activity is significant as it can indicate the presence of NjRAT or similar malware, which can lead to unauthorized data access and persistent threats within the environment. If confirmed malicious, attackers could maintain persistence and exfiltrate sensitive information.","The following analytic detects suspicious modifications to the Windows Update Server (WUServer) registry settings. It leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Update configurations. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this registry modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.","The following analytic identifies suspicious modifications to the Windows Update configuration registry, specifically targeting the WUStatusServer key. It leverages data from the Endpoint datamodel to detect changes in the registry path associated with Windows Update settings. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.","The following analytic detects suspicious modifications to the Windows registry keys related to file compression color and information tips. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"ShowCompColor\" and \"ShowInfoTip\" values under the \"Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\" path. 
This activity is significant as it was observed in the Hermetic Wiper malware, indicating potential malicious intent to alter file attributes and user interface elements. If confirmed malicious, this could signify an attempt to manipulate file visibility and deceive users, potentially aiding in further malicious activities.","The following analytic detects the execution of mshta.exe via registry entries to run malicious scripts. It leverages registry activity logs to identify entries containing \"mshta,\" \"javascript,\" \"vbscript,\" or \"WScript.Shell.\" This behavior is significant as it indicates potential fileless malware, such as Kovter, which uses encoded scripts in the registry to persist and execute without files. If confirmed malicious, this activity could allow attackers to maintain persistence, execute arbitrary code, and evade traditional file-based detection methods, posing a significant threat to system integrity and security.","The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"CustomSD\" value within the \"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Eventlog\\<Channel>\\CustomSD\" path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting and interacting with event logs.","The following analytic detects registry changes to the default file association value. It leverages data from the Endpoint data model, specifically monitoring registry paths under \"HKCR\\\\*\\\\shell\\\\open\\\\command\\\\*\". 
This activity can be significant because attackers might alter the default file associations in order to execute arbitrary scripts or payloads when a user opens a file, leading to potential code execution. If confirmed malicious, this technique can enable attackers to persist on the compromised host and execute further malicious commands, posing a severe threat to the environment.","The following analytic detects the addition of new InProcServer32 registry keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel to identify changes in registry paths associated with InProcServer32. This activity is significant because malware often uses this mechanism to achieve persistence or execute malicious code by registering a new InProcServer32 key pointing to a harmful DLL. If confirmed malicious, this could allow an attacker to persist in the environment or execute arbitrary code, posing a significant threat to system integrity and security.","The following analytic detects suspicious registry modifications indicative of NjRat's fileless storage technique. It leverages the Endpoint.Registry data model to identify specific registry paths and values commonly used by NjRat for keylogging and executing DLL plugins. This activity is significant as it helps evade traditional file-based detection systems, making it crucial for SOC analysts to monitor. If confirmed malicious, this behavior could allow attackers to persist on the host, execute arbitrary code, and capture sensitive keystrokes, leading to potential data breaches and further system compromise.","The following analytic detects the modification of the Windows Registry key \"PONT_STRING\" under Outlook Options. This disables certain dialog popups, which could allow malicious scripts to run without notice. This detection leverages data from the Endpoint.Registry datamodel to search for this key changing from an unusual process. 
This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.","The following analytic detects the modification of the Windows Registry key \"LoadMacroProviderOnBoot\" under Outlook. This enables automatic loading of macros, which could allow malicious scripts to run without notice. This detection leverages data from the Endpoint.Registry datamodel to search for this key being enabled. This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.","The following analytic detects the modification of the Windows Registry key \"Level\" under Outlook Security. This allows macros to execute without warning, which could allow malicious scripts to run without notice. This detection leverages data from the Endpoint.Registry datamodel, specifically looking for the registry value name \"Level\" with a value of \"0x00000001\". This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.","The following analytic identifies modifications to specific Outlook registry values related to WebView and Today features. It detects when a URL is set in these registry locations, which could indicate attempts to manipulate Outlook's web-based components. The analytic focuses on changes to the \"URL\" value within Outlook's WebView and Today registry paths. This activity is significant as it may represent an attacker's effort to redirect Outlook's web content or inject malicious URLs. 
If successful, this technique could lead to phishing attempts, data theft, or serve as a stepping stone for further compromise of the user's email client and potentially sensitive information.","The following analytic detects the creation of registry artifacts when an ISO container is opened, clicked, or mounted on a Windows operating system. It leverages data from the Endpoint.Registry data model, specifically monitoring registry keys related to recent ISO or IMG file executions. This activity is significant as adversaries increasingly use container-based phishing campaigns to bypass macro-based document execution controls. If confirmed malicious, this behavior could indicate an initial access attempt, potentially leading to further exploitation, persistence, or data exfiltration within the environment.","The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp*\". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system.","This detection identifies the creation of registry keys under HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\, which occur when a user initiates a Remote Desktop Protocol (RDP) connection using the built-in Windows RDP client (mstsc.exe). These registry entries store information about previously connected remote hosts, including usernames and display settings. Their creation is a strong indicator that an outbound RDP session was initiated from the system. 
While the presence of these keys is normal during legitimate RDP use, their appearance can be used to track remote access activity, especially in environments where RDP is tightly controlled. In post-compromise scenarios, these artifacts may be created by threat actors using RDP for lateral movement or command-and-control. Monitoring the creation of these registry entries can help defenders detect initial use of RDP from a compromised host, particularly when correlated with unusual user behavior, logon patterns, or network activity.","The following analytic detects modifications to the BootExecute registry key, which manages applications and services executed during system boot. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\BootExecute\". This activity is significant because unauthorized changes to this key can indicate attempts to achieve persistence, load malicious code, or tamper with the boot process. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code at boot, or disrupt system operations.","The following analytic detects the installation of a root CA certificate by monitoring specific registry paths for SetValue events. It leverages data from the Endpoint datamodel, focusing on registry paths containing \"certificates\" and registry values named \"Blob.\" This activity is significant because unauthorized root CA certificates can compromise the integrity of encrypted communications and facilitate man-in-the-middle attacks. If confirmed malicious, this could allow an attacker to intercept, decrypt, or manipulate sensitive data, leading to severe security breaches.","The following analytic detects a registry modification that disables the ETW for the .NET Framework. 
It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the COMPlus_ETWEnabled registry value under the \"Environment\" registry key path for both user (HKCU\\Environment) and machine (HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment) scopes. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment.","The following analytic identifies modifications to the SafeBoot registry keys, specifically within the Minimal and Network paths. This detection leverages registry activity logs from endpoint data sources like Sysmon or EDR tools. Monitoring these keys is crucial as adversaries can use them to persist drivers or services in Safe Mode, with Network allowing network connections. If confirmed malicious, this activity could enable attackers to maintain persistence even in Safe Mode, potentially bypassing certain security measures and facilitating further malicious actions.","The following analytic detects suspiciously long data written to the Windows registry, a behavior often linked to fileless malware or persistence techniques. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on registry events with data lengths exceeding 512 characters. This activity is significant as it can indicate an attempt to evade traditional file-based defenses, making it crucial for SOC monitoring. If confirmed malicious, this technique could allow attackers to maintain persistence, execute code, or manipulate system configurations without leaving a conventional file footprint.","The following analytic detects modifications to the Windows Registry SIP Provider. 
It leverages Sysmon EventID 7 to monitor registry changes in paths and values related to Cryptography Providers and OID Encoding Types. This activity is significant as it may indicate an attempt to subvert trust controls, a common tactic for bypassing security measures and maintaining persistence. If confirmed malicious, an attacker could manipulate the system's cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Review the modified registry paths and concurrent processes to identify the attack source.","The following analytic detects the creation or modification of Windows registry entries related to the Remote Manipulator System (RMS) Remote Admin tool. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths containing \"SYSTEM\\\\Remote Manipulator System.\" This activity is significant because RMS, while legitimate, is often abused by adversaries, such as in the Azorult malware campaigns, to gain unauthorized remote access. If confirmed malicious, this could allow attackers to remotely control the targeted host, leading to potential data exfiltration, system manipulation, or further network compromise.","The following analytic detects modifications in the Windows registry to enable remote desktop assistance on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"Control\\\\Terminal Server\\\\fAllowToGetHelp\" registry path. This activity is significant because enabling remote assistance via registry is uncommon and often associated with adversaries or malware like Azorult. If confirmed malicious, this could allow an attacker to remotely access and control the compromised host, leading to potential data exfiltration or further system compromise.","The following analytic detects modifications in the Windows registry to enable Remote Desktop Protocol (RDP) on a targeted machine. 
It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"fDenyTSConnections\" registry value. This activity is significant as enabling RDP via registry is uncommon and often associated with adversaries or malware attempting to gain remote access. If confirmed malicious, this could allow attackers to remotely control the compromised host, potentially leading to further exploitation and lateral movement within the network.","This analytic identifies the modification of the Windows RemoteAccess Registry Entry.\nThis technique can be used by malware, adversaries, threat actors and red teamers to gain persistence on a system by tampering with the key to add a custom DLL to be loaded.\nThis technique was also observed to be used by Gh0st RAT malware.\nUpon seeing this behavior, it is recommended to review the system services events especially the remote access services.","The following analytic detects modifications to the Windows RunMRU registry key, which stores a history of commands executed through the Run dialog box (Windows+R). It leverages Endpoint Detection and Response (EDR) telemetry to monitor registry events targeting this key. This activity is significant as malware often uses the Run dialog to execute malicious commands while attempting to appear legitimate. If confirmed malicious, this could indicate an attacker using indirect command execution techniques for defense evasion or persistence. The detection excludes MRUList value changes to focus on actual command entries.","The following analytic detects the modification of registry keys that define Windows services using reg.exe. This detection leverages Splunk to search for specific keywords in the registry path, value name, and value data fields. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers. 
If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes.","The following analytic detects the deletion of a service from the Windows Registry under CurrentControlSet\\Services. It leverages data from the Endpoint.Registry datamodel, specifically monitoring registry paths and actions related to service deletion. This activity is significant as adversaries may delete services to evade detection and hinder incident response efforts. If confirmed malicious, this action could disrupt legitimate services, impair system functionality, and potentially allow attackers to maintain a lower profile within the environment, complicating detection and remediation efforts.","The following analytic detects attempts to modify the Windows Registry to change a network profile's category to \"Private\", which may indicate an adversary is preparing the environment for lateral movement or reducing firewall restrictions. Specifically, this activity involves changes to the Category value within the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{GUID} registry path. A value of 1 corresponds to a private network profile, which typically enables less restrictive firewall policies. While this action can occur during legitimate network configuration, it may also be a sign of malicious behavior when combined with other indicators such as suspicious account activity, unexpected administrative privilege usage, or execution of unsigned binaries. Monitoring for this registry modification—especially outside standard IT processes or correlated with persistence mechanisms—can help identify stealthy post-exploitation activity.","The following analytic identifies modifications to the registry path .wav\\\\OpenWithProgIds, associated with the Snake Malware campaign. 
It leverages data from the Endpoint.Registry datamodel to detect changes in this specific registry location. This activity is significant because Snake's WerFault.exe uses this registry path to decrypt an encrypted blob containing critical components like the AES key, IV, and paths for its kernel driver and loader. If confirmed malicious, this could allow the attacker to load and execute Snake's kernel driver, leading to potential system compromise and persistent access.","The following analytic detects modifications to the Windows registry under `SOFTWARE\\Microsoft\\Test`, a location rarely used by legitimate applications in a production environment. Monitoring this key is crucial, as adversaries may create or alter values here to track the malware's own updated file path, an updated configuration file, or a marker that the system is compromised. The detection leverages **Sysmon Event ID 13** (Registry Value Set) to identify unauthorized changes. Analysts should investigate processes associated with these modifications, particularly unsigned executables or suspicious command-line activity, as they may indicate malware or unauthorized software behavior.","The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.","Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes","Detects DNS queries made by \"AppInstaller.EXE\". 
The AppInstaller is the default handler for the \"ms-appinstaller\" URI. It attempts to load/install a package from the referenced URL","Detects DNS requests to Cloudflared tunnels domains.\nAttackers can abuse that feature to establish a reverse shell or persistence on a machine.","Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.\nThese include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.\nSuch DNS activity can indicate potential delivery or command-and-control communication attempts.","Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.","Detects DNS server discovery via LDAP query requests from uncommon applications","Detects a DNS query by a non browser process on the system to \"azurewebsites.net\". The latter was often used by threat actors as a malware hosting and exfiltration site.","Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.\nIn one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.\nSince the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.\nInvestigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.","Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.\nThis could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.","Detects Azure Hybrid Connection Manager services querying the Azure service bus service","Detects DNS queries containing patterns associated with 
Kerberos coercion attacks via DNS object spoofing.\nThe pattern \"1UWhRCAAAAA..BAAAA\" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.\nAttackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.\nIt is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records\nto spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.","Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons","Detects DNS queries for subdomains related to MEGA sharing website","Detects DNS query requests to \"update.onelaunch.com\". This domain is associated with the OneLaunch adware application.\nWhen the OneLaunch application is installed it will attempt to get updates from this domain.","Detects DNS queries initiated by \"QuickAssist.exe\" to Microsoft Quick Assist primary endpoint that is used to establish a session.","Detects DNS queries initiated by \"Regsvr32.exe\"","Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.","Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)","Detects DNS queries to an \".onion\" address related to Tor routing networks","Detects DNS queries to \"ufile.io\", which was seen abused by malware and threat actors as a method for data exfiltration","Detects DNS query requests to Visual Studio Code tunnel domains. 
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.","Detects DNS queries related to local LLM models on endpoints by monitoring Sysmon DNS query events (Event ID 22) for known LLM model domains and services.\nLocal LLM frameworks like Ollama, LM Studio, and GPT4All make DNS calls to repositories such as huggingface.co and ollama.ai for model downloads, updates, and telemetry.\nThese queries can reveal unauthorized AI tool usage or data exfiltration risks on corporate networks.","The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, OpenAI, and other popular providers of machine learning models and services. Monitoring these DNS requests is important because it can reveal when systems are accessing external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization’s environment. Detecting such activity enables organizations to enforce data governance policies, prevent unapproved use of external AI services, and maintain visibility into potential data exfiltration risks. Proactive monitoring provides better control over AI model usage and helps safeguard organizational data flows.","The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits for malicious purposes. If confirmed malicious, this could indicate an active data theft campaign targeting cryptocurrency wallets, browser credentials, and password manager archives. 
The detection focuses on identifying BitLockerToGo.exe execution patterns that deviate from normal system behavior.","The following analytic detects a process located in a potentially suspicious location making DNS queries to known URL shortening services, specifically tinyurl.\nURL shorteners are frequently used by threat actors to obfuscate malicious destinations, including phishing pages, malware distribution sites, or command-and-control (C2) endpoints.\nWhile tinyurl.com is a legitimate service, its use in enterprise environments—particularly by non-browser processes or scripts—should be considered suspicious, especially if correlated with subsequent outbound connections, file downloads, process file path or credential prompts. Analysts should investigate the source process, execution context, and destination domain to determine intent and risk.","The following analytic detects instances where vbc.exe, the Visual Basic Command Line Compiler, initiates DNS queries. Normally, vbc.exe operates locally to compile Visual Basic code and does not require internet access or to perform DNS lookups. Therefore, any observed DNS activity originating from vbc.exe is highly suspicious and indicative of potential malicious activity. This behavior often suggests that a malicious payload is masquerading as the legitimate vbc.exe process to establish command-and-control (C2) communication, resolve domains for data exfiltration, or download additional stages of malware. Security teams should investigate the process's parent, command-line arguments, and the resolved domains for further indicators of compromise.","The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. 
This activity is significant because it can indicate a potential compromise stemming from the 3CX supply chain attack, which is known for distributing malicious software through trusted updates. If confirmed malicious, this activity could allow attackers to establish a foothold in the network, exfiltrate sensitive data, or further propagate malware, leading to extensive damage and data breaches.","This detection identifies DNS queries to domains that match previously decommissioned S3 buckets. This activity is significant because attackers may attempt to recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.","The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the `Network_Resolution` data model and cross-references them with a lookup file containing known dynamic DNS providers. This activity is significant because attackers often use dynamic DNS services to host malicious payloads or command-and-control servers, making it crucial for security teams to monitor. If confirmed malicious, this activity could allow attackers to bypass firewall blocks, evade detection, and maintain persistent access to the network.","The following analytic detects DNS queries to domains associated with known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This detection is crucial as adversaries often use these tools to maintain access and control over compromised environments. 
Identifying such behavior is vital for a Security Operations Center (SOC) because unauthorized remote access can lead to data breaches, ransomware attacks, and other severe impacts if these threats are not mitigated promptly.","Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication such as in CVE-2025-33073. This detection leverages suricata looking for specific CREDENTIAL_TARGET_INFORMATION structures in DNS queries.","The following analytic identifies DNS queries with unusually large lengths by computing the standard deviation of query lengths and filtering those exceeding two times the standard deviation. It leverages DNS query data from the Network_Resolution data model, focusing on the length of the domain names being resolved. This activity is significant as unusually long DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to stealthily transfer data or maintain persistent communication channels within the network.","The following analytic detects DNS queries to common Ngrok domains, indicating potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution datamodel to identify queries to domains such as \"*.ngrok.com\" and \"*.ngrok.io\". While Ngrok usage is not inherently malicious, it has been increasingly adopted by adversaries for covert communication and data exfiltration. If confirmed malicious, this activity could allow attackers to bypass network defenses, establish persistent connections, and exfiltrate sensitive data, posing a significant threat to the network's security.","The following analytic detects a suspicious `rundll32.exe` process making HTTP connections and performing DNS queries to web domains. It leverages Sysmon EventCode 22 logs to identify these activities. 
This behavior is significant as it is commonly associated with IcedID malware, where `rundll32.exe` checks internet connectivity and communicates with C&C servers to download configurations and other components. If confirmed malicious, this activity could allow attackers to establish persistence, download additional payloads, and exfiltrate sensitive data, posing a severe threat to the network.","The following analytic detects a suspicious process making DNS queries to known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms. It leverages Sysmon EventID 22 logs to identify queries from processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate an attempt to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.","The following analytic identifies a process making a DNS query to Discord, excluding legitimate Discord application paths. It leverages Sysmon logs with Event ID 22 to detect DNS queries containing \"discord\" in the QueryName field. This activity is significant because Discord can be abused by adversaries to host and download malicious files, as seen in the WhisperGate campaign. If confirmed malicious, this could indicate malware attempting to download additional payloads from Discord, potentially leading to further code execution and compromise of the affected system.","The following analytic detects the wermgr.exe process attempting to connect to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS queries made by wermgr.exe to specific IP check services. This activity is significant because wermgr.exe is typically used for Windows error reporting, and its connection to these services may indicate malicious code injection, often associated with malware like Trickbot. 
If confirmed malicious, this behavior could allow attackers to recon the infected machine's IP address, aiding in further exploitation and evasion tactics.","The following analytic detects a suspicious process making DNS queries to known, abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon logs with Event ID 22, focusing on specific query names. This activity is significant as it may indicate an adversary attempting to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.","The following analytic detects the execution of a DNS query by a process to the associated Telegram API domain, which could indicate access via a Telegram bot commonly used by malware for command and control (C2) communications. By monitoring DNS queries related to Telegram's infrastructure, the detection identifies potential attempts to establish covert communication channels between a compromised system and external malicious actors. This behavior is often observed in cyberattacks where Telegram bots are used to receive commands or exfiltrate data, making it a key indicator of suspicious or malicious activity within a network.","The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like \"wtfismyip.com\" and \"ipinfo.io\". This activity is significant as it is commonly used by malware, such as Trickbot, for reconnaissance to determine the infected machine's IP address. 
If confirmed malicious, this could allow attackers to gather network information, aiding in further attacks or lateral movement within the network.","The following analytic identifies DNS queries to known TOR proxy websites, such as \"*.torproject.org\" and \"www.theonionrouter.com\". It leverages Sysmon EventCode 22 to detect these queries by monitoring DNS query events from endpoints. This activity is significant because adversaries often use TOR proxies to disguise the source of their malicious traffic, making it harder to trace their actions. If confirmed malicious, this behavior could indicate an attempt to obfuscate network traffic, potentially allowing attackers to exfiltrate data or communicate with command and control servers undetected.","The following analytic identifies suspicious Office documents that connect to non-Microsoft Office domains. It leverages Sysmon EventCode 22 to detect processes like winword.exe or excel.exe making DNS queries to domains outside of *.office.com or *.office.net. This activity is significant as it may indicate a spearphishing attempt using malicious documents to download or connect to harmful content. If confirmed malicious, this could lead to unauthorized data access, malware infection, or further network compromise.","Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.","Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence","Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence","Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence","Detects the deletion of a process's executable by itself. 
This is usually not possible without workarounds and may be used by malware to hide its traces.","Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence","Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence","Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence","Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence","Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.","Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)","Detects the deletion of the \"Zone.Identifier\" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.","The following analytic detects excessive file deletion events in the Windows Defender folder. It leverages Sysmon EventCodes 23 and 26 to identify processes deleting multiple files within this directory. This behavior is significant as it may indicate an attempt to corrupt or disable Windows Defender, a key security component. If confirmed malicious, this activity could allow an attacker to disable endpoint protection, facilitating further malicious actions without detection.","The following analytic detects the deletion of the ConsoleHost_history.txt file, which stores command history for PowerShell sessions. Attackers may attempt to remove this file to cover their tracks and evade detection during post-exploitation activities. 
This detection focuses on file deletion commands executed via PowerShell, Command Prompt, or scripting languages that specifically target ConsoleHost_history.txt, typically located at %APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt. Identifying such activity can help uncover potential anti-forensic behavior and suspicious administrative actions.","The following analytic identifies a suspicious process that is recursively deleting executable files on a compromised host. It leverages Sysmon Event Codes 23 and 26 to detect this activity by monitoring for a high volume of deletions or overwrites of files with extensions like .exe, .sys, and .dll. This behavior is significant as it is commonly associated with destructive malware such as CaddyWiper, DoubleZero, and SwiftSlicer, which aim to make file recovery impossible. If confirmed malicious, this activity could lead to significant data loss and system instability, severely impacting business operations.","This detection identifies the deletion of the Default.rdp file from a user’s Documents folder. This file is automatically created or updated by the Remote Desktop Connection client (mstsc.exe) whenever a user initiates an RDP session. It contains session configuration data, such as the remote hostname and display settings. While the presence of this file is normal during legitimate RDP usage, its deletion may indicate an attempt to conceal evidence of remote access activity. Threat actors and red team operators often remove Default.rdp as part of post-access cleanup to evade forensic detection. Detecting this action—especially when correlated with recent RDP activity—can help identify defense evasion techniques and uncover potentially malicious use of remote desktop connections. 
Monitoring for this file's deletion adds an important layer of visibility into user behavior and can serve as an early indicator of interactive attacker presence.","The following analytic identifies a high frequency of file deletions by monitoring Sysmon EventCodes 23 and 26 for specific file extensions. This detection leverages Sysmon logs to track deleted target filenames, process names, and process IDs. Such activity is significant as it often indicates ransomware behavior, where files are encrypted and the originals are deleted. If confirmed malicious, this activity could lead to extensive data loss and operational disruption, as ransomware can render critical files inaccessible, demanding a ransom for their recovery.","The following analytic identifies a suspicious process that deletes the Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when a file's Zone.Identifier stream is removed. This activity is significant because it is a common technique used by malware, such as Ave Maria RAT, to bypass security restrictions on files downloaded from the internet. If confirmed malicious, this behavior could allow an attacker to execute potentially harmful files without triggering security warnings, leading to further compromise of the system.","This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user’s AppData\\Roaming\\Microsoft\\Windows\\Recent directory. These files are part of the Windows Jump List feature, which records recently accessed files and folders tied to specific applications. Each .automaticDestinations-ms file corresponds to a program (e.g., Explorer, Word, Notepad) and can be valuable for forensic analysis of user activity. Adversaries may target this folder to erase evidence of their actions, such as which documents or directories were accessed during a session. 
This type of deletion is rarely seen during normal user activity and may indicate deliberate anti-forensic behavior. When correlated with suspicious logon events, RDP usage, or script execution, this activity may represent an attempt to cover tracks after data access, lateral movement, or staging for exfiltration. Detecting removal of these artifacts can highlight post-compromise cleanup efforts and help analysts reconstruct attacker behavior.","This detection identifies the deletion of RDP bitmap cache files—specifically .bmc and .bin files—typically stored in the user profile under the Terminal Server Client\\Cache directory. These files are created by the native Windows Remote Desktop Client (mstsc.exe) and store graphical elements from remote sessions to improve performance. Deleting these files may indicate an attempt to remove forensic evidence of RDP usage. While rare in legitimate user behavior, this action is commonly associated with defense evasion techniques used by attackers or red teamers who wish to hide traces of interactive remote access. When observed in conjunction with recent logon activity, RDP session indicators, or script execution, this behavior should be treated as potentially malicious. 
Monitoring for deletion of these files provides valuable visibility into anti-forensic actions that often follow lateral movement or hands-on-keyboard activity.","Detects an appx package that was added to the pipeline of the \"to be processed\" packages which was downloaded from a file sharing or CDN domain.","Detects an appx package that was added to the pipeline of the \"to be processed\" packages that is located in a known folder often used as a staging directory.","Detects an appx package that was added to the pipeline of the \"to be processed\" packages that is located in uncommon locations.","This analytic detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log. This event is generated when an MSIX/AppX package has been successfully installed on a system. While most package installations are legitimate, monitoring these events can help identify unauthorized or suspicious package installations, especially when correlated with other events such as unsigned package installations (EventID 603 with Flags=8388608) or full trust package installations (EventID 400 with HasFullTrust=true).","Detects potential use of Rubeus via registered new trusted logon process","Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.","Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs","Detects when the password policy is enumerated.","Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"","The following analytic detects instances where more than five unique Windows account passwords are changed within a 10-minute interval. 
It leverages Event Code 4724 from the Windows Security Event Log, using the wineventlog_security dataset to monitor and count distinct TargetUserName values. This behavior is significant as rapid password changes across multiple accounts are unusual and may indicate unauthorized access or internal compromise. If confirmed malicious, this activity could lead to widespread account compromise, unauthorized access to sensitive information, and potential disruption of services.","Detects activity when a member is removed from a security-enabled global group","Detects potential attempts made to set the Directory Services Restore Mode administrator password.\nThe Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.\nAttackers may change the password in order to obtain persistence.","The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security.","Detects svchost hosting RDP termsvcs communicating with the loopback address","Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986","Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)","Identifies the modification of a file creation time for executable files in sensitive system directories. 
Adversaries\nmay modify file time attributes to blend malicious executables with legitimate system files. Timestomping is a technique\nthat modifies the timestamps of a file often to mimic files that are in trusted directories.","Detects loading of known malicious drivers via their hash.","Detects loading of known malicious drivers via the file name of the drivers.","Detects driver load of the Process Hacker tool","Detects driver load of the System Informer tool","Detects a driver load from a temporary directory","Detects loading of known vulnerable drivers via their hash.","Detects the load of known vulnerable drivers via the file name of the drivers.","Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors","Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation","Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows","The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This activity is significant for a SOC as malicious drivers can be used to gain kernel-level access, bypass security controls, or persist in the environment. If confirmed malicious, this activity could allow an attacker to execute arbitrary code with high privileges, leading to severe system compromise and potential data exfiltration.","The following analytic detects the loading of drivers from suspicious paths, which is a technique often used by malicious software such as coin miners (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from non-standard directories. 
This activity is significant because legitimate drivers typically reside in specific system directories, and deviations may indicate malicious activity. If confirmed malicious, this could allow an attacker to execute code at the kernel level, potentially leading to privilege escalation, persistence, or further system compromise.","The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Sysmon EventCode 6 to identify driver loading events and cross-references them with a list of vulnerable drivers. This activity is significant as attackers often exploit vulnerable drivers to gain elevated privileges or maintain persistence on a system. If confirmed malicious, this could allow attackers to execute arbitrary code with high privileges, leading to further system compromise and potential data exfiltration.","The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining.","Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying to manipulate the configuration","Detects when an attacker tries to hide from Sysmon by disabling or stopping it","The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. 
This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. It's crucial to note that the accuracy and effectiveness of this detection heavily rely on the user's diligence in populating and regularly updating this lookup table. Any discrepancies between the event's GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges.","The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.","Detects the usage of the 'SeLoadDriverPrivilege' privilege. 
This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code into kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.","Detects anyone attempting a backup for the DPAPI Master Key. This event gets generated at the source and not the Domain Controller.","Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.","Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.","Detects an appx package deployment / installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements.","Detects a user log-off activity. Could be used for example to correlate information during forensic investigations","Detects certificate creation with template allowing risk permission subject","Detects certificate creation with template allowing risk permission subject and risky EKU","Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.","This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 in the Windows Security Event Log. Firewall rule modifications can indicate legitimate administrative actions, but they may also signal unauthorized changes, misconfigurations, or malicious activity such as attackers allowing traffic for backdoors or persistence mechanisms. 
By analyzing fields like RuleName, RuleId, Computer, and ProfileChanged, security teams can determine whether the change aligns with expected behavior. Correlating with user activity and process execution can help distinguish false positives from real threats, ensuring better visibility into potential security risks.","Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.","Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators","Detects when a rule has been added to the Windows Firewall exception list","Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.","Detects the addition of a new \"Allow\" firewall rule by the WMI process (WmiPrvSE.EXE).\nThis can occur if an attacker leverages PowerShell cmdlets such as \"New-NetFirewallRule\", or directly uses WMI CIM classes such as \"MSFT_NetFirewallRule\".","Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall","Detects application popup reporting a failure of the Sysmon service","Detect standard users login that are part of high privileged groups such as the Administrator group","Detects the creation of a new bits job by Bitsadmin","Detects the creation of a new bits job by PowerShell","focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads\nthat often undergo minimal changes by attackers due to bad opsec.","A General detection for specific decompress commands in PowerShell logs. 
This could be an adversary decompressing files.","Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance","Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers","A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.","Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.","Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below","Detects remote PowerShell sessions","The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.","Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.","Detect scenarios where a potentially unauthorized application or user is modifying the system time.","Addition of domains is seldom and should be verified for legitimacy.","The following analytic identifies instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. It leverages the wineventlog_security dataset, grouping data into 10-minute segments and tracking the count and distinct count of TargetUserName. 
This behavior is significant as it may indicate internal policy breaches or an external attacker's attempt to disrupt operations. If confirmed malicious, this activity could lead to widespread account lockouts, hindering user access and potentially disrupting business operations.","The following analytic detects the deletion of more than five unique Windows accounts within a 10-minute period, using Event Code 4726 from the Windows Security Event Log. It leverages the `wineventlog_security` dataset, segmenting data into 10-minute intervals to identify suspicious account deletions. This activity is significant as it may indicate an attacker attempting to erase traces of their actions. If confirmed malicious, this could lead to unauthorized access removal, hindering incident response and forensic investigations.","The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device. This activity is significant as it may indicate an attempt to gather information on user accounts, a common precursor to further malicious actions. If confirmed malicious, this behavior could allow an attacker to map out user accounts, potentially leading to privilege escalation or lateral movement within the network.","Detects locked workstation session events that occur automatically after a standard period of inactivity.","This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.","The following analytic detects when a new certificate is requested or granted against Active Directory Certificate Services (AD CS) using a Subject Alternative Name (SAN). 
It leverages Windows Security Event Codes 4886 and 4887 to identify these actions. This activity is significant because improperly configured certificate templates can be exploited for privilege escalation and environment compromise. If confirmed malicious, an attacker could gain elevated privileges or persist within the environment, potentially leading to unauthorized access to sensitive information and further exploitation.","The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because unauthorized certificate requests can be part of credential theft or lateral movement tactics. If confirmed malicious, an attacker could use the certificate to impersonate users, gain unauthorized access to resources, or establish persistent access within the environment. Monitoring and correlating this event with other suspicious activities is crucial for identifying potential security incidents.","The following analytic identifies the issuance of a new certificate by Certificate Services - AD CS, detected via Event ID 4887. This event logs the requester user context, DNS hostname of the requesting machine, and the request time. Monitoring this activity is crucial as it can indicate potential misuse of authentication certificates. If confirmed malicious, an attacker could use the issued certificate to impersonate users, escalate privileges, or maintain persistence within the environment. This detection helps in identifying and correlating suspicious certificate-related activities for further investigation.","Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected\napplications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for\nsaved usernames and passwords. 
This may also be performed in preparation of lateral movement.","Detects external disk drives or plugged-in USB devices.","The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second window. This behavior is significant as it is commonly associated with ransomware attempting to avoid exceptions during file encryption. If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss.","The following analytic detects the termination of specific processes by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes like \"PServiceControl.exe\" and \"PService_PPD.exe\" are killed. This activity is significant as it targets processes related to energy facility networks, indicating a potential attack on critical infrastructure. If confirmed malicious, this could lead to disruption of essential services, loss of control over energy systems, and significant operational impact. Immediate investigation is required to determine the cause and mitigate any potential threats.","The following analytic detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter. This detection leverages Windows event logs from the AppXDeployment-Server, specifically focusing on EventID 603 which indicates the start of a deployment operation with specific deployment flags. The flag value 8388608 corresponds to the -AllowUnsigned option in PowerShell's Add-AppxPackage cmdlet. This activity is significant as adversaries have been observed leveraging unsigned MSIX packages to deliver malware, bypassing signature verification that would normally protect users from malicious packages. 
If confirmed malicious, this could allow attackers to execute arbitrary code, establish persistence, or deliver malware while evading traditional detection mechanisms.","This detection identifies the installation of developer-signed MSIX packages that lack Microsoft Store signatures. All malicious MSIX packages observed in recent threat campaigns (including those from FIN7, Zloader/Storm-0569, and FakeBat/Storm-1113) were developer-signed rather than Microsoft Store signed. Microsoft Store apps have specific publisher IDs containing '8wekyb3d8bbwe' or 'cw5n1h2txyewy', while developer-signed packages lack these identifiers. This detection focuses on EventID 855 from the Microsoft-Windows-AppXDeployment-Server/Operational logs, which indicates a completed package installation.","This detection identifies instances where a Windows Firewall rule has been modified, which may indicate an attempt to alter security policies. Unauthorized modifications can weaken firewall protections, allowing malicious traffic or preventing legitimate communications. The event logs details such as the modified rule name, protocol, ports, application path, and the user responsible for the change. Security teams should monitor unexpected modifications, correlate them with related events, and investigate anomalies to prevent unauthorized access and maintain network security integrity.","This detection identifies instances where a Windows Firewall rule has been deleted, potentially exposing the system to security risks. Unauthorized removal of firewall rules can indicate an attacker attempting to bypass security controls or malware disabling protections for persistence and command-and-control communication. The event logs details such as the deleted rule name, protocol, port, and the user responsible for the action. 
Security teams should monitor for unexpected deletions, correlate with related events, and investigate anomalies to prevent unauthorized access and maintain network security posture.","Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.","Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.\nAdversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.","Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing \"DisableAIDataAnalysis\" registry value.\nAdversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\nThis rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.","Detects the removal of folders from the \"ProtectedFolders\" list of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder","Detects the deletion of registry keys containing the MSTSC connection history","Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. 
This technique could be used by an attacker in order to disable AMSI inspection.","Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.","Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.\nIn the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.\nAdversaries may delete this key to cover their tracks after executing commands.","Detects when the \"index\" value of a scheduled task is removed or deleted from the registry, which effectively hides it from any tooling such as \"schtasks /query\"","Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide a scheduled task. This technique is used by Tarrask malware","Detects when someone is adding or removing applications or folders from exploit guard \"ProtectedFolders\" or \"AllowedApplications\"","Detects disabling of the \"Automatic Sample Submission\" feature of Windows Defender.","Detects suspicious changes to the Windows Defender configuration","The following analytic detects modifications to Windows Defender Attack Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational logs, specifically EventCode 5007, to identify changes in ASR rules. This activity is significant because ASR rules are designed to block actions commonly used by malware to exploit systems. Unauthorized modifications to these settings could indicate an attempt to weaken system defenses. If confirmed malicious, this could allow an attacker to bypass security measures, leading to potential system compromise and data breaches.","The following analytic identifies Windows Defender ASR rule disabled events. 
ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled.","The following analytic identifies security events from Microsoft Defender, focusing on Exploit Guard and Attack Surface Reduction (ASR) features. It detects Event IDs 1121, 1126, 1131, and 1133 for blocked operations, and Event IDs 1122, 1125, 1132, and 1134 for audit logs. Event ID 1129 indicates user overrides, while Event ID 5007 signals configuration changes. This detection uses a lookup to correlate ASR rule GUIDs with descriptive names. Monitoring these events is crucial for identifying unauthorized operations, potential security breaches, and policy enforcement issues. If confirmed malicious, attackers could bypass security measures, execute unauthorized actions, or alter system configurations.","Detects when an application acquires a certificate private key","The following analytic detects the extraction of authentication certificates using Windows Event Log - CAPI2 (CryptoAPI 2). It leverages EventID 70, which is generated when a certificate's private key is acquired. This detection is significant because it can identify potential misuse of certificates, such as those extracted by tools like Mimikatz or Cobalt Strike. 
If confirmed malicious, this activity could allow attackers to impersonate users, escalate privileges, or access sensitive information, posing a severe risk to the organization's security.","Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client","Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.","Detects the creation of a binary file with the \".sed\" extension. The \".sed\" extension stands for Self Extraction Directive files.\nThese files are used by the \"iexpress.exe\" utility in order to create self extracting packages.\nAttackers were seen abusing this utility and creating PE files with embedded \".sed\" entries.\nUsually \".sed\" files are simple ini files and not PE binaries.","Triggers on any Sysmon \"FileExecutableDetected\" event, which triggers every time a PE that is monitored by the config is created.","The following analytic detects the presence of executable files masquerading as benign file types on Windows systems. Adversaries employ this technique to evade defenses and trick users into executing malicious code by renaming executables with extensions commonly associated with documents, images, or other non-executable formats (e.g., .pdf, .jpg, .doc, .png).","Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour","Detects when the \"Windows Defender Threat Protection\" service is disabled.","The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the \"running\" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. 
If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats.","The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss.","Detects when a memory process image does not match the disk image, indicative of process hollowing.","Detects new BITS transfer job saving local files with potential suspicious extensions","Detects BITS transfer job downloading files from a file sharing domain.","Detects a BITS transfer job downloading file(s) from a direct IP address.","Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.","Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location","Detects attempted file load events that did not meet the signing level requirements. 
It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.\nThis event is best correlated with EID 3089 to determine the error of the validation.","Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded","Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL","Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations","The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly.","Detects triggering of AMSI by Windows Defender.","Detects actions taken by Windows Defender malware detection engines","Detects activity when the settings of the Windows firewall have been changed","Detects when all the rules have been deleted from the Windows Defender Firewall configuration","Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.","An application has been removed. 
Check if it is critical.","Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).\nThis could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.","This rule detects a suspicious crash of the Microsoft Malware Protection Engine","Detects potential abuse of ntdsutil to dump ntds.dit database","Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location","Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.","Detects execution of Sysinternals tools via an AppX package.\nAttackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.","Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events","Detects execution of AppX packages with known suspicious or malicious signature","Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability).\nUnfortunately, that is about the only instance of CVEs being written to this log.","Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.","The following analytic detects the export of a certificate from the Windows Certificate Store. It leverages the Certificates Lifecycle log channel, specifically event ID 1007, to identify this activity. Monitoring certificate exports is crucial as certificates can be used for authentication to VPNs or private resources. 
If malicious actors export certificates, they could potentially gain unauthorized access to sensitive systems or data, leading to significant security breaches.","Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability","Detects when a DNS zone transfer failed.","Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.\nThis occurs when an application tries to access a hive and the hive has not been recognized since the last 7 days (by default).\nRegistry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.","Detects volume shadow copy mount via Windows event log","Detects logons using NTLM, which could be caused by a legacy source or attackers","The following analytic detects driver load errors in the Windows PrintService Admin logs, specifically identifying issues related to CVE-2021-34527 (PrintNightmare). It triggers on error messages indicating the print spooler failed to load a plug-in module, such as \"meterpreter.dll,\" with error code 0x45A. This detection method leverages specific event codes and error messages. This activity is significant as it may indicate an exploitation attempt of a known vulnerability. 
If confirmed malicious, an attacker could gain unauthorized code execution on the affected system, leading to potential system compromise.","Detects an installation of a device that is forbidden by the system policy","Detects suspicious application installed by looking at the added shortcut to the app resolver cache","Triggers on any Sysmon \"FileBlockExecutable\" event, which indicates a violation of the configured block policy","Triggers on any Sysmon \"FileBlockShredding\" event, which indicates a violation of the configured shredding policy.","Detects when an adversary is trying to hide its actions from Sysmon logging based on error messages","Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusual program to be run from a Scheduled Task","Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task","Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities","The following analytic detects the execution of tasks registered in Windows Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify potentially suspicious or unauthorized task executions. Monitoring these events is significant for a SOC as it helps uncover evasive techniques used for persistence, unauthorized code execution, or other malicious activities. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or the execution of harmful payloads, posing a significant threat to the environment.","Windows Defender logs when the history of detected infections is deleted.","Detects disabling of Windows Defender Real-time Protection. 
As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment","Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"","Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators","Detects MSI package installation from suspicious locations","Detects installation of a remote msi file from web.","This detection helps hunt for changes to SQL Server configuration options that could indicate malicious activity. It monitors for modifications to any SQL Server configuration settings, allowing analysts to identify potentially suspicious changes that may be part of an attack, such as enabling dangerous features or modifying security-relevant settings.","This detection identifies when critical SQL Server configuration options are modified, including \"Ad Hoc Distributed Queries\", \"external scripts enabled\", \"Ole Automation Procedures\", \"clr enabled\", and \"clr strict security\". These features can be abused by attackers for various malicious purposes - Ad Hoc Distributed Queries enables Active Directory reconnaissance through ADSI provider, external scripts and Ole Automation allow execution of arbitrary code, and CLR features can be used to run custom assemblies. Enabling these features could indicate attempts to gain code execution or perform reconnaissance through SQL Server.","This detection identifies when the xp_cmdshell configuration is modified in SQL Server. 
The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature commonly abused by attackers for privilege escalation and lateral movement.","Detects file being transferred via ScreenConnect RMM","Detects \"BugCheck\" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.","This hunting query detects user interactions with MSIX packages by monitoring EventCode 171 in the Microsoft-Windows-AppXPackaging/Operational logs. These events are generated when a user clicks on or attempts to interact with an MSIX package, even if the package is not fully installed. This information can be valuable for security teams to identify what MSIX packages users are attempting to open in their environment, which may help detect malicious MSIX packages before they're fully installed. Monitoring these interactions can provide early warning of potential MSIX package abuse, which has been leveraged by threat actors such as FIN7, Zloader (Storm-0569), and FakeBat (Storm-1113).","The following analytic detects the shutdown of the Windows Event Log service by leveraging Windows Event ID 1100. This event is logged every time the service stops, including during normal system shutdowns. Monitoring this activity is crucial as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, an attacker could hide their activities, making it difficult to trace their actions and investigate further incidents. Analysts should verify if the shutdown was planned and review other alerts and data sources for additional suspicious behavior.","The following analytic detects the addition of new printer drivers by monitoring Windows PrintService operational logs, specifically EventCode 316. 
This detection leverages log data to identify messages indicating the addition or update of printer drivers, such as \"kernelbase.dll\" and \"UNIDRV.DLL.\" This activity is significant as it may indicate exploitation attempts related to vulnerabilities like CVE-2021-34527 (PrintNightmare). If confirmed malicious, attackers could gain code execution or escalate privileges, potentially compromising the affected system. Immediate isolation and investigation of the endpoint are recommended.","The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment.","This analytic monitors Windows RDP client connection sequence events (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational log. These events track when RDP ClientActiveX initiates connection attempts to remote servers. The connection sequence is a critical phase of RDP where the client and server exchange settings and establish common parameters for the session. Monitoring these events can help identify unusual RDP connection patterns, potential lateral movement attempts, unauthorized remote access activity, and RDP connection chains that may indicate compromised systems. NOTE the analytic was written for Multi-Line as XML was not properly parsed out.","Detects Access to LSASS Process","Detects blocking of process creations originating from PSExec and WMI commands","This detection searches for Windows Defender ASR block events. 
ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR block events that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Typically, these will be enabled in block mode after auditing and tuning the ASR rules themselves. Set to TTP once tuned.","Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.","Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.","Shadow Copies deletion using operating systems utilities via PowerShell","Detects PowerShell called from an executable by the version mismatch method","Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network","Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.","Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.","Detects Windows services that got terminated for whatever reason","Detects important or interesting Windows services that got terminated for whatever reason","Detects important or interesting Windows services that got terminated unexpectedly.","The following analytic detects when a Windows service is modified from a start type to disabled. It leverages system event logs, specifically EventCode 7040, to identify this change. 
This activity is significant because adversaries often disable security or other critical services to evade detection and maintain control over a compromised host. If confirmed malicious, this action could allow attackers to bypass security defenses, leading to further exploitation and persistence within the environment.","The following analytic identifies an excessive number of system events where services are modified from start to disabled. It leverages Windows Event Logs (EventCode 7040) to detect multiple service state changes on a single host. This activity is significant as it may indicate an adversary attempting to disable security applications or other critical services, potentially leading to defense evasion or destructive actions. If confirmed malicious, this behavior could allow attackers to disable security defenses, disrupt system operations, and achieve their objectives on the compromised system.","The following analytic detects the disabling of Windows Update services, such as \"Update Orchestrator Service for Windows Update,\" \"WaaSMedicSvc,\" and \"Windows Update.\" It leverages Windows System Event ID 7040 logs to identify changes in service start modes to 'disabled.' This activity is significant as it can indicate an adversary's attempt to evade defenses by preventing critical updates, leaving the system vulnerable to exploits. 
If confirmed malicious, this could allow attackers to maintain persistence and exploit unpatched vulnerabilities, compromising the integrity and security of the affected host.","Detects plugged/unplugged USB devices","Detects activity when Windows Defender Firewall has been reset to its default configuration","Detects denied requests by Active Directory Certificate Services.\nExamples of such request denials include issues with permissions on the certificate template or invalid signatures.","Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes","Detects DNS queries for subdomains related to \"Put.io\" sharing website.","Detects DNS resolution of an .onion address related to Tor routing networks","Detects changes to the IIS server configuration in order to disable/remove the ETW logging/processing option.","Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.","Detects the addition of a new module to an IIS server.","Detects the removal of a previously installed IIS module.","Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.","The following analytic detects failed trust validation attempts using Windows Event Log - CAPI2 (CryptoAPI 2). It specifically triggers on EventID 81, which indicates that \"The digital signature of the object did not verify.\" This detection leverages the CAPI2 Operational log to identify instances where digital signatures fail to validate. Monitoring this activity is crucial as it can indicate attempts to execute untrusted or potentially malicious binaries. 
If confirmed malicious, this activity could allow attackers to bypass security controls and execute unauthorized code, leading to potential system compromise.","Detects image load events with revoked certificates by code integrity.","Detects loaded kernel modules that did not meet the WHQL signing requirements.","This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded","Detects potential Active Directory enumeration via LDAP","Detects issues with Windows Defender Real-Time Protection features","Detects the presence of a loaded unsigned kernel module on the system.","Detects blocked load attempts of revoked drivers","Detects blocked image load events with revoked certificates by code integrity.","Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.","This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded","Detects logons using NTLM to hosts that are potentially not part of the domain.","Detects the restoration of files from the defender quarantine","This detection searches for Windows Defender ASR audit events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. 
This detection searches for ASR audit events that are generated when a process or application attempts to perform an action that would be blocked by an ASR rule, but is allowed to proceed for auditing purposes.","Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software","Detects disabling of the Windows Defender virus scanning feature","Detects command execution via ScreenConnect RMM","Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.","Detects an appx package deployment that was blocked by the local computer policy.\nThe following events indicate that an AppX package deployment was blocked by a policy:\n- Event ID 441: The package deployment operation is blocked by the \"Allow deployment operations in special profiles\" policy\n- Event ID 442: Deployments to non-system volumes are blocked by the \"Disable deployment of Windows Store apps to non-system volumes\" policy.\"\n- Event ID 453: Package blocked by a platform policy.\n- Event ID 454: Package blocked by a platform policy.","Detects the load of a revoked kernel driver","Detects restricted access to applications by the Software Restriction Policies (SRP) policy","Detects an appx package deployment that was blocked by AppLocker policy.","Detects backup catalog deletions","Detects loaded unsigned image on the system","Detects block events for files that are disallowed by code integrity for protected processes","Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode","Detects the configuration of a new ISATAP router on a Windows host. 
While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.\nIn such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.\nThis detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.","Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.\nThis issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.","Detects SMB server connections to shares without signing or encryption enabled.\nThis could indicate potential lateral movement activity using unsecured SMB shares.","Detects activity when The Windows Defender Firewall service failed to load Group Policy","The following analytic identifies the creation or modification of Image File Execution Options (IFEO) registry keys, detected via EventCode 3000 in the Application channel. This detection leverages Windows Event Logs to monitor for process names added to IFEO under specific registry paths. This activity is significant as it can indicate attempts to set traps for process monitoring or debugging, often used by attackers for persistence or evasion. If confirmed malicious, this could allow an attacker to execute arbitrary code or manipulate process behavior, leading to potential system compromise.","Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to\nSYSTEM privileges.","The following analytic detects when an IIS Module DLL fails to load due to a configuration problem, identified by EventCode 2282. 
This detection leverages Windows Application event logs to identify repeated failures in loading IIS modules. Such failures can indicate misconfigurations or potential tampering with IIS components. If confirmed malicious, this activity could lead to service disruptions or provide an attacker with opportunities to exploit vulnerabilities within the IIS environment. Immediate investigation is required to determine the legitimacy of the failing module and to mitigate any potential security risks."],"dl":["An account was successfully logged on.","An account failed to log on.","An operation was performed on an object.","A scheduled task was created.","A scheduled task was updated.","System audit policy was changed.","A member was added to a security-enabled global group.","A user account was changed.","The name of an account was changed.","A directory service object was modified.","A directory service object was created.","The image loaded event logs when a module is loaded in a specific process.","The CreateRemoteThread event detects when a process creates a thread in another process.","The audit log was cleared.","Creating Scriptblock text (MessageNumber of MessageTotal).","A new process has been created.","A scheduled task was deleted.","A member was added to a security-enabled local group.","A computer account was changed.","A network share object was checked to see whether client can be granted desired access.","The process creation event provides extended information about a newly created process.","The process accessed event reports when a process opens another process.","This event generates when a named pipe is created.","A logon was attempted using explicit credentials.","A handle to an object was requested.","An attempt was made to access an object.","A computer account was created.","A Kerberos authentication ticket (TGT) was requested.","A Kerberos service ticket was requested.","Kerberos pre-authentication failed.","The computer attempted to validate the 
credentials for an account.","A network share object was accessed.","When a consumer binds to a filter, this event logs the consumer name and filter path.",0,"Special privileges assigned to new logon.","An operation was attempted on a privileged object.","A user right was assigned.","A member was added to a security-enabled universal group.","The RawAccessRead event detects when a process conducts reading operations from the drive.","This event logs when a named file stream is created.","Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path finished successfully.","The LogFileCleared.Channel log file was cleared.","A service was installed in the system.","A token right was adjusted.","A user account was created.","A security-enabled global group was deleted.","A computer account was deleted.","The Windows Filtering Platform has blocked a connection.","The network connection event logs TCP/UDP connections on the machine.","File create operations are logged when a file is created or overwritten.","Registry key and value create and delete operations map to this event type.","This Registry event type identifies Registry value modifications.","This event logs when a named pipe connection is made between a client and a server.","This event logs the registration of WMI consumers.","This event is generated when a process executes a DNS query.","A file was deleted. 
Additionally the deleted file is saved in the ArchiveDirectory.","A file was deleted.","Successfully added the following uri(s) to be processed: Path.","A trusted logon process has been registered with the Local Security Authority.","A registry value was modified.","A handle to an object was requested.","An attempt was made to reset an account's password.","A member was removed from a security-enabled global group.","SID History was added to an account.","An attempt was made to set the Directory Services Restore Mode.","The Windows Filtering Platform has permitted a connection.","The change file creation time event is registered when a file creation time is explicitly modified by a process.","The driver loaded events provides information about a driver being loaded on the system.","This event logs changes in the Sysmon configuration.","Group membership information.","Permissions on an object were changed.","A privileged service was called.","Backup of data protection master key was attempted.","The Windows Filtering Platform has blocked a packet.","Credential Manager credentials were read.","Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path failed with error ErrorCode. See http://go.microsoft.com/fwlink/?LinkId=235160 for help diagnosing app deployment issues.","An account was logged off.","User initiated logoff.","The handle to an object was closed.","A scheduled task was disabled.","Certificate Services loaded a template.","An attempt was made to register a security event source.","An attempt was made to unregister a security event source.","A change was made to the Windows Firewall exception list. 
A rule was added.","The following filter was present when the Windows Filtering Platform Base Filtering Engine started.","A Windows Filtering Platform filter has been changed.","A Windows Filtering Platform provider context has been changed.","The service state change event reports the state of the Sysmon service (started or stopped).","When a WMI event filter is registered, this event logs the WMI namespace, filter name and filter expression.","A rule has been added to the Windows Defender Firewall exception list.","A rule has been deleted in the Windows Defender Firewall exception list.","A rule has been deleted in the Windows Defender Firewall exception list.","A rule has been added to the Windows Defender Firewall exception list.","Application popup: Caption : Message.","Groups assigned to a new logon.","The BITS service created a new job: jobTitle, with owner jobId.",0,"The system time was changed.","A scheduled task was enabled.","A new trust was created to a domain.","A user account was enabled.","An attempt was made to change an account's password.","A user account was disabled.","A user account was deleted.","A security-enabled global group was created.","A security-enabled local group was created.","A member was removed from a security-enabled local group.","A security-enabled local group was deleted.","A security-enabled local group was changed.","A security-enabled global group was changed.","A security-disabled global group was created.","A security-enabled universal group was created.","A group's type was changed.","The ACL was set on accounts which are members of administrators groups.","A user's local group membership was enumerated.","The workstation was locked.","A user was denied the access to Remote Desktop. 
By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.","Certificate Services received a certificate request.","Certificate Services approved a certificate request and issued a certificate.","A directory service object was deleted.","Vault credentials were read.","A new external device was recognized by the system.","The process terminate event reports when a process terminates.","Finished resolving action lists. DeploymentRequest action lists:PackageMoniker.","An object was deleted.","A user account was locked out.","A change was made to the Windows Firewall exception list. A rule was modified.","A change was made to the Windows Firewall exception list. A rule was deleted.","Special groups have been assigned to a new logon.","The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.","The Windows Filtering Platform has permitted a bind to a local port.","Registry key and value rename operations map to this event type.","Product Name Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.","For more details for this event, please refer to the \"Details\" section.","## SOAP Request: Value.","A replay attack was detected.","Protection of auditable protected data was attempted.","Unprotection of auditable protected data was attempted.","Domain Policy was changed.","An attempt to add SID History to an account failed.","A session was reconnected to a Window Station.","Auditing settings on object were changed.","A Windows Firewall setting was changed.","Code integrity determined that the image hash of a file is not valid. 
The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.","A network share object was added.","Credential Manager credentials were backed up.","A device was enabled.","This event is generated when Sysmon detects the creation of a new executable file.","Remote Desktop Services: Session logon succeeded.","Namespace = ; NotificationQuery = ; OwnerName = ; HostProcessID = ; Provider= , queryID = ; PossibleCause =.","Namespace = Operation_ESStoConsumerBinding.Namespace; Eventfilter = Operation_ESStoConsumerBinding.ESS (refer to its activate eventid:5859); Consumer = Operation_ESStoConsumerBinding.CONSUMER; PossibleCause = Operation_ESStoConsumerBinding.PossibleCause.",0,"A process has exited.","A user account was unlocked.","A Kerberos service ticket was renewed.","A security-enabled local group membership was enumerated.","The Per-user audit policy table was created.","This event is generated when process hiding techniques are being detected.","Credential Guard auto enablement status.","ClipSVC service is starting. Caller: Data.","ClipSVC was restarted while there is a pending rearm reboot required. Caller: Data.","License install failed for license type: Type.","License successfully installed for package PackageName.","Application license successfully installed.","Lease successfully installed.","Clip service has been rearmed. Result code: Data.","The license with Id LicenseId has been archived successfully. PFM if available: PackageName.","The lease with Id LicenseId has been archived successfully. PFM if available: PackageName.","The license with Id LicenseId of type Type has been archived successfully. PFM if available: PackageName.","ClipUp run from Clip service with arguments 'Arguments'. 
Result: HRESULT.","AAD Cloud AP plugin call API returned error: Result.","WamExtension process token operation completed with error: Data.","Compatibility fix applied to CompatibilityFixEvent.ExePath.","Compatibility fix applied to CompatibilityFixEvent.ExePath.","Process RegisterUninstallStringEventData.ProcessName attempted to register UninstallString RegisterUninstallStringEventData.UninstallString, Status: RegisterUninstallStringEventData.Status.","The Appx operation 'Operation' on 'PackageId' failed for user 'User' - Error. (Error: Result).","App Readiness service has been notified of new apps. (Source: Source, Error: Result).","Task 'TaskId' is added for User, tasks: TaskCount.","Task 'TaskId' is removed for User, tasks: TaskCount.","Pre-registration for 'PackageId' failed. (Error: Result).","A exception was caught: Error.","Failed to start system service: ServiceName with error: ErrorCode.","Determining packages to be installed during logon for user: UserSid.","The following packages will be installed: InstallPackageList. The following packages will be removed: RemovePackageList.","Unable to determine packages to be installed during logon with error: ErrorCode.","error ErrorCode: Cannot register the PackageName package due to the following error: ErrorText.","error ErrorCode: While processing the request, the system failed to register the CategoryName extension due to the following error: ErrorMessage.","error ErrorCode: Cannot register the request because the following error was encountered during the registration of the CategoryName extension: ErrorMessage.","error ErrorCode: While removing the request, the system failed to de-register the CategoryName extension due to the following error: ErrorMessage.","AppX Deployment operation failed for package PackageFullName with error ErrorCode. The specific error text for this failure is: SummaryError.","Moving package folder SourceFolderPath to DestinationFolderPath. 
Result: ErrorCode.","Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path finished successfully.","RemoveDefaultPackages uninstall override policy failure during removal of package PathTwo with error code PathOne.","ServerSideRPCPreRegisterPackage PackageFullName, Option: Flags, Result: HResult, Calling process: CallingProcess.","ServerSideRPCPreRegisterAllInboxPackages result: HResult, Option: Options, Calling process: CallingProcess.","ServerSideRPCCleanupWCIReparsePoints result:HResult.","OnDemandRegisterPackage PackageFullName add PackageUser row, Bundle:Bundle, AppDataVolume:AppDataVolume.","Failed creating preview tiles for package PackageName due to the package not being found in StateRepository. Error: ErrorCode.","Deletion of registry key: RegistryKeyName failed with error: ErrorCode.","Determining packages to be installed during logon for user: UserSid.","The following packages will be installed: InstallPackageList. The following packages will be removed: EndOfLifePackageList.","During-logon registration of package MainPackageFullName for user UserSid finished with result: ErrorCode; updating registry...","Updating registry for package PackageMoniker completed with result: Error.","Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path failed with error ErrorCode. See http://go.microsoft.com/fwlink/?LinkId=235160 for help diagnosing app deployment issues.","The Windows Biometric Service successfully created a Biometric Unit for sensor: BiometricSensor.","The Windows Biometric Service failed to start its secure component.","The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption.","The transfer job is complete.","Job cancelled. 
User: User, job: jobTitle, jobID: jobId, owner: jobOwner, filecount: fileCount.","Command-line command set for job jobId with owner jobOwner. Program: program Args: parameters.","The initialization of the peer helper modules failed with the following error: ErrorCode.",0,"Successful auto update of third-party root list with effective date: .","Successful auto update of disallowed certificate list with effective date: .","Successful auto update of pin rules with effective date: .","Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements.","DPAPI BackUp service setup of preferred backup keys failed.","DPAPI created Master key.","Master key's record successfully logged to Diagnostic file.","DPAPI found credential key.","Open Provider operation failed.","Open Key operation failed.","Create Key operation failed.","Key write succeeded.","Delete key succeeded.","New client uses VBS Key Isolation.","Remote calls to the SAM database are being restricted using the default security descriptor: Name.","A DNS server plugin DLL has been loaded from location param1 on server param2.","The V1 plugin interface has been implemented in server level plugin DLL.","Starting computer boot policy processing for PrincipalSamName.","Starting user logon Policy processing for PrincipalSamName.","Starting manual processing of policy for computer PrincipalSamName.","Starting manual processing of policy for user PrincipalSamName.","Starting periodic policy processing for computer PrincipalSamName.","Domain Controller details.","Computer details.","Account details.","List of applicable Group Policy objects.","The following Group Policy objects were not applicable because they were filtered out.","InfoDescription Parameter: OperationParameter1.","Error: ErrorDescription Error code ErrorCode.","The Group Policy settings for the computer were processed successfully. 
New settings from NumberOfGroupPolicyObjects Group Policy objects were detected and applied.","The Group Policy settings for the user were processed successfully. New settings from NumberOfGroupPolicyObjects Group Policy objects were detected and applied.","Hypervisor configured mitigations for CVE-2018-3646 for virtual machines.","Activation of app ApplicationId attempted. Execution state: ExecutionState, AppState, Result.","Activation for AppId failed. Error code: ErrorCode. Activation phase: PhaseFlags.","Process Name: Process Name.","Boot Policy Migration used an authenticated variable. Status: Status.","Error: DiagCode Status: Status.","Measured Boot library encountered a failure and entered insecure state. InitState: InitState, StatusCode: StatusCode, Failure Address: FailureAddress, Reference Address: ReferenceAddress, Reason: ReasonCode.","Windows boot environment failed to initialize TPM device. StatusCode: StatusCode, Position: Position.","The virtualization-based security enablement policy check at phase Phase failed with status: Status.","Virtualization-based security (policies: VsmPolicy) is EnableDisableReason.","Virtualization-based security (policies: VsmPolicy) is EnableDisableReason with status: Status.","Initialized VolumeCacheMap for device guid: VolumeDeviceGuid.","Global Periodic Cache Information.","Volume Periodic Cache Information.","Volume Periodic Cache Read Latency Information.","Volume Periodic Cache Write Latency Information.","Crash dump initialization failed. 
NT status: NTStatus.","Session \"SessionName\" failed to start with the following error: ErrorCode.","The system time has changed to NewTime from OldTime.","The leap second configuration has been updated.","Windows failed to mount the volume.","Device DeviceInstanceId was configured.","Device DeviceInstanceId requires a system reboot to complete configuration.","Device DeviceInstanceId was started.","Device DeviceInstanceId had a problem starting.","Device DeviceInstanceId could not be query removed as the removal was vetoed.","Device DeviceInstanceId has been surprise removed as it is reported as missing on the bus.","A long running thread for driver entry was detected. The thread has been running for ElapsedTimeMs milliseconds.","A long running thread for driver entry routine has been completed.","The kernel power manager has initiated a shutdown transition.","Connectivity state in standby: State, Reason: Reason.","Processor Number in group Group exposes the following power management capabilities.","ShimCount shim(s) were applied to driver [DriverName].","Flags [Flags] were applied to device [DeviceName] - class [DeviceClass].","RPC call to function FunctionName returned the following error code: ErrorCode.","SOAP Request of type RequestType for user CID 'cid' in MachineEnvironment environment received the following error code from the Microsoft Account server: ErrorCode.","## SOAP Response: Value.","MUI resource cache builder has been called with the following parameters: Parameter.","Capability change on InterfaceGuid (IfLuid Family: Family Capability: Capability ChangeReason: CapabilityChangeReason).","Entered State: CurrentOrNextState Interface Guid: InterfaceGuid.","Transitioning to State: CurrentOrNextState Interface Guid: InterfaceGuid.","Transitioning to State: CurrentOrNextState Interface Guid: InterfaceGuid.","Network Connected.","Network Disconnected.","Network Category Changed.","NSI Set Category Result.","The NTFS volume has been successfully 
mounted.","NTFS scanned entire volume bitmap.","NTFS cached runs statistics.","Summary of disk space usage, since last event.","An IO took more than MaxLatencyMs ms to complete.","In the past SecondsElapsed seconds we had high latency IOs and/or IO failures.","VCB exclusive resource acquires.","NTFS metadata statistics for volume.","NTFS has successfully completed the VolumeSizeChangeRequestType request in CombinedDurationMs ms when trying to VolumeSizeChangeOperation the volume size from FromSize (MB) to ToSize (MB).","IO latency summary.","File-Level Trim Summary.","NTFS volume dismount has started.","The NTFS volume has successfully dismounted.","A process has created a USN journal on a volume.","A process has deleted a USN journal on a volume.","Started invocation of ScriptBlock ID: ScriptBlockId.","Completed invocation of ScriptBlock ID: ScriptBlockId.","Windows PowerShell has started an IPC listening thread on process: param1 in AppDomain: param2.","The System Setting {(Area) (SubArea) (ID)} owned by Component was changed from OldSettingValue to NewSettingValue by ProcessName. Justification: Justification.","The User Setting {(Area) (SubArea) (ID)} for user TargetUserSid owned by Component was changed from OldSettingValue to NewSettingValue by ProcessName. Justification: Justification.","Configuring ProvXML with category 'Message1'.","Applying package 'Message1' ID: Message2.","Process Name: Process Name.","The Windows Push Notification Platform has encountered an error in File: FileName, Function FunctionName, Line LineNumber, Error ErrorCode, ErrorMessage %5.","The Windows Push Notification Platform is required to connect on startup, ValidChannelsExist : ChannelsExist.","Cloud Notifications must be enabled in GP and MDM to receive push notifications. 
GroupPolicyValue: GroupPolicyValue, MDMPolicyValue: MDMPolicyValue.","A Power event was fired: PowerEventType [PowerEventType] IsEnabled [Enabled].","Windows Push Notification Service was disconnected due to error: Error and will now enter reconnect mode.","WNP Transport Layer sent command: Verb, Trid: TrID, Namespace: Namespace, CV: CorrelationVector containing Bytes bytes of payload: Payload. IsLongRunning: ConnectionType.","WNP Transport Layer received command: Verb, Trid: TrID, Namespace: Namespace, CV: CorrelationVector containing Bytes bytes of payload: Payload. IsLongRunning: ConnectionType.","WNP Keep Alive Detector starting KA measurement with value: KaValue seconds; type: KaValueType; Min Limit: KaMinLimit seconds.","WNP Transport Layer sent command: Verb, Trid: TrID, Namespace: Namespace, CV: CorrelationVector containing Bytes bytes of payload only. However, full payload including header is: Payload. IsLongRunning: ConnectionType.","WNP Transport Layer received command: Verb, Trid: TrID, Namespace: Namespace, CV: CorrelationVector containing Bytes bytes of payload only. However, full payload including header is: Payload. 
IsLongRunning: ConnectionType.","The channel table has added a valid channel mapping: ChannelId [ChannelId] AppUserModelId [AppUserModelId] ErrorCode [ErrorCode].","An application was registered with the following parameters: PackageFullName [PackageFullName] AppUserModelId [AppUserModelId] AppSettings [Settings] AppType [AppType] ErrorCode [ErrorCode].","An application was unregistered with the following parameters: AppUserModelId [AppUserModelId] ErrorCode [ErrorCode].","Summary of ReadyBoot Performance.","Boot plan calculation completed.","ReadyBoot disk assessment completed.","The attach state for volume VolumePath (Unique Id: VolumeUniqueId) has changed.","ReadyBoot has updated the system volume unique ID: VolumeUniqueId.","The server has initiated a multi-transport request to the client, for tunnel: The_server_has_initiated_a_multitransport_request_to_the_client_for_tunnel.","The multi-transport connection finished for tunnel: The_multitransport_connection_finished_for_tunnel, its transport type set to %2.","During this connection, server has not sent data or graphics update for Idle2 seconds (Idle1: %2, Idle2: %3).","The client supports version AVC_available of the RDP graphics protocol, client mode: Initial_profile, AVC available: Server, Initial profile: %4. 
Server: %5.","List of applicable GPOs.","An authentication package has been loaded by the Local Security Authority.","A notification package has been loaded by the Security Account Manager.","A security package has been loaded by the Local Security Authority.","An IPsec main mode negotiation failed.","An attempt was made to create a hard link.","An attempt was made to duplicate a handle to an object.","A primary token was assigned to process.","A user right was removed.","Kerberos policy was changed.","System security access was granted to an account.","System security access was removed from an account.","A security-disabled global group was changed.","A member was added to a security-disabled global group.","A member was removed from a security-disabled global group.","A security-disabled global group was deleted.","A security-enabled universal group was changed.","A security-enabled universal group was deleted.","A session was disconnected from a Window Station.","An attempt was made to query the existence of a blank password for an account.","The workstation was unlocked.","Boot Configuration Data loaded.","A trusted forest information entry was added.","The certificate manager denied a pending certificate request.","Certificate Services received a resubmitted certificate request.","Certificate Services revoked a certificate.","Certificate Services received a request to publish the certificate revocation list (CRL).","Certificate Services published the certificate revocation list (CRL).","A certificate request extension changed.","One or more certificate request attributes changed.","Certificate Services started.","Certificate Services stopped.","Certificate Services denied a certificate request.","Certificate Services set the status of a certificate request to pending.","A property of Certificate Services changed.","One or more rows have been deleted from the certificate database.","Role separation enabled: RoleSeparationEnabled.","A Certificate Services 
template was updated.","Resource attributes of the object were changed.","An Active Directory replica source naming context was removed.","The following policy was active when the Windows Firewall started.","A rule was listed when the Windows Firewall started.","Windows Firewall ignored a rule because it could not be parsed.","Windows Firewall changed the active profile.","Windows Firewall did not apply the following rule.","The state of a transaction has changed.","Windows Firewall blocked an application from accepting incoming connections on the network.","A change was made to IPsec settings. A connection security rule was added.","A change was made to IPsec settings. A connection security rule was deleted.","Key file operation.","Key migration operation.","Cryptographic operation.","A configuration entry changed in the OCSP Responder Service.","A security setting was updated on OCSP Responder Service.","A network share object was modified.","A network share object was deleted.","Vault credentials were read.","The following provider was present when the Windows Filtering Platform Base Filtering Engine started.","The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.","The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.","A Windows Filtering Platform callout has been changed.","A Windows Filtering Platform provider has been changed.","A Windows Filtering Platform sub-layer has been changed.","An object in the COM+ Catalog was modified.","An object was deleted from the COM+ Catalog.","An object was added to the COM+ Catalog.","A request was made to disable a device.","A device was disabled.","A request was made to enable a device.","Process 'ProcessPath' (PID ProcessId) was blocked from loading the non-Microsoft-signed binary 'ImageName'.","Contacted server UInt1 times, all failed, URI: Message1. 
Last HTTP error code: Int1.","The device doesn't have low battery level and contacts the server as usual. Normal operating notification; no action required.","Failed to communicate with authentication service. requestType request failed, hresult: HRESULT, HTTP error code: errorCode .","Initiating changes for package CbsPackageInitiateChanges.PackageIdentifier. Current state is CbsPackageInitiateChanges.InitialPackageState. Target state is CbsPackageInitiateChanges.IntendedPackageState. Client id: CbsPackageInitiateChanges.Client.","Initiating changes to turn on update CbsUpdateChangeState.UpdateName of package CbsUpdateChangeState.PackageIdentifier. Client id: CbsUpdateChangeState.Client.","Started execution of command 'Command'.","Remote Desktop Services: User authentication succeeded.","Product Name has detected malware or other potentially unwanted software.","Product Name has taken action to protect this machine from malware or other potentially unwanted software.","A Windows Defender Firewall setting has changed.","A Windows Defender Firewall setting in the Profiles profile has changed.","A rule has been modified in the Windows Defender Firewall exception list.","Windows Defender Firewall Group Policy settings have changed. The new settings have been applied.","All rules have been deleted from the Windows Defender Firewall configuration on this computer.","A rule has been modified in the Windows Defender Firewall exception list.","A Windows Defender Firewall setting in the Profiles profile has changed.","A Windows Defender Firewall setting has changed.","A rule has been added to the Windows Defender Firewall exception list.","A rule has been deleted in the Windows Defender Firewall exception list.","A rule has been added to the Windows Defender Firewall exception list.","Installation Failure: Windows failed to install the following update with error errorCode: updateTitle.","Product: Data_0. Version: Data_1. Language: Data_2. 
Removal completed with status: Data_3. Manufacturer: Data_4.","Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.",0,0,0,0,0,"Created process ProcessID for application ApplicationName in package PackageName. Message.","Started deployment DeploymentOperation operation on a package with main parameter Path and Options Flags and FlagsHigh. See http://go.microsoft.com/fwlink/?LinkId=235160 for help diagnosing app deployment issues.",0,"The app package signature was validated for core content of the app package published by subjectName. Payload won't be validated until the files are read.","Possible detection of CVE: PossibleDetectionOfCVE.","A certificate has been exported. Please refer to the \"Details\" section for more information.","The scripted diagnostic engine started initializing a diagnostic package located at PackagePath.",0,"The DNS server received a zone transfer request from param1 for a non-existent or non-authoritative zone param2.",0,0,0,"The access history in hive HiveName was cleared updating KeysUpdated keys and creating DirtyPages modified pages.",0,"Volume DriveName (DeviceName) CorruptionActionState.","NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked.",0,0,"The print spooler failed to load a plug-in module PluginDllName, error code ErrorCode. See the event user data for context information.",0,"A security-disabled local group was created.","A security-disabled universal group was created.","A basic application group was created.","An LDAP query group was created.",0,"The installation of this device is forbidden by system policy.","Shortcut for application Name with ID AppID and flags Flags is added to app resolver cache.","This event is generated when Sysmon detects and blocks the creation of executable files.","This event is generated when Sysmon detects and blocks file shredding.","This event is generated when an **error occurred within Sysmon**. 
They can happen if the system is under heavy load and certain tasks could not be performed or a bug exists in the Sysmon service.","Task Scheduler launch task \"Name\" , instance \"TaskName\" with process ID Path.","User \"TaskName\" deleted Task Scheduler task \"Name\".","Task Scheduler launched action \"TaskName\" in instance \"ActionName\" of task \"Name\".","Task Scheduler successfully completed task \"Name\" , instance \"TaskInstanceId\" , action \"TaskName\" .","Product Name has removed history of malware and other potentially unwanted software.","Product Name Real-time Protection scanning for malware and other potentially unwanted software was disabled.","Tamper Protection Changed Type a change to Product Name.","Product: . Version: . Language: . Installation completed with status: . Manufacturer: .",0,0,0,0,"Transferred files with action 'Transfer'.","Fault bucket , type.","The reader was created successfully for app package packageFullName.","The event logging service has shut down.","Printer driver param1 for param2 param3 was added or updated. Files:- param4. No user action is required.","Certificate Services backup started.","RDP ClientActiveX is trying to connect to the server (Value).","Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.",0,0,0,0,0,0,"The program version stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.","Getting registration status of package family PackageFamilyName completed with result: Error.(statusFound: FoundState, Status: ErrorCode).","BITS stopped transferring the name transfer job that is associated with the url URL. The status code is hr.","The BITS service provided job credentials in response to an authentication challenge from server for job job, url url. 
The credentials were rejected.","Cryptographic Operation failed.","OBTAIN LEASE - AdapterName: AdapterName Interface LUID: InterfaceLUID.","The UMDF Host Process (UMDFHostDeviceArrivalBegin.LifetimeId) has been asked to load drivers for device UMDFHostDeviceArrivalBegin.InstanceId.","Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId.","Forwarded a finished Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) to the lower driver for device UMDFHostDeviceRequest.InstanceId with status UMDFHostDeviceRequest.Status.","Acquired Service token.","NTLM server blocked in the domain audit: Audit NTLM authentication in this domain.","Extended Error Information.","Recovery of data protection master key was attempted.","The domain controller failed to validate the credentials for an account.","The password hash an account was accessed.","Auditing settings on object were changed.","NTLM authentication failed because the account was a member of the Protected User group.","NTLM authentication failed because access control restrictions are required.","The audit filter for Certificate Services changed.","The certificate manager settings for Certificate Services changed.","Special Groups Logon table modified.","Per User Audit Policy was changed.","A directory service object was moved.","Credential Manager credentials were restored from a backup.","Network Policy Server denied access to a user.","Global (per-pattern) state changed. State: Value1, pattern: Value2.","Failed to run action ActionType. Action ID: ActionId, error code: HRESULT.","Finished uploading results of action ActionType. Action ID: ActionId, upload result code: HRESULT.","Failure during action ActionType. 
Action ID: ActionId, Action phase: ActionPhase, error code: HRESULT.","Windows Defender Firewall has been reset to its default configuration.",0,0,0,0,0,0,0,0,"Active Directory Certificate Services denied request Name because RequestId. The request was for Reason. Additional information: SubjectName.","DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults.","Changes to 'Configuration' at 'ConfigPath' have successfully been committed.","PowerShell console is starting up.","PowerShell console is ready for user input.","SIDs were filtered.","A member was removed from a security-enabled universal group.","A Kerberos authentication ticket request failed.","The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.","The Windows Filtering Platform has blocked a bind to a local port.","Remote Desktop Services: Session logoff succeeded.","Remote Desktop Services: Session has been disconnected.","Remote Desktop Services: Session reconnection succeeded.","Operation_StartedOperational.ProviderName provider started with result code Operation_StartedOperational.Code. HostProcess = Operation_StartedOperational.HostProcess; ProcessID = Operation_StartedOperational.ProcessID; ProviderPath = Operation_StartedOperational.ProviderPath.","Id = ; ClientMachine = ; User = ; ClientProcessId = ; Component = ; Operation = ; ResultCode = ; PossibleCause =.","Namespace = ; NotificationQuery = ; UserName = ; ClientProcessID = , ClientMachine = ; PossibleCause =.",0,0,0,"A secret object private to LSA was queried by a client. This object was returned in encrypted format for security reasons.","The PDC completed an automatic trust scan operation for all trusts with no errors.","LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.","ClipSVC service is running. 
Version Data.","ClipSVC service has shutdown.","Device license successfully installed.","The device license was updated with a different device ID.","Http transport error. Status: Http_transport_error_Status Correlation ID: Correlation_ID.","Enterprise STS Logon failure. Status: Enterprise_STS_Logon_failure_Status Correlation ID: Correlation_ID.","AppID certificate store is verified.","The AppLocker policy was applied successfully to this computer.","RuleAndFileData.FilePath was allowed to run but would have been prevented from running if the AppLocker policy were enforced.","FilePathBuffer was prevented from running.","FilePathBuffer was prevented from running.","FilePath was allowed to run but would have been prevented if the Config CI policy were enforced.","FilePath passed Config CI policy and was allowed to run.","Publisher info.","CreateAppContainerProfile failed for AppContainer Context with error ErrorCode.","DeleteAppContainerProfile failed with error because it was unable to unregister with the firewall.","Successfully created AppContainer .","AppContainer was not created because it already exists.","Successfully deleted AppContainer .","Successfully updated AppContainer .","Failed with ErrorCode retrieving AppModel Runtime status for package PackageFullName for user User.","Failed with ErrorCode modifying AppModel Runtime status for package PackageFullName for user User (clear=DesiredStatus, set=CurrentStatus).","Successfully updated AppModel Runtime status for package PackageFullName for user User (clear=DesiredStatus, set=CurrentStatus).","Created Desktop AppX container for package .","Added process to Desktop AppX container for package .","Destroyed Desktop AppX container for package .","PSMFlags for Desktop AppX process PackageFullName with applicationID ApplicationId is PsmFlags.","App Readiness service has started.","App Readiness service has stopped.","For 'User' has changed mode from 'From' to 'To'.","App Readiness service has found new tasks for 
Data.","App Readiness service has completed tasks for Data.","'Package' Operation succeeded for Username. (Elapsed seconds).","'Package' Operation failed for User. Error: 'Error' (Elapsed seconds).","Activity for 'User' has been suspended and will resume at ResumeAt.","'Package' Operation failed for User and will be attempted after AttemptAfter.","'Task' succeeded for Username. (Elapsed seconds).","FWOpenPolicyStore returns Data.","FWClosePolicyStore returns Data.","OnDemandRegisterAsync returns Data.","OnDemandRegisterWaitForCompletion returns Data.","OnDemandRegisterAsync returns ExitCode.","OnDemandRegisterWaitForCompletion returns ExitCode.","Checking for service idle. (Result=IsIdle, Reason=Reason).","'Data' has logged on.","'Data' has logged off.","Activity for 'Data' has resumed.","Starting registry flush for 'Data'.","Finished registry flush for 'Data'.","error Error: Unable to install because the following apps need to be closed filename.","Windows cannot remove framework PackageMoniker because package(s)PackageMoniker2 currently depends on the framework. Removing all packages that depend on the framework automatically removes the framework.","Windows cannot install package PackageName because it has version PackageVersion. A higher version PackageVersion2 of this package is already installed.","Framework is no longer explicitly installed but remains implicitly installed because packages still depend on it. 
Windows will automatically remove the framework when no other packages depend on it.","Hard linking file SourceFilePath to LinkDestinationPath failed with HRESULT ErrorCode.","Started bytecode generation for package PackageFullName on Architecture-bit architecture.","Finished bytecode generation for package PackageFullName on Architecture-bit architecture.","ErrorCode: Failed to generate bytecode for package PackageFullName on Architecture-bit architecture.","Bytecode generation for package PackageFullName on Architecture-bit architecture got cancelled because of a new deployment operation.","Valid bytecode file FullFilePath is already present for package PackageFullName; so bytecode generation is unnecessary.","Setting Sync Enabled status, package family name PackageFamilyName, enabled SettingSyncEnabled.","Started deployment operation on a package with main parameter , dependency parameters and Options and . See http://go.microsoft.com/fwlink/?LinkId=235160 for help diagnosing app deployment issues.","Error NextDeploymentState: Failure in the DeploymentState state handler.","Deployment DeploymentOperation operation on package PackageFullName has been de-queued and is running for user SID UserSid.","Performance summary of Deployment DeploymentOperation operation on Package PackageFullName: Summary.","Successfully updated the status for package StatusToClear and user StatusToSet (Clear=CallOrigin, Set=%5).","Deployment DeploymentOperation operation on package PackageFullName has been requeued for user SID UserSid.","No applicable cross-architecture framework was found for package PackageName. 
The package will be installed with matching-architecture framework only.","PreRegisterPackage PackageFullName, IsInstalled=IsInstalled, Options=Options.","OnDemandRegisterPackage PackageMoniker, unable to find the package from StateRepository, we will register it later.","Deployment DeploymentOperation operation on Package PackageFullName: Summary.","error ErrorCode: Unable to notify pre-launch service for app ApplicationUserModelId install/uninstall.","Preview tiles created for package AppId.","Successfully updated all user store with package PackageMoniker.","Windows can't provision the package PackageMoniker because it is an unsupported package type.","Windows cannot install package PackageName because it must be installed with an external location.","The Notifications extension found URI Uri with a periodic update recurrence of PeriodicUpdateRecurrence in the manifest (PackageFullName).","The Notifications extension started periodic update registration (PackageFullName).","The Notifications extension stopped periodic update registration with HRESULT Result (PackageFullName).","warning ErrorCode: The following error occurred while performing Indexed DB cleanup when removing the package: PackageName (ErrorText).","Starting validation and setting the Trust Label on package PackageFullName with flags Flags.","Finished validation and setting the Trust Label on package PackageFullName with flags Flags.","NumberOfFiles file(s) have been validated from block map for package PackageFullName.","Package PackageFullName has Trust Label already. Flags: Flags.","CC file pattern SearchString, hresult HresultCode, error ErrorCode, index Index.","ErrorCode: TerminateApplications successful.","ErrorCode: AllowUninstall successful for package String.","ErrorCode: GetActiveAumidsInPackage successful for package String.","About to service package PackageFullName. Setting the package state to disabled returned with ErrorCode.","Finished servicing package PackageFullName. 
Setting the package state to enabled returned with ErrorCode.","Creating Resiliency File ResiliencyFilePath for DeploymentOperation Operation on Package MainPackageMoniker.","The app bundle signature was validated for core content of the app bundle published by subjectName. App packages won't be validated until they are read.","The streaming reader was created successfully for app package packageFullName.","The reader was created successfully without manifest validation.","App manifest validation warning: Declared namespace namespace is inapplicable, it will be ignored during manifest processing.","The bundle streaming reader was created successfully for bundle packageFullName.","BitLocker encryption was started for volume VolumeMountPoint using AlgorithmType algorithm.","A BitLocker key protector was created.","The identification field was changed.","BitLocker resealed boot settings to the TPM for volume VolumeMountPoint.","BitLocker Drive Encryption is using software-based encryption to protect volume VolumeMountPoint.","BitLocker successfully sealed a key to the TPM.","A trusted WIM file has been added for volume %3.","BITS started the name transfer job that is associated with the url URL.","BITS stopped transferring the name transfer job that is associated with the url URL. 
The status code is hr.","High performance property for BITS job \"jobName\" with ID \"jobId\" isRoaming.","The BITS service loaded the job list from disk.","Successful auto update of third-party root certificate:: Subject: <> Sha1 thumbprint: <>.","Successful auto update retrieval of third-party root certificate from: <URL>.","Successful auto delete of third-party root certificate:: Subject: <> Sha1 thumbprint: <>.","Successful auto property update of third-party root certificate:: Subject: <> Sha1 thumbprint: <>.","For more details for this event, please refer to the \"Details\" section.","For more details for this event, please refer to the \"Details\" section.","A certificate has been replaced. Please refer to the \"Details\" section for more information.","A certificate has been deleted. Please refer to the \"Details\" section for more information.","A certificate has been archived. Please refer to the \"Details\" section for more information.","A new certificate has been installed. Please refer to the \"Details\" section for more information.","Attempting to save device profile BackupProfileId. See event details for more information.","Completed mirroring UpdateCount settings sync policies in Elapsed milliseconds.","Error ErrorCode occurred. See event details for more information.","Downloading Id failed with error code ErrorCode.","The Backup master policy is set.","Code Integrity was unable to load the FileNameBuffer catalog. Status Status.","Code Integrity determined a revoked image FileNameBuffer is loaded into the system. Check with the publisher to see if a new signed version of the image is available.","Code Integrity determined kernel module FileNameBuffer that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load.","Code Integrity will enable WHQL driver enforcement for this boot session. Settings Settings. 
Exemption Exemption.","Code Integrity will disable WHQL driver enforcement for this boot session. Settings Settings.","Signature information for another event. Match using the Correlation Id.","Refreshed and activated Code Integrity policy PolicyGUID PolicyNameBuffer. id PolicyIdBuffer. Status Status.","BINDFLT filter registration succeeded.","WCIFS filter registration succeeded.","DPAPI BackUp service started.","Synchronization of Master keys triggered.","Master key decryption in memory failed.","Started checking data integrity.","Completed data integrity checks.","MDM PolicyManager: Set policy int, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Int: (HexInt1), Enrollment Type: (HexInt2), Scope: (HexInt3).","MDM PolicyManager: Evaluator notification (WNF): (HexInt1, HexInt2) published for Evaluator: (Message1).","MDM PolicyManager: Delete provider (Message1). Add Evaluator (Message2) to Evaluator WNF list to publish area Evaluator WNF on CSP unload.","MDM PolicyManager: During Message1 found bad enrollment (Message2) during merge. Requesting merge (Message3). Deleting policies for the enrollment. Enrollment state is (HRESULT).","No Migration needed, not an upgrade.","MDM PolicyManager: Dedicated notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1).","MDM PolicyManager: Dedicated cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2).","MDM Declared Configuration: Function (Message1) operation (Message2) failed with (HRESULT).","DcSvc: Successfully initialized service. Result: (HRESULT).","DcSvc: Service status updated. Current state: (HexInt1), Exit code: (HexInt2), Wait hint: (HexInt3).","DcSvc: Service is being initialized.","DSM service started, mode is Prop_CoreServiceMode, last session (or boot) was Prop_Event_Window_Seconds seconds ago.","DSM Service is shutting down. 
Service uptime was Prop_UpTime_Seconds seconds, active worktime was Prop_WorkTime_MilliSeconds ms.","DSM Service is entering a retry sequence because soft (retryable) errors were encountered.","DSM Service is leaving the retry state, there have been Prop_RetryCycleCount retry cycles in this session.","DSM service has entered service mode 'Prop_CoreServiceMode'.","Device container 'Prop_DeviceName' (Prop_ContainerId) has been serviced, processed Prop_TaskCount tasks, and wrote Prop_PropertyCount properties in Prop_WorkTime_MilliSeconds ms.","DSM service was delayed by Prop_Seconds seconds for a driver query/download/install on device 'Prop_DeviceId'.","Device 'Prop_DeviceInstanceId' matched driver update Prop_PackageId.","Metadata package staging for device container Prop_ContainerId failed with error HRESULT.","Connection to the Windows Update service could not be established.","Connection to the Windows Metadata and Internet Services (WMIS) could not be established.","The Network List Manager reports no connectivity to the internet.","Driver update(s) was installed on device 'Prop_DevnodeId' in Prop_MilliSeconds ms.","Device container 'Prop_ContainerId' has entered the ready state.","Device setup for device container 'Prop_ContainerId' has been completed.","The IP address lease Address1 for the Network Card with network address HWAddress has been denied by the DHCP server Address2 (The DHCP Server sent a DHCPNACK message).","Domain change notification is received from DNS.","DHCPv4 client service is started.","DHCPv4 client service is stopped. ShutDown Flag value is DwordVal.","DHCPv4 client registered for shutdown notification.","DHCPv4 client received shutdown notification.","DHCPv4 client ProcessDHCPRequestForever received TERMINATE_EVENT.","DHCPv4 is waiting on DHCPv6 service to stop.","The installed server callout .dll file has caused an exception. The exception was.","The installed server callout .dll file has caused an exception. 
The exception was.","The DHCP service has failed to load one or more callout DLLs. The following error occurred.","MAC Address HWAddress in DUID DUID could not be found in the system. Generated new DUID NewDUID based on MAC address NewHWAddress.","DHCPv6 client service is started.","DHCPv6 client service is stopped. ShutDown Flag value is DwordVal.","DHCPv6 client service stop is almost done. DHCP Context Ref count is DwordVal.","Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) detected a problem for scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.","Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) started troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.","Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId. No resolution was set by the diagnostic module.","Diagnostic module () finished troubleshooting scenario , instance , original activity ID . It set resolution for user in session with expiration date . The resolution will be started immediately.","Diagnostic module () finished troubleshooting scenario , instance , original activity ID . It set resolution for user in session with expiration date . The resolution was queued to start later.","Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) started resolving scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.","Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished resolving scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.","Counter CounterId of instance (CounterSetGuid, InstanceName, InstanceId) could not be modified. 
Error: \"Error\".","Scheduled diagnostics have started.","Scheduled diagnostics have been completed.","The scheduled diagnostic task has started initializing a diagnostic package.","The scheduled diagnostic task has completed initialization of a diagnostic package.","The scheduled diagnostic task has started troubleshooting a diagnostic package.","The scheduled diagnostic task has completed troubleshooting a diagnostic package.","System maintenance detected issues requiring your attention. A notification was sent to Security and Maintenance.","The scripted diagnostic engine executed a diagnostic package located at PackagePath with ID PackageId.","The scripted diagnostic engine completed initializing a diagnostic package located at PackagePath.","The scripted diagnostic engine started diagnosing the diagnostic package PackageId.","The scripted diagnostic engine completed diagnosing the diagnostic package PackageId.","Windows has started up.","This application took longer than usual to start up, resulting in a performance degradation in the system startup process.","This driver took longer to initialize, resulting in a performance degradation in the system start up process.","Session manager initialization caused a slow down in the startup process.","Windows has shutdown.","This service caused a delay in the system shutdown process.","An error occurred when trying to add the account Name to the group AccountName. The problem, \"GroupName\", occurred when trying to open the group. Please add the account manually.","The error \"AccountName\" occurred when trying to create the well known account Name. Please contact PSS to recover.","An error occurred when trying to remove the account Name from the group AccountName. The problem, \"GroupName\", occurred when trying to remove the account from the group. 
Please remove the member manually.","The domain controller is starting a request for a new account-identifier pool.","The request for a new account-identifier pool has completed successfully.","Secured the machine account Name. The builtin\\account operators full control Access Control Entry was removed from the security descriptor on this object.","The domain is configured with the following minimum password length-related settings.","The security account manager is now logging periodic summary events for remote clients that call legacy password change or set RPC methods.","DCOM got error \"param1\" attempting to start the service param2 with arguments \"param3\" in order to run the server.","The server did not register with DCOM within the required timeout.","The permission settings do not grant permission for the COM Server application with CLSID.","Name resolution for the name QueryName timed out after none of the configured DNS servers responded.","The DNS server has started.","The DNS server has shut down.","The DNS server has finished the background loading and signing of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.","The DNS server could not bind a User Datagram Protocol (UDP) socket to Name. The event data is the error code. Restart the DNS server or reboot your computer.","The DNS server could not open socket for address Name.","The DNS server has loaded the zone param1 from file param2 on server param3. [virtualization instance: VirtualizationID].","The DNS server successfully autoconfigured.","The DNS server wrote version param1 of zone param2 to file param3.","The DNS Application Directory Partition param1 was created. The distinguished name of the root of this Directory Partition is param2.","The XfrScopeOptionValue has been set to Name. 
This option ID will be used to communicate the scope information during zone transfers via an OPT RR.","The zone Name was created with settings: Type=Type; Lookup=Lookup; ReplicationScope=ReplicationScope; ZoneFile=ZoneFile; [virtualization instance VirtualizationID].","The zone Zone was updated. The PropertyKey setting has been set to NewValue. [virtualization instance: VirtualizationID].","A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was created in scope ZoneScope of zone Zone via dynamic update from IP Address Source.","A resource record of type Type, name NAME and RDATA RDATA was deleted from scope ZoneScope of zone Zone via dynamic update from IP Address Source.","The setting Setting on scope Scope has been set to NewValue.","A driver package which uses user-mode driver framework version UMDFDeviceInstallBegin.FrameworkVersion is being installed on device UMDFDeviceInstallBegin.DeviceId.","The UMDF service UMDFServiceInstall.ServiceName (CLSID UMDFServiceInstall.CLSID) was installed. It requires framework version UMDFServiceInstall.MinimumFxVersion or higher.","The driver package installation has succeeded.","Audit events have been dropped by the transport. AuditEventsDropped.Reason.","The event logging service encountered an error while processing an incoming event from publisher PublisherName and trying to process the metadata for it.","The event logging service encountered an error while processing an incoming event published from EventProcessingFailure.PublisherID.","Provider Enumeration Task Start Time. Provider: message.","Provider Enumeration Task Complete Time. Provider: message.","Volumes Canvas Volume Tile load starting. Time: message.","Volumes Canvas Volume Tile load completed. 
Time: message.","File System Filter 'DeviceName' (Version DeviceVersionMajor.DeviceVersionMinor, DeviceTime) unloaded successfully.","File System Filter 'DeviceName' (DeviceVersionMajor.DeviceVersionMinor, DeviceTime) has successfully loaded and registered with Filter Manager.","File System Filter 'DeviceName' (Version DeviceVersionMajor.DeviceVersionMinor, DeviceTime) does not support bypass IO.","Subscription policy has changed. Forwarder is adjusting its subscriptions according to the subscription manager(s) in the updated policy.","Starting CSEExtensionName Extension Processing.","Group Policy Service started.","Started the Group Policy service initialization phase.","Group Policy Session started.","Group Policy receiving applicable GPOs from the domain controller.","Starting to download policies.","Group Policy is trying to discover the Domain Controller information.","Completed CSEExtensionName Extension Processing in CSEElaspedTimeInMilliSeconds milliseconds.","Group Policy Service stopped.","Successfully completed the Group Policy Service initialization phase.","Group policy session completed successfully.","Group Policy successfully got applicable GPOs from the domain controller.","Successfully completed downloading policies.","The loopback policy processing mode is PolicyProcessingMode.","Next policy processing for PrincipalSamName will be attempted in NextPolicyApplicationTime NextPolicyApplicationTimeUnit.","Group Policy waited for TimeWaitedAtStartup milliseconds for the network subsystem at computer boot.","Group Policy received the notification NotificationType from Winlogon for session SessionId.","Group Policy received NotificationType notification from Service Control Manager.","Group Policy successfully discovered the Domain Controller in DCDiscoveryTimeInMilliSeconds milliseconds.","The Group Policy processing mode is PolicyApplicationMode.","Group policy session returned to winlogon.","Group Policy bandwidth estimation failed. 
Group Policy processing will continue. Assuming LinkDescription link.","Group Policy Winlogon status reporting has completed.","Group Policy Winlogon Start Shell handling completed.","Group Policy failed to discover the Domain Controller details in DCDiscoveryTimeInMilliSeconds milliseconds.","Completed computer boot policy processing for PrincipalSamName in PolicyElaspedTimeInSeconds seconds.","Completed user logon policy processing for PrincipalSamName in PolicyElaspedTimeInSeconds seconds.","Completed manual processing of policy for computer PrincipalSamName in PolicyElaspedTimeInSeconds seconds.","Completed manual processing of policy for user PrincipalSamName in PolicyElaspedTimeInSeconds seconds.","Completed periodic policy processing for computer PrincipalSamName in PolicyElaspedTimeInSeconds seconds.","The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy.","The Group Policy settings for the user were processed successfully. There were no changes detected since the last successful processing of Group Policy.","IOMMU fault reporting has been initialized.","Windows Hello for Business prerequisites check started.","Multi-factor unlock policy is not configured on this device.","Windows Hello for Business prerequisites check failed.","The Primary Account Primary Refresh Token prerequisite check failed.","The ServiceName service started successfully.","Windows Hello for Business prerequisites check completed successfully.","Windows Hello for Business successfully completed the remote desktop prerequisite check.","Attempted to reserve URL Url. Status ReserveStatus. Process Id ProcessId Executable path ExecutablePath, User UserSid.","Removed URL (Url) from URL group (UrlGroupId). Process Id ProcessId Executable path ExecutablePath, User UserSid.","Delete URL group UrlGroupId. Status Status. 
Process Id ProcessId Executable path ExecutablePath, User UserSid.","The Host Compute Service started successfully.","Cannot create system 'VmlEventLog.SystemId' since Hyper-V is not installed on the host.","The Host Compute Service is starting.","[VmlEventLog.SystemId] Create compute system, result VmlEventLog.Result.","[VmlEventLog.SystemId] Queue system notification: VmlEventLog.Parameter0 / VmlEventLog.Parameter1.","[VmlEventLog.SystemId] Create Virtual Machine.","Hypervisor launch failed; Either VMX not present or not enabled in BIOS.","V-Switch operation () took too long to complete. Operation Type: . Execution time ms. Queued time ms. Expected execution time less than ms. . .","vmswitch.sys build BuildNumber.BuildArch.BuildBranch, debug Debug, official Official, Date Time.","There are EntryCount boot options on this system.","The last shutdown's success status was LastShutdownGood. The last boot's success status was LastBootGood.","The boot menu policy was BootMenuPolicy.","The boot type was BootType.","The bootmgr spent BitlockerUserInputTime ms waiting for user input.","EFI time zone bias: EfiTimeZoneBias. Daylight flags: EfiDaylightFlags.","Crash dump disabled.","The operating system started at system time StartTime.","The operating system is shutting down at system time StopTime.","Hive HiveName was reorganized with a starting size of OriginalSize bytes and an ending size of NewSize bytes.","The time zone bias has changed to NewBias from OldBias.","The time zone information was refreshed with exit reason ExitReason. 
Current time zone bias is CurrentBias.","Windows has started processing the volume mount request.","The volume has been successfully mounted.","Device DeviceInstanceId requires further installation.","The driver FailureName failed to load.","The system is entering sleep.","Active battery count change.","The system session has transitioned from PreviousSessionId to NextSessionId.","The system has prepared for a system initiated reboot from AdaptiveTargetState.","Processor in group exposes the following.","WHEA successfully initialized.","WHEA event log entry.","Error hrError occurred while creating known folder FolderId with path 'Path'.","Error hrError occurred while verifying known folder FolderId with path 'Path'.","Error hrError occurred while initializing known folder FolderId with path 'Path'.","LPRemove launched.","LPRemove terminating.",0,"Operation: Operation.","ErrorVerifier in function FunctionName encountered unexpected error code (ErrorCode).","Performance counters for the () service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.","Performance counters for the () service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.","Performance counters for the () service are already in the registry, no need to reinstall. This only happens when you install the same counter twice. The second time install will generate this event.","MUI notification for UI Language change has been invoked with flags set to Flags and the new languages set to NewLanguage and the previous languages set to PrevLanguage. 
The extended flags is set to ExtendedFlag.","MUI notification callback API FunctionName in FileName returned with code ReturnValue.","Network (String1) got qualified for automatic setup of network connected devices.","Network State Change Fired.","NTFS has sent volume dismount event notification and is waiting for the notifications to complete.","The volume dismount event notification on the NTFS volume has completed.","NTFS global corruption action state is now hc_stateid.","For internal use only.","Windows cannot load the extensible counter DLL \"C:\\Windows\\system32\\ntdsperf.dll\" (Win32 error code 126!s!).","The system has returned from a low power state.","Creating Runspace object.","Creating RunspacePool object.","Opening RunspacePool.","Modifying activity Id and correlating.","Modifying activity Id and correlating.","param1 initialization failed at param2. Error: Error. This can occur because of system instability or a lack of system resources.","The default printer was changed to NewDefaultPrinter. See the event user data for context information.","Printer param1 was created. No user action is required.","Printer param1 was deleted, and users will no longer be able to print to this printer. No user action is required.","Printer param1 will be deleted. No user action is required.","Printer param1 was resumed. No user action is required.","Settings for printer param1 were changed. No user action is required.","Printer driver param1 was deleted. 
No user action is required.","Rendering job RenderJobDiag.JobId.","Printer PrinterName was shared by the print spooler as ShareName.","Printer PrinterName shared as ShareName was unshared by the print spooler.","Allow access to SettingName on this device default setting successfully created as NewConsentValue.","Allow apps to access your SettingName setting default for user TargetUserSid successfully created as NewConsentValue.","User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName default successfully created as NewConsentValue.","During app AppPackageFamilyName installation setting SettingName default set for user TargetUserSid as NewConsentValue.","During app AppPackageFamilyName installation setting SettingName default failed to be set.","The process 'param1' was terminated by the process 'param2' with termination code param3. The creation time for the exiting process was 0xparam4.","ProvXML category 'Message1' completed successfully. Message2.","Settings detail.","RegisterForCspAlerts succeeded. 
EnrollmentId = Message1.","The Connection Provider status changed to Status.","ConnectWork is requesting ConnectionManager to connect.","Device Compact Ticket request completed with Device Id DeviceId for the ConnectionType.","WNP Transport Layer Disconnect call initiated for the ConnectionType.","WNP Transport Layer Disconnect call completed for the ConnectionType.","WNP Transport Layer resolving DNS initiated for host HostName for the ConnectionType.","WNP Transport Layer resolving DNS completed for the ConnectionType with code ErrorCode.","WNP Transport Layer initial server connection initiated to server HostName on port Port for the ConnectionType.","WNP Transport Layer initial server connection completed to server HostName on port Port for the ConnectionType.","WNP Transport Layer TLS negotiation initiated for the ConnectionType.","WNP Transport Layer TLS negotiation completed for the ConnectionType with code ErrorCode.","WNP Keep Alive Detector starting Test Connection.","The KA value has converged. Now disconnect test connection.","WNP Transport Layer for ConnectionType detected preferred interface change. Old index OldIndex, old address family OldAddressFamily. New index NewIndex, new address family NewAddressFamily, NDIS_PHYSICAL_MEDIUM NewPhysicalMediumType.","WNP Transport Layer for ConnectionType called InitializeSecurityContext and got return code Error.","WNP Transport Layer for ConnectionType received asynchronous connection error SocketError.","Adding new user to the Windows Push Notification Service. DeviceId [DeviceId] UserId [UserId] UserType [UserType].","Removing existing user from the Windows Push Notification Service. DeviceId [DeviceId] UserId [UserId] UserType [UserType].","Adding new user to the Windows Push Notification Service completed. DeviceId [DeviceId] UserId [UserId] Error [ErrorCode].","Removing existing user from the Windows Push Notification Service completed. 
DeviceId [DeviceId] UserId [UserId] Error [ErrorCode].","WNP Transport Layer for ConnectionType detected first fallback interface change. Old index OldIndex, old address family OldAddressFamily. New index NewIndex, new address family NewAddressFamily, NDIS_PHYSICAL_MEDIUM NewPhysicalMediumType.","Tile session creation is requested for ProcessName endpoint Object.","Tile session creation is finished for ProcessName from endpoint Endpoint with result Error, and SessionId is assigned as session id. Queued Closes = QueuedTileCloses, Queued Cleanups = QueuedTileCleanups.","Tile session SessionId is being closed.","Tile session SessionId is closed with error code Error.","Toast session creation is requested for ProcessName from endpoint Object.","Toast session creation is finished for ProcessName from endpoint Endpoint with result Error, and SessionId is assigned as session id.","Toast session SessionId is being closed.","Toast session SessionId is closed with error code Error.","Endpoint Object is being cleanedup.","Toast with notification tracking id TrackingId is being delivered to AppUserModelId on session SessionId.","Some toast notifications have been cleared - informed session SessionId.","NotificationType are being cleared for AppUserModelId - informed session SessionId.","Presentation Endpoint received a call to close session SessionId.","Presentation Endpoint ended a call to close session SessionId.","The device (DeviceName) will not be used for a ReadyBoost cache because the device is too small. Size: IntValue MB. Minimum Size: SecondIntValue MB.","A defrag. operation has completed. A boot plan will be calculated soon. Defrag. 
Timestamp (UTC): DeviceName.","Remote Assistance COM server has started.","Remote Assistance COM server has ended.","Remote Desktop Protocol will use the RemoteFX guest mode module to connect to the client computer.","Connection ConnectionName created.","The connection ConnectionName was assigned to session SessionID.","TMT: ConnectionName=ConnectionName, PromptForCredentials=PromptForCredentials, PromptForCredentialsDone=PromptForCredentialsDone, GfxChannelOpened=GfxChannelOpened, FirstGraphicsReceived=FirstGraphicsReceived [ms].","The listener listens with display driver DisplayDriverName available.","The connection ConnectionName uses display driver DisplayDriverName.","Interface method called: Interface_method_called.","A TCP connection has been successfully established.","The server has confirmed that the client's multi-transport capability.","The network characteristics detection function has been disabled because of ReasonString.","The server has terminated main RDP connection with the client.","The disconnect reason is ReasonCode.","Client timezone is TimezoneBiasHour hour from UTC.","Received Disconnect Provider Indication from the client.","The server is using TransportProtocolName to bind to port Port.","The server accepted a new ConnType connection from client ClientIP.","A channel ChannelName has been connected between the server and the client using transport tunnel: TunnelID.","PerfCounter session started with instance ID InstanceID.","TCP socket READ operation failed, error error.","TCP socket WRITE operation failed, error error.","Channel ChannelName has been closed between the server and the client on transport tunnel: TunnelID.","The client supports RDP 7.1 or lower protocol. Server: Server.","The resolution requested by the client: Monitor MonitorNum: (MonitorWidth, MonitorHeight), origin: (MonitorX, MonitorY). Server: ServerName.","The client operating system type is (MajorType, MinorType). 
Server: ServerName.","StateTransition: An error was encountered when transitioning from PreviousStateName in response to EventName (error code ErrorCode).","Disconnect trace:Disconnect_trace %2, Error code:%3.","The connection is not using advanced RemoteFX RemoteApp graphics.","The Windows Resource Exhaustion Detector started.","The Windows Resource Exhaustion Detector stopped.","The Windows Resource Exhaustion Resolver started.","The Windows Resource Exhaustion Resolver received a notification to perform memory leak diagnosis. This notification was processed and dropped.","The Windows Resource Exhaustion Resolver received an event from the Windows Resource Exhaustion Detector.","Starting session - .","Ending session started .","Shutting down application or service 'VMware Snapshot Provider'.","Machine restart is required.","Application 'C:\\Program Files\\WindowsApps\\MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy\\Dashboard\\Widgets.exe' (pid 6212) cannot be restarted - 1.","Windows is starting up.","Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.","Invalid use of LPC port.","A monitored security event pattern has occurred.","Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.","User / Device claims information.","An IPsec main mode security association was established. Extended mode was not enabled. Certificate authentication was not used.","An IPsec main mode security association was established. Extended mode was not enabled. 
A certificate was used for authentication.","An IPsec main mode negotiation failed.","An IPsec quick mode negotiation failed.","An IPsec main mode security association ended.","A handle to an object was requested with intent to delete.","An attempt was made to create an application client context.","An application attempted an operation.","An application client context was deleted.","An application was initialized.","An application attempted to access a blocked ordinal through the TBS.","Indirect access to an object was requested.","A trust to a domain was removed.","The IPsec Policy Agent service was started.","Data Recovery Agent group policy for Encrypting File System (EFS) has changed. The new changes have been applied.","The audit policy (SACL) on an object was changed.","Trusted domain information was modified.","A security-disabled local group was changed.","A member was added to a security-disabled local group.","A member was removed from a security-disabled local group.","A security-disabled local group was deleted.","A security-disabled universal group was changed.","A member was added to a security-disabled universal group.","A member was removed from a security-disabled universal group.","A security-disabled universal group was deleted.","A Kerberos service ticket request failed.","An account was mapped for logon.","An account could not be mapped for logon.","A basic application group was changed.","A member was added to a basic application group.","A member was removed from a basic application group.","A non-member was added to a basic application group.","A non-member was removed from a basic application group.","A basic application group was deleted.","A basic application group was changed.","An LDAP query group was deleted.","The Password Policy Checking API was called.","The screen saver was invoked.","The screen saver was dismissed.","RPC detected an integrity violation while decrypting an incoming message.","Proposed Central Access Policy does 
not grant the same access permissions as the current Central Access Policy.","Central Access Policies on the machine have been changed.","A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.","A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.","Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.","SID History was removed from an account.","A namespace collision was detected.","A trusted forest information entry was removed.","A trusted forest information entry was modified.","Certificate Services backup completed.","Certificate Services restore started.","Certificate Services restore completed.","Certificate Services retrieved an archived key.","Certificate Services imported a certificate into its database.","A configuration entry changed in Certificate Services.","Certificate Services archived a key.","Certificate Services imported and archived a key.","Certificate Services published the CA certificate to Active Directory Domain Services.","Certificate Services template security was updated.","The CrashOnAuditFail value has changed.","The local policy settings for the TBS were changed.","The group policy settings for the TBS were changed.","Central Access Policy on the object was changed.","An Active Directory replica source naming context was established.","An Active Directory replica source naming context was modified.","An Active Directory replica destination naming context was modified.","Synchronization of a replica of an Active Directory naming context has begun.","Synchronization of a replica of an Active Directory naming context has ended.","Attributes of an Active Directory object were replicated.","Replication failure begins.","Replication failure ends.","A lingering object was removed from a replica.","Windows Firewall settings were restored to the default 
values.","Windows Firewall ignored a rule because its major version number is not recognized.","Windows Firewall ignored parts of a rule because its minor version number is not recognized. Other parts of the rule will be enforced.","Group Policy settings for Windows Firewall were changed, and the new settings were applied.","Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.","IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.","IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.","During main mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.","During quick mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.","During extended mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.","IPsec main mode and extended mode security associations were established.","IPsec main mode and extended mode security associations were established.","IPsec main mode and extended mode security associations were established.","IPsec main mode and extended mode security associations were established.","An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.","An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.","The Windows Firewall service started successfully.","The Windows Firewall service was unable to retrieve the security policy from the local storage. 
Windows Firewall will continue to enforce the current policy.","Windows Firewall was unable to parse the new security policy. Windows Firewall will continue to enforce the current policy.","The Windows Firewall service failed to initialize the driver. Windows Firewall will continue to enforce the current policy.","The Windows Firewall service failed to start.","Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.","The Windows Firewall Driver started successfully.","The Windows Firewall Driver failed to start.","The Windows Firewall Driver detected a critical runtime error, terminating.","A registry key was virtualized.","A change was made to IPsec settings. An authentication set was added.","A change was made to IPsec settings. An authentication set was modified.","A change was made to IPsec settings. An authentication set was deleted.","A change was made to IPsec settings. A connection security rule was modified.","A change was made to IPsec settings. A crypto set was added.","A change was made to IPsec settings. A crypto set was modified.","A change was made to IPsec settings. 
A crypto set was deleted.","An IPsec security association was deleted.",0,"A file was virtualized.","A cryptographic self test was performed.","A cryptographic primitive operation failed.","Verification operation failed.","A kernel-mode cryptographic self test was performed.","A cryptographic provider operation was attempted.","A cryptographic context operation was attempted.","A cryptographic context modification was attempted.","A cryptographic function operation was attempted.","A cryptographic function modification was attempted.","A cryptographic function provider operation was attempted.","A cryptographic function property operation was attempted.","A cryptographic function property modification was attempted.","OCSP Responder Service Started.","OCSP Responder Service Stopped.","A Configuration entry changed in the OCSP Responder Service.","Signing Certificate was automatically updated by the OCSP Responder Service.","The OCSP Revocation Provider successfully updated the revocation information.","A directory service object was undeleted.","The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.","The DoS attack has subsided and normal processing is being resumed.","The Windows Filtering Platform has blocked a packet.","A more restrictive Windows Filtering Platform filter has blocked a packet.","A more restrictive Windows Filtering Platform filter has blocked a packet.","Spn check for SMB/SMB2 fails.","The requested credentials delegation was disallowed by policy.","The following callout was present when the Windows Filtering Platform Base Filtering Engine started.","An IPsec quick mode security association was established.","An IPsec quick mode security association ended.","IPsec Policy Agent applied Active Directory storage IPsec policy on the computer.","IPsec Policy Agent failed to apply Active Directory storage IPsec policy on the computer.","IPsec Policy Agent applied 
locally cached copy of Active Directory storage IPsec policy on the computer.","IPsec Policy Agent failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.","IPsec Policy Agent applied local registry storage IPsec policy on the computer.","IPsec Policy Agent failed to apply local registry storage IPsec policy on the computer.","IPsec Policy Agent failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.","IPsec Policy Agent loaded local storage IPsec policy on the computer.","IPsec Policy Agent failed to load local storage IPsec policy on the computer.","IPsec Policy Agent loaded directory storage IPsec policy on the computer.","IPsec Policy Agent failed to load directory storage IPsec policy on the computer.","IPsec Policy Agent failed to add quick mode filter.","The IPsec Policy Agent service failed to initialize its RPC server. The service could not be started.","A request was made to authenticate to a wireless network.","A request was made to authenticate to a wired network.","A Remote Procedure Call (RPC) was attempted.","Security policy in the group policy objects has been applied successfully.","One or more errors occured while processing security policy in the group policy objects.","Network Policy Server granted access to a user.","Network Policy Server discarded the request for a user.","Network Policy Server discarded the accounting request for a user.","Network Policy Server quarantined a user.","Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.","Network Policy Server granted full access to a user because the host met the defined health policy.","Network Policy Server locked the user account due to repeated failed authentication attempts.","Network Policy Server unlocked the user account.","BranchCache: Received an incorrectly formatted response while discovering 
availability of content.","BranchCache: Received invalid data from a peer. Data discarded.","BranchCache: The message to the hosted cache offering it data is incorrectly formatted.","BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.","BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.","BranchCache: Count instance(s) of event id EventId occurred.","Registered product ProductName failed and Windows Firewall is now controlling the filtering for Categories.","BranchCache: A service connection point object could not be parsed.","Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues.","The installation of this device was allowed, after having previously been forbidden by policy.","Process 'ProcessPath' (PID CallingProcessId) would have been blocked from generating dynamic code.","Process 'ProcessPath' (PID CallingProcessId) was blocked from generating dynamic code.","Process 'ProcessPath' (PID CallingProcessId) would have been blocked from creating a child process 'ChildImagePathName' with command line 'ChildCommandLine'.","Process 'ProcessPath' (PID CallingProcessId) was blocked from making system calls to Win32k.sys.","SLUI event written to notify Security and Maintenance of change in activation state.","Service is starting (Version parameter).","Contacted server UInt1 times, all succeeded, URI: Message1.","The device onboarded correctly. Normal operating notification; no action required. It might take several hours for the device to appear in the portal.","Windows Defender Advanced Threat Protection machine ID calculated: parameter.","Communication quotas are updated. Disk quota in MB: diskSizeQuotaValue, daily upload quota in MB: dailyUploadQuotaValue.","Connected User Experiences and Telemetry service registration succeeded with completion code: HRESULT. 
Requested disk quota in MB: diskSizeQuotaValue, requested daily upload quota in MB: dailyUploadQuotaValue.","The device is using a metered/paid network and contacts the server less frequently. Normal operating notification; no action required.","The device isn't using a metered/paid connection and contacts the server as usual. Normal operating notification; no action required.","The device has low battery level and contacts the server less frequently. Normal operating notification; no action required.","New cloud configuration applied successfully. Version: parameter.","Cloud configuration loaded from persistent storage, version: parameter.","Starting command: parameter.","Failed to run command CommandName, error: HRESULT.","Updating the start type of external service. Name: ServiceName, actual start type: ActualStartType, expected start type: ExpectedStartType, exit code: ErrorCode.","Starting stopped external service. Name: Starting_stopped_external_service_Name, exit code: exit_code.","Policy update: Latency mode - parameter.","The start type of the service is unexpected. Service name: ServiceName, actual start type: ActualStartType, expected start type: ExpectedStartType.","The service is stopped. Service name: parameter.","Succeeded to run command: parameter.","Tried to send first full machine profile report. Result code: HRESULT.","Sense starting for platform: platformBitMask.","Set Windows Defender Antivirus running mode. Force passive mode: forcePassiveMode, result code: HRESULT.","The SenseCE executable has started. Normal operating notification; no action required.","The SenseCE executable has ended. Normal operating notification; no action required.","The SenseNdr executable has started. Normal operating notification; no action required.","The SenseNdr executable has ended. Normal operating notification; no action required.","Successful registration to authentication service. 
Normal operating notification; no action required.","Successful crypto key generation. Normal operating notification; no action required.","Request for error_code rejected by authentication service. Hresult: requestType, error code: HRESULT .","Cyber upload temporarily suspended. Normal operating notification; no action required.","Cyber upload successfully resumed. Normal operating notification; no action required.","Starting a GetServerComponent request.","Completed processing the GetServerComponent request. Restart required: restartRequired.","Processing request to add Server Components: serverComponentNames.","Add request complete. Server Components added: serverComponentNames.","Server components require the Id property. Container Update: ptzMessage.","Server components require the DisplayName property. Container Update: ptzMessage.","Server components require the Description property. Feature: ptzMessage.","CBS Session message status. IsComplete: message2 hResult: ErrorCode.","Using existing component cache from memory. Count: value.","Component cache read from registry. Count: value.","Component cache loaded from Dism. Count: value.","Partial install detected. 
Component ptzMessage1 depends on uninstalled component ptzMessage2.","Loading the management provider.","Unloading the management provider.","Get performance collector state task start.","Get performance collector state task complete.","Get server inventory task started.","Get server inventory task complete.","Get server inventory task failed.","Failure opening metadata of the owning provider for channel: Name [hResult = hResult, hLastResult = hLastError].","Get server feature task started, flags: uValue.","Get server feature task complete, total features returned: uValue.","Get server feature task failed, error: hResult.","Get server event detail task started, number of logs: uValue.","Get server event detail task complete, number of results: uValue.","Get bpa result task start: TotalXPaths.","Get bpa result task complete: ResultsReturned.","Get server service detail task start. Number of service requested: uValue.","Get server service detail task complete. Number of services returned: uValue.","Failed to query the results of bpa xpath: XPath. error: Error, last error: LastError.","Refresh scheduler started.","Short circuit refresh.","Child job completed. Command: Command, Target: Target, State: State, Proxy Instance ID: ID.","Parent job completed. Command: Command, Target: Target, State: State, Proxy Instance ID: ID.","Plugin load started for Role Id roleId.","Plugin load stopped for Role Id roleId.","Plugin unload started for Role Id roleId.","Plugin registration information is loaded.","ARW launch command started.","ARW launch command completed.","Started initializing service provider.","Completed initializing service provider.","Boot loader started.","Boot loader completed.","Main window initialized.","Server manager shutdown started.","Splash screen started.","Splash screen stopped.","Server manager shutdown stopped.","User settings save started.","User settings save stopped.","Completed the post deployment task. Description. 
Source=Source.","Automation job created. Owner: Owner, Command: Command, Target: Target, Tracked: Tracked. Rehydrated: Rehydrated.","Exception reported to data collection. Server: MachineName. OperationName: OperationName. MessageID: MessageId. Message: Message.","Connection to M3P starting.","Connection to M3P completed.","Refresh session started. Source: RefreshTriggerSource. Categories: Category. Servers: Machines. Id: ID.","Refresh session completed. Id: ID.","Local server properties refresh started.","Local server properties refresh completed.","Completed services modification job.","Starting WinRM service status check. Status: serviceStatus, Exception: exception.","Completed WinRM service status check. Status: serviceStatus, Exception: exception.","Refresh item completed. Server: MachineName, Session Item Count: Count.","Creating new session. Server: serverName, Protocol: protocol, User: userName.","Invoke method started. Server: serverName, Namespace: namespaceName, Class: wmiClassName, Method: methodName.","Invoke method completed. Server: serverName, Namespace: namespaceName, Class: wmiClassName, Method: methodName.","Invoke method data received. Server: serverName, Namespace: namespaceName, Class: wmiClassName, Method: methodName.","Invoke method non-terminating error received. Server: serverName, Namespace: namespaceName, Class: wmiClassName, Method: methodName, Error Code: errorCode, Error Message: errorMessage.","Async job creation started. Command: Command, Target: Target, State: State, Proxy Instance ID: ID.","Deployment Wizard is launched. Target Server: serverName.","Deployment Wizard is closed. Target Server: serverName.","Deployment Wizard repository loading start. Target Server: serverName.","Deployment Wizard repository loading completed. Target Server: targetServer. Status: Message.","Deployment Wizard component selected. ComponentId: componentId. Display Name: displayName.","Deployment Wizard component unselected. ComponentId: componentId. 
Display Name: displayName.","Deployment Wizard target server collection has changed.","Deployment Wizard page enter. Page title: pageTitle.","Deployment Wizard page exit. Page title: pageTitle.","Deployment Wizard commit action started. Target Server: MachineName, Job: JobName.","Deployment Wizard commit action completed. Target Server: MachineName. Job: JobName. Status: Status. Reason Reason.","Deployment Wizard component selection step completed. ComponentId: componentId. Display Name: displayName.","Deployment Wizard component unselection completed. ComponentId: componentId. Display Name: displayName.","Deployment plugin loading started. RoleId: roleId.","Deployment plugin loading completed. RoleId: roleId. Status: Status.","Deployment component pages added. ComponentId: componentId.","Deployment component pages removed. ComponentId: componentId.","Add-_InternalWindowsRole workflow ended, TargetComputer:targetComputer, RequestState:requestState, RebootRequired: restartRequired, ErrorMessage: errorMessage, ErrorId: errorId, ErrorCategory: errorCategory, Warning: warnings.","Package CbsPackageChangeState.PackageIdentifier was successfully changed to the CbsPackageChangeState.IntendedPackageState state.","A reboot is necessary before package CbsPackageChangeState.PackageIdentifier can be changed to the CbsPackageChangeState.IntendedPackageState state.","Initiating changes to turn off update updateName of package identifier. 
Client id: client.","Selectable update CbsUpdateChangeState.UpdateName of package CbsUpdateChangeState.PackageIdentifier was successfully turned on.","Selectable update updateName of package identifier was successfully turned off.","A reboot is necessary before the selectable update CbsUpdateChangeState.UpdateName of package CbsUpdateChangeState.PackageIdentifier can be turned on.","Successfully logged Setup information.","Successfully logged OS information.","AppDefault Info: Info.","RunOnce commands started.","RunOnce commands finished.","Started enumeration of commands for registry key 'KeyName'.","Finished enumeration of commands for registry key 'KeyName'.","Finished execution of command 'Command' (PID PID).","AppResolver Scan Started.","AppResolver Scan Stopped.","AppResolver Cache Committed.","AppResolver has parsed the visual elements manifest for a tile.","Shortcut for application Name with ID AppID and flags Flags is updated in app resolver cache.","Starting to refresh app resolver cache for scenario Scenario with flags Flags.","Updating install state of package PackageFamilyName to 'InstallState' with HRESULT ErrorCode.","Package PackageFamilyName failed to install with HRESULT ErrorCode.","Logon task 'TaskName' started with flags LogonType.","Logon task 'TaskName' finished with flags LogonType.","OOBE Health Monitor. Version: DataVersion, Health flags: HealthStateFlags, Census flags: CensusFlags, Seconds since boot: SecondsSinceBoot, Image identifier: 'ImageIdentifier', Detailed info: 'TrackingInfo'.","Initialization of collection: collectionName has started. 
Reason: initializationReason.","The following selection data was used to choose an initial collection: layoutSelectionSerializedString.","The collection initialization pipeline is attempting to find an initial collection.","The collection initialization pipeline got an initial collection from the following provider: layoutProviderName.","Starting post processing of the selected initial collection.","The layoutProviderName post processor has succesfully completed its post processing of the initial collection.","Post processing of the selection initial collection complete.","The collection initialization pipeline is starting to write the collection data to permanent storage.","The collection is being written to the value data store.","The tileIdentifier tile was successfully written to storage.","The collection initialization pipeline has finished writing the collection data to permanent storage.","The automatic installation of placeholder tiles has started.","The automatic installation of placeholder tiles is complete.","appSize apps have been queued for auto-install.","The collection initialization background task has started processing.","The collection initialization background task has completed processing.","The following group was successfully writen to the collection: containerName X:containerXPosition Y:containerYPosition.","GetCollection was called for collection value which does not exist and will be initialized.","Created group with guid:itemId under parent containerId in collection: collectionName.","Created tile identifier:itemName and guid:itemId and added it to parent: containerId in collection: collectionName.","Removed tile identifier:itemName and guid:itemId from parent: containerId in collection: collectionName.","Item added to root named:value.","An update to the root container was saved to CDS.","Data Store Cache secondary data reconciliation start.","Data Store Cache secondary data reconciliation end.","Install progress state changed for 
package:packageFamilyName to state:InstallState.","Install completed for package:packageFamilyName with state: InstallState.","The server name cannot be resolved.","Added a TCP/IP transport interface.","Deleted a TCP/IP transport interface.","Added a TDI transport interface.","Deleted a TDI transport interface.","Endpoint added.","Endpoint removed.","One or more named pipes or shares have been marked for access by anonymous users. This increases the security risk of the computer by allowing unauthenticated users to connect to this server.","The file and printer sharing firewall ports are currently closed. This is the default configuration for a system that is not sharing content or is on a Public network.","Sent RDMA EventData.NotificationType event to LanmanServer for interface EventData.InterfaceName.","Send RDMA Endpoint notification failure - EventData.FailureType.","RDMA Send endpoint notification RPC failure for device EventData.DeviceName - EventData.FailureType.","Received Mib notification type EventData.NotificationType for interface EventData.InterfaceIndex.","TDI mode enabled: IsTdiEnabled.","SMB Session Authentication Failure.","Blocking requests [Options=Options, ClientId=ProcessId].","StateRepository service started [ProcessId=ProcessId].","ANALYZE command has run; database statistics are updated [Partition=Partition, ProcessId=ProcessId, Scope=Scope].","StateRepository partition Partition exists and ready for use [SchemaVersion=SchemaVersion].","RepositoryManagerServerUpgrade with options: Options.","Migration completed successfully [Machine: Disposition=MachineDisposition, PreviousVersion=PreviousMachineVersion] [Deployment: Disposition=DeploymentDisposition, PreviousVersion=PreviousDeploymentVersion].","Waiting TimeoutMSecmsec for requests in progress to complete.","Waited ElapsedTimeMSecmsec for requests in progress to complete.","Maintenance has been performed.","Checkpoint has been performed.","SRCache successfully initialized 
[Options=Options].","SRCache successfully updated [Options=Options].","The Windows Storage Provider host service was started successfully.","The Windows Storage Management WMI Provider was loaded.","A Windows Storage Management WMI enumeration operation was performed.","A Windows Storage Management WMI get instance operation was performed.","A Windows Storage Provider was loaded successfully.","Shutdown has been initiated for the Windows Storage Provider host service.","Shutdown for the Windows Storage Provider host service has been completed.","The Windows Storage Spaces and Disk provider was loaded.","Successfully initialized the Storage Management Provider.","Successfully initialized Extended Storage Spaces API.","Physical disk DriveId arrived.","Completing a failed non-ReadWrite SCSI SRB request.","Process Name: Process Name.","State Machine: Thread ID: State Machine Name: Dispatch: Event Name => Current State.","State Machine: Thread ID: Current State Change: New State => State Machine Name.","NVMe Health Information Log for Storport Device (Port = PortNumber, Path = PathID, Target = TargetID, Lun = LUN).","The miniport logged a health event.","The miniport logged a health event.","Error summary for Storport Device (Port = PortNumber, Path = PathID, Target = TargetID, Lun = LUN) whose Corresponding Class Disk Device Guid is ClassDeviceGuid.","Performance summary for Storport Device (Port = PortNumber, Path = PathID, Target = TargetID, Lun = LUN) whose Corresponding Class Disk Device Guid is ClassDeviceGuid.","The miniport logged an event.","The miniport logged an event.","This is the first instance of the error seen during this time period.","Storport Device (Port = PortNumber, Path = PathID, Target = TargetID, Lun = LUN) was surprise removed.","Storport Device (Port = PortNumber, Path = PathID, Target = TargetID, Lun = LUN) has arrived.","Storport Device AdapterGuid (Port = PortNumber) was rescanned and changes were detected.","The miniport logged an 
event.","Storport storage D3 setting.","For internal use only.","For internal use only.","This event is generated when the system clipboard contents change.","Scoping started for shadowcopy .","Scoping completed for shadowcopy .","Scoping successfully completed for shadowcopy .","Maintenance state changed to Name (Last Run: hc_stateid).","Maintenance Task \"Name\" requests computer wakeup during next regular maintenance run.","Task Scheduler started \"UserContext\" instance of the \"Name\" task for user \"TaskName\".","Task Scheduler failed to start \"Name\" task for user \"TaskName\". Additional Data: Error Value: UserContext.","Task Scheduler successfully finished \"UserContext\" instance of the \"Name\" task for user \"TaskName\".","Task Scheduler failed to start instance \"TaskName\" of \"Name\" task for user \"InstanceId\" . Additional Data: Error Value: UserContext.","User \"TaskName\" registered Task Scheduler task \"Name\".","Task Scheduler launched \"TaskName\" instance of task \"Name\" due to a time trigger condition.","Task Scheduler launched \"TaskName\" instance of task \"Name\" according to an event trigger.","Task Scheduler launched \"TaskName\" instance of task \"Name\" according to a registration trigger.","Task Scheduler launched \"TaskName\" instance of task \"Name\" for user \"InstanceId\" .","Task Scheduler terminated \"TaskName\" instance of the \"Name\" task.","Task Scheduler could not launch task \"Name\" as scheduled. Instance \"TaskName\" is started now as required by the configuration option to start the task when available, if schedule is missed.","Task Scheduler launched \"TaskName\" instance of task \"Name\" due to system startup.","Task Scheduler launched \"UserName\" instance of task \"Name\" due to user \"TaskName\" logon.","User \"TaskName\" updated Task Scheduler task \"Name\".","Task Scheduler failed to complete task \"Name\" , instance \"TaskName\" , action \"TaskInstanceId\" . 
Additional Data: Error Value: ActionName.","Task Scheduler failed to launch action \"TaskInstanceId\" in instance \"TaskName\" of task \"Name\". Additional Data: Error Value: ActionName.","Task Scheduler did not launch task \"Name\" because instance \"TaskName\" of the same task is already running.","Task Scheduler queued instance \"TaskName\" of task \"Name\" and will launch it as soon as instance \"QueuedTaskInstanceId\" completes.","Task Scheduler queued instance \"TaskName\" of task \"Name\".","Task Scheduler stopped instance \"TaskName\" of task \"Name\" as request by user \"TaskInstanceId\" .","Task Scheduler service has started.","Task Scheduler service is shutting down.","Task Scheduler service started Task Compatibility module.","The user \"EventInfo.Username\", on client computer \"EventInfo.IpAddress\", met resource authorization policy requirements and was therefore authorized to connect to resource \"EventInfo.Resource\".","The user \"EventInfo.Username\", on client computer \"EventInfo.IpAddress\", connected to resource \"EventInfo.Resource\". Connection protocol used: \"EventInfo.ConnectionProtocol\".","The user \"EventInfo.Username\", on client computer \"EventInfo.IpAddress\", has initiated an outbound connection. 
This connection may not be authenticated yet.","Remote Desktop Services: Shell start notification received.","Plugin EventXML.messageName has been successfully initialized.","Remote Desktop Services is not accepting logons because setup is running.","Session has been disconnected, reason code.","Begin session arbitration.","End session arbitration.","Local multi-user session manager received system shutdown message.","Listener has started listening.","Listener received a connection.","RD Session Host Server role is not installed.","The Remote Connection Manager selected Kernel mode RDP protocol stack.","W32time service has started at Name (UTC), System Tick Count CurrentTime(UTC).","W32time service is stopping at Name (UTC), System Tick Count CurrentTime(UTC) with return code: TickCount.","NTP Client provider periodic status.","W32time Service periodic configuration and status message.","W32time service has set the system time to Name(UTC). Previous system time was NewTime(UTC). System Tick Count: OldTime.","W32time service has adjusted the system clock rate by Name PPM and the new nominal clock rate is AdjustmentPPM. Previous nominal clock rate was NewClockRate. System Tick Count: OldClockRate.","W32time Service configuration parameters have been updated. This may impact the fine-grained time synchronization accuracy.","NTP Client observed a change peer reachability. Ntp Client is now receiving time data from the following NTP Servers: Name. System Tick Count: AllNtpServers.","The time service is now synchronizing the system time with the reference time source Name with reference id TimeSource. Current local stratum number is TimeSourceRefId, System Tick Count: LocalStratumNumber.","W32time Service received notification to rediscover its time sources and/or resynchronize time. Reason Code:Name System Tick Count: ReasonCode.","Leap second configuration.","The time service is now synchronizing the system time with the time source Name with reference id TimeSource. 
Current local stratum number is TimeSourceRefId.","The time provider NtpClient is currently receiving valid time data from Name.","The time service has set the time with offset Name seconds.","NtpClient succeeds in resolving manual peer Name after a previous failure.","The time service has started advertising as a time source.","The time service has started advertising as a good time source.","Secure Boot Dbx update applied successfully.","This event triggers the TBS device identifier generation.","TZSync start.","TZSync stop.","Tenant IKey has been registered for telemetry usage.","Connection state - All connections have succeeded since the previous period.","Connection state - Some connections have failed since the previous period.","Connection state - Some connections have failed since the previous period.","The service has been started to the following state: Status.","Is the Internet available: State.","Is a free network available: State.","Is the Battery Saver state enabled: State.","Is the device in connected standby: State.","Diagnostic Data Collection Level.","The task Folder\\TaskName was successfully enabled.","Failed to enable task Folder\\TaskName. Error: ErrorCode.","Automatic registration failed at join phase.","Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: ExitCode. See http://go.microsoft.com/fwlink/?LinkId=623042.","Automatic device join pre-check tasks completed. 
Details.","Windows Hello for Business provisioning has encountered an error during policy evaluation.","The Workstation Service logged a device registration message.","The automatic device registration task will be triggered.","The User Profile Service has started successfully.","The User Profile Service has stopped.","Recieved user logon notification on session Session.","Finished processing user logon notification on session Session.","Recieved user logoff notification on session Session.","Finished processing user logoff notification on session Session.","Registry file File is loaded at HKU\\Key.","Disable background user hive upload task succeeded.","Logon type: LogonType.","Process ProcessPath (process ID:ProcessPid) reset policy scheme from OldSchemeGuid to NewSchemeGuid.","A reboot is required to complete device installation of device 'ERR_DEVICE_ID.DeviceId'.","The DeviceInstall service has started.","The DeviceInstall service is stopping (idle).","The DeviceInstall service is stopping (shutdown).","The DeviceInstall service has stopped.","The DeviceInstall service is starting.","The DeviceInstall service will not idle stop.","Driver Management concluded the process to install driver for Device Instance ID with the following status: .","Driver Management has concluded the process to add Service AddServiceID.ServiceName for Device Instance ID AddServiceID.DeviceInstanceID with the following status: AddServiceID.AddServiceStatus.","The VHD VhdFileName has come online (surfaced) as disk number VhdDiskNumber.","The VHD VhdFileName has been removed (unsurfaced) as disk number VhdDiskNumber.","Handle for virtual disk '' created successfully. 
VM ID = , Type = , Version = , Flags = , AccessMask = , WriteDepth = , GetInfoOnly = , ReadOnly = , HandleContext = , VirtualDisk = .","Virtual disk handle closed: HandleContext = HandleContext, VirtualDisk = VirtualDisk.","Virtual disk object created: VirtualDisk.","Virtual disk object destroyed: VirtualDisk.","Starting to open handle for virtual disk.","Starting to create the handle for the file backing virtual disk 'VhdFileName'.","Handle for the file backing virtual disk 'VhdFileName' created successfully.","Beginning to bring the VHD VhdFileName online (surface).","Beginning to remove the VHD VirtualDisk (unsurface).","Starting to close the handle for the file backing virtual disk 'VhdFileName'.","Handle for the file backing virtual disk 'VhdFileName' closed successfully.","Starting to close virtual disk handle: HandleContext = HandleContext, VirtualDisk = VirtualDisk.","The volume snapshot driver has begun processing for volume online.","The volume snapshot driver has completed processing for volume online.","The volume snapshot driver has begun processing for dismount.","The volume snapshot driver has completed processing for dismount.","CDE reported a state change.","A Group Policy change was processed.","A Terminal Services session change was processed.","CDE reported an L2 adapter arrival.","WCM Preferred Order List.","CDE reported an NDIS adapter arrival.","WCMSVC: Start WCM Service Startup.","WCMSVC: Complete WCM Service Startup.","WCMSVC: Start Service Shutdown.","WCMSVC: Complete Service Shutdown.","WebAuthN ApiVersion: value.","Ctap service started successfully.","Ctap service stopped successfully.","Transaction Watchdog Timeout.","Product Name scan has started.","Product Name scan has finished.","Product Name scan has been stopped before completion.","ProductName has detected malware or other potentially unwanted software.","ProductName has detected a suspicious behavior.","Endpoint Protection client is up and running in a healthy state.","Endpoint 
Protection client health report (time in UTC).","Product Name security intelligence version updated.","Product Name has encountered an error trying to update security intelligence.","Product Name engine version has been updated.","Product Name used cloud protection to get additional security intelligence.","Product Name platform update to Product Version has succeeded.","Product Name has uploaded a file for further analysis.","ProductName Real-Time Protection feature has encountered an error and failed.","ProductName Real-time Protection feature has restarted. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.","Product Name Real-time Protection feature configuration has changed.","Product Name service feature has encountered an error and failed.","Network profile changed on an interface.","Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.","Tenant Restrictions Policy Update.","Tenant Restrictions Policy Update.","Added a Duplicate Rule.","A rule has been modified in the Windows Defender Firewall exception list.","A rule has been modified in the Windows Defender Firewall exception list.","Http Proxies Changed.","Capability Changed.","WinSAT Application Start: StartTimeOfDay.","WinSAT Application Command Line CommandLine.","WinSAT Application Stop: ExitCode.","Windows Update successfully found updateCount updates.","Windows Update failed to download an update.","An update was downloaded.","Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on schedinstalldate at schedinstalltime: updatelist.","Installation Successful: Windows successfully installed the following update: updateTitle.","Restart Required: To complete the installation of the following updates, the computer must be restarted. 
Until this computer has been restarted, Windows cannot search for or download new updates: updatelist.","Restart Required: To complete the installation of the following updates, the computer will be restarted within restarttime minutes: updatelist.","Automatic Updates is now paused.","Automatic Updates is now resumed.","Installation Started: Windows has started installing the following update: updateTitle.","Windows Update started downloading an update.","LSASS.exe was started as a protected process with level: .","Credential Guard configuration.","Credential Guard and/or VBS Key Isolation are configured but the secure kernel is not running; continuing without them.","Authentication started.","Authentication stopped. Result Win32Status.","The winlogon notification subscriber <SubscriberName> began handling the notification event (Event).","The winlogon notification subscriber <SubscriberName> finished handling the notification event (Event).","User Logon Notification for Customer Experience Improvement Program.","User Logoff Notification for Customer Experience Improvement Program.","Initializing WSMan API.","Creating WSMan Session. The connection string is: connection.","Setting WSMan Session Option (optionCode) - optionName with value (optionValue) completed successfully.","Creating WSMan shell with the ResourceUri: resourceUri and ShellId: shellId.","Running WSMan command with CommandId: commandId.","Closing WSMan command.","Closing WSMan shell.","Initialization of WSMan API completed successfuly.","WSMan Create Session operation completed successfuly.","The WinRM protocol handler has began loading for application applicationID.","The WinRM protocol handler started to create a session at the following destination: destination.","The WinRM protocol handler closed the session.","The WinRM protocol session began an operation of type operationType to the server. 
The operation accesses class className under the namespaceName namespace.","The WinRM protocol session successfully completed the operation.","The WSMan host process was unexpectedly terminated. Error code errorCode.","Creating WSMan shell on server with ResourceUri: resourceUri.","WSMan operation operationName completed successfully.","WSMan operation operationName failed, error code errorCode.","WSMan operation operationName started with resourceUri resourceUri.","Request for user param1 (param2) will be executed using WinRM virtual account param3 (param4).","The Winrm service is starting.","The Winrm service started successfully.","The Winrm service is stopping.","The Winrm service was stopped successfully.","Activity Transfer.","LSP LSPName was installed in the Catalog-bit catalog by Installer (GUID=GUID, Category ID=Category).","The following application was terminated because it was hung: .","WLAN AutoConfig service has successfully connected to a wireless network.","WLAN AutoConfig service has successfully disconnected from a wireless network.","Windows Management Instrumentation Service started sucessfully.","Windows Management Instrumentation Service subsystems initialized successfully.","Service 'ServiceName' started.","Service 'ServiceName' stopped.","Product: . The file is being used by the following process: Name: , Id .","Product: . Restart required.","Product: . Version: . Language: . Configuration change completed with status: . Manufacturer: .","Product: . Version: . Language: . Update: . Update installation completed with status: . Manufacturer: .","Product: . Version: . Language: . Reboot required. Reboot Type: . Reboot Reason: . Manufacturer: .","The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is [1]. 
{{The arguments are: [2], [3], [4]}}.","Network connection to host created successfully.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"Code Integrity determined an unsigned kernel module FileNameBuffer is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available.",0,"The driver FileNameBuffer is blocked from loading as the driver has been revoked by Microsoft.",0,"Windows is unable to verify the integrity of the file FileNameBuffer because the signing certificate has been revoked. Check with the publisher to see if a new signed version of the kernel module is available.",0,"Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity policy.",0,0,"DPAPIDefInformationEvent.",0,0,0,0,0,"The DHCP service has successfully loaded one or more callout DLLs.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"ProductName has restored an item from quarantine.","Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.","Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.","Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.","A user has allowed a blocked Microsoft Defender Exploit Guard operation.","ProductName has blocked an operation that your administrator doesn't 
allow.","ProductName has audited an operation.","ProductName has blocked an operation that your administrator doesn't allow.","ProductName has audited an operation.","ProductName scanning for spyware and other potentially unwanted software is disabled.","ProductName scanning for viruses is disabled.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"Executed command of length.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"Device HW profile FOUND: Instance:Device_HW_profile_FOUND_Instance Version:Version Revision:Revision Mode:Mode.","Device HW profile ERROR: Instance:Device_HW_profile_ERROR_Instance Version:Version Revision:Revision Mode:Mode.","PrepareController MBARLEN mapped: PA:VA LEN:MBAR VA:PA.","PrepareController ERROR: Can't map MMIO for MBARLEN PA:STATUS LEN:MBAR - STATUS:PA.","Device HW profile FOUND: Instance:Device_HW_profile_FOUND_Instance Version:Version Revision:Revision Mode:Mode.","Device HW profile ERROR: Instance:Device_HW_profile_ERROR_Instance Version:Version Revision:Revision Mode:Mode.","PrepareHardware MBARLEN mapped: PA:VA LEN:MBAR VA:PA.","PrepareHardware ERROR: Can't map MMIO for MBARLEN PA:STATUS LEN:MBAR - STATUS:PA.","The security package does not cache the user's sign on credentials.","Open Provider Failure.","Open Provider Failure.","DNS query is called for the name QueryName, type QueryType, query options QueryOptions, Server List ServerList, isNetwork query IsNetworkQuery, network index NetworkQueryIndex, interface index InterfaceIndex, is asynchronous query IsAsyncQuery.","The document PrintOnProcFailedEd.Param1, owned by PrintOnProcFailedEd.Param2, failed to print on printer PrintOnProcFailedEd.Param3. 
Try to print the document again, or restart the print spooler.","A directory service object was modified.","A directory service object was modified during a background cleanup task.","Vault Find Credential.",0,"The Federation Service started successfully. The following service hosts have been added.","There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.","The Federation Service stopped successfully.","An authentication provider was successfully loaded: Identifier: 'Event.EventData', Context: 'data1'.","During processing of the Federation Service configuration, the attribute store 'Event.EventData' could not be loaded.","Trust monitoring cycle initiated.","Trust monitoring cycle completed.","The Federation Service configuration could not be loaded correctly from the AD FS configuration database.","A change to the token service configuration was detected, but there was an error reloading the changes to configuration.","Attribute store 'Event.EventData' is loaded successfully.","The SAML artifact resolution endpoint is not configured or it is disabled.","The Windows Hello for Business key receipt certificate background task will not run.","The certificate management cycle was initiated.","The certificate management cycle was completed.","Token validation failed.","A SQL operation in the AD FS configuration database with connection string Event.EventData failed.","Encountered error during federation passive request.","AD FS detected that none of the service certificates that are configured to be managed by the administrator are due to expire.","AD FS detected that all the service certificates have appropriate access given to the AD FS service account.","AD FS detected that none of the partner certificates that are configured to be managed by the administrator are due to expire.","The federation server loaded the HTTP proxy configuration from WinHTTP settings.","AD FS 
detected that none of the service certificates that are configured to be managed by the administrator are archived.","More information for the event entry with Instance ID Event.EventData. There may be more events with the same Instance ID with more information.","Heartbeat is performed at primary server.","The session cookies were successfully deleted using the OAuth logout path.","The specified redirect URL did not match any of the OAuth client's redirect URIs. The logout was successful but the client will not be redirected.","The following threat detection module was successfully loaded.","Encountered error during OAuth authorization request.","Encountered error during OAuth token request.","Client Json Web Key Set (JWKS) synchronization initiated.","Client Json Web Key Set (JWKS) synchronization completed.","The Device Registration Service started successfully.","The Device Registration Service was stopped successfully.","The root issuing certificate for the Device Registration Service could not be found. 
Refer to earlier event logs for additional information.","Failed to find the Device Registration Service object at Data1.","No certificate could be found on the Device Registration Service object that can be used as the issuing certificate.","Successfully polled the Device Registration Service configuration from server Data1.","Error Instrument: ProcessName: Error_Instrument_ProcessName WindowTitle: WindowTitle MsgCaption: MsgCaption MsgText: MsgText CallerModuleName: CallerModuleName BaseAddr: BaseAddr ImageSize: ImageSize ReturnAddr: ReturnAddr.","ERROR: Invalid bank number: ERROR_Invalid_bank_number.","requested: Interrupts mask set to:failed (requested:BankName, failed:MaskSet).","raw: Interrupts queried active:mask (raw:BankName, mask:Active).","requested: Interrupts status cleared with mask:failed (requested:BankName, failed:MaskSet).","SpbCx DDI: EvtSpbTargetConnect: SpbController:SpbCx_DDI_EvtSpbTargetConnect_SpbController SpbTarget:SpbTarget.","SpbCx DDI: EvtSpbTargetDisconnect: SpbController:SpbCx_DDI_EvtSpbTargetDisconnect_SpbController SpbTarget:SpbTarget.","SpbCx DDI: EvtSpbControllerLock: SpbController:SpbCx_DDI_EvtSpbControllerLock_SpbController SpbTarget:SpbTarget SpbRequest:SpbRequest.","SpbCx DDI: EvtSpbControllerUnlock: SpbController:SpbCx_DDI_EvtSpbControllerUnlock_SpbController SpbTarget:SpbTarget SpbRequest:SpbRequest.","SpbCx DDI: EvtSpbIoRead: SpbController:SpbCx_DDI_EvtSpbIoRead_SpbController SpbTarget:SpbTarget SpbRequest:SpbRequest Length:Length.","SpbCx DDI: EvtSpbIoWrite: SpbController:SpbCx_DDI_EvtSpbIoWrite_SpbController SpbTarget:SpbTarget SpbRequest:SpbRequest Length:Length.","SpbCx DDI: EvtSpbIoSequence: SpbController:SpbCx_DDI_EvtSpbIoSequence_SpbController SpbTarget:SpbTarget SpbRequest:SpbRequest TransferCount:TransferCount.","SpbCx DDI: EvtSpbOtherInCallerContext: SpbController:SpbCx_DDI_EvtSpbOtherInCallerContext_SpbController FxRequest:FxRequest.","SpbCx DDI: EvtSpbOther: SpbController:SpbCx_DDI_EvtSpbOther_SpbController 
SpbTarget:SpbTarget SpbRequest:SpbRequest InLength:InLength OutLength:OutLength IoCtrlCode:IoCtrlCode.","Request INFO: Addr:Request_INFO_Addr Idx:Idx Cnt:Cnt - context configured for SlaveAddress (type:Count) with length Direction.","Request ERROR: Addr:Request_ERROR_Addr Idx:Idx Cnt:Cnt - invalid request direction SlaveAddress (type:Count) with length Direction.","Request ERROR: Addr:Request_ERROR_Addr Idx:Idx Cnt:Cnt - invalid transfer length SlaveAddress (size), supported max is 64KB.","Request ERROR: Addr:Request_ERROR_Addr Idx:Idx Cnt:Cnt - invalid transfer length SlaveAddress (alignment), supported is 8, 16, 32.","Request INFO: Addr:Request_INFO_Addr Idx:Idx Cnt:Cnt - transfer delayed for SlaveAddress us.","Request INFO: Addr:Request_INFO_Addr Idx:Idx Cnt:Cnt - delay timer expired - start transfer.","Interrupt ISR: Status:Interrupt_ISR_Status.","Interrupt DPC: HW_Status:Interrupt_DPC_HWStatus SW_Status:SWStatus.","Target ERROR: Invalid bus type (current:Target_ERROR_Invalid_bus_type_current, supported:I2C).","Controller ERROR: Invalid capability (Type:Controller_ERROR_Invalid_capability_Type, Capability:Capability).","Controller INFO: Addr:Controller_INFO_Addr Idx:Idx Cnt:Cnt - Configured for WRITE SlaveAddress bytes.","Controller INFO: Addr:Controller_INFO_Addr Idx:Idx Cnt:Cnt - Configured for READ SlaveAddress bytes.","Controller ERROR: Addr:Controller_ERROR_Addr Idx:Idx Cnt:Cnt - Other transfer is not supported.","Controller INFO: Addr:Controller_INFO_Addr Idx:Idx Cnt:Cnt - DMA Processing.","Controller INFO: Addr:Controller_INFO_Addr Idx:Idx Cnt:Cnt - PIO Processing.","Controller ERROR: Addr:Controller_ERROR_Addr Idx:Idx Cnt:Cnt - I2C Bus busy on controler init start.","Controller ERROR: Addr:Controller_ERROR_Addr Idx:Idx Cnt:Cnt - Timeout disabling controller.","Controller ERROR: Addr:Controller_ERROR_Addr Idx:Idx Cnt:Cnt - Timeout enabling controller.","Controller ERROR: Addr:Controller_ERROR_Addr Idx:Idx Cnt:Cnt - Controller initialization failed - 
STATUS:Controller_initialization_failed__STATUS.","Controller INFO: Addr:Controller_INFO_Addr Idx:Idx Cnt:Cnt - Transfer ended with SlaveAddress bytes processed - STATUS:Count.","User UserSid logged off notification is received.","Automatic restart sign on successfully configured the autologon credentials for.","Automatic restart sign on failed to configure the autologon credentials with error.","An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies.","The Security System has detected a downgrade attempt when contacting the 3-part SPN.","AmsiScanBuffer.","Microsoft Defender Antivirus took action to protect this machine from malware or other potentially unwanted software.","Microsoft Defender Antivirus encountered an error when taking action on malware or other potentially unwanted software.","Microsoft Defender Antivirus restored an item from quarantine.","Microsoft Defender Antivirus encountered an error trying to restore an item from quarantine.","Microsoft Defender Antivirus deleted an item from quarantine.","Microsoft Defender Antivirus encountered an error trying to delete an item from quarantine.","Microsoft Defender Antivirus removed history of malware and other potentially unwanted software.","Microsoft Defender Antivirus encountered an error trying to remove history of malware and other potentially unwanted software.","Microsoft Defender Antivirus detected a suspicious behavior.","Microsoft Defender Antivirus detected malware or other potentially unwanted software.","Microsoft Defender Antivirus took action to protect this machine from malware or other potentially unwanted software.","Microsoft Defender Antivirus encountered a noncritical error when taking action on malware or other potentially unwanted software.","Microsoft Defender Antivirus encountered a critical error when taking action on malware or other 
potentially unwanted software.","Controlled Folder Access blocked an untrusted process from potentially modifying disk sectors.","Microsoft Defender Antivirus client is up and running in a healthy state.","Antivirus client health report.","Antivirus signature version was updated.","Microsoft Defender Antivirus encountered an error trying to update signatures.","Microsoft Defender Antivirus engine version was updated.","Microsoft Defender Antivirus encountered an error trying to update the engine.","Microsoft Defender Antivirus encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.","Microsoft Defender Antivirus encountered an error trying to update the platform.","Microsoft Defender Antivirus used Dynamic Signature Service to retrieve more signatures to help protect your machine.","Microsoft Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.","Microsoft Defender Antivirus encountered an error trying to use Dynamic Signature Service.","Microsoft Defender Antivirus downloaded a clean file.","Microsoft Defender Antivirus encountered an error trying to download a clean file.","Microsoft Defender Antivirus encountered an error trying to download and configure offline antivirus.","Microsoft Defender Antivirus Real-Time Protection feature encountered an error and failed.","Microsoft Defender Antivirus Real-time Protection restarted a feature. It's recommended that you run a full system scan to detect any items that might have been missed while this agent was down.","Microsoft Defender Antivirus real-time protection feature configuration changed.","Microsoft Defender Antivirus configuration changed. If this event is unexpected, you should review the settings as the event might be the result of malware.","Microsoft Defender Antivirus engine was terminated due to an unexpected error.","Microsoft Defender Antivirus entered a grace period and will soon expire. 
After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.","Microsoft Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.","Part or all packages un-publish failed.","Part or all groups un-publish failed.","IAppVClient::IAppVClient COM method entered.","IAppVClient::IAppVClient COM method exited. Name.","Publishing refresh status changed.","License install failed for license Id Type.","License install storage failed for license Id Type.","License refresh failed for license Id Type.","Unable to remove matching ClipSp data for license Id Type.","UnlockToken install failed for license Id Type.","CallStack event description message: cValue.","CallStackModule event description message: BaseAddress.","BudgetCreate event description message: dwTag.","BudgetUpdate event description message: dwTag.","BudgetDelete event description message: dwTag.","CodeMarker event description message: EventData.","SqmD event description message: dwDatapoint.","SqmDA event description message: dwDatapoint.","SqmS event description message: dwDatapoint.","BudgetSetRate event description message: dwTag.","PCX Debug.","PCX Infomation.","PCX Warning.","PCX Error.","PCX Call Start.","PCX Call Stop.","PCX Function Start.","PCX Function Stop.","PCX Job Start.","PCX Job Stop.","PCX Create Persona.","PCX Create New Persona.","PCX Create Persona Linked.","PCX PersonInfo.","PCX Person Contact Type.","PCX Resolution Properties.","PCX Person Property Update.","PCX OutLook Contact Property Update.","PCX Contact Card Infomation.","PCX Presence Infomation.","PCX Presence Property Update.","PCX Search Result.","CallStack event description message: cValue.","CallStackModule event description message: BaseAddress.","PerfWatson Debug.","Register idle task 'cookie': priority dwID, scheduler wzName, flags priority, release scheduler, tolerable delay 
grfTaskFlags.","Deregister idle task 'cookie'.","Modify idle task 'cookie': change flags dwID, priority wzName, scheduler grfModifyFlags, flags priority, release scheduler, tolerable delay grfTaskFlags.","Idle execution starting: timer only fTimerOnly, tracking fTracking, resume fResuming.","Idle execution ending.","Idle execution preempted.","Idle task 'cookie' moved to run queue.","Idle task 'cookie' demoted to wait queue.","Idle task 'cookie' executing.","Idle timer message received.","Idle timer scheduled to msecDelay ms for task 'msecsTolerableDelay'.","PCX Search Result Dedupped.","PCX Search Results Posted.","PCX ContactInfo.","Idle update queued for task 'cookie': type grfUpdateType.","SecureReader Debug.","Window Message wzMessageName(dwValue) registered.","PCX Contact Linking.","PCX Contact Linking Pair.","PCX Feed Item Info.","PCX Feed Provider Info.","PCX Feed Sanitized HTML Info.","PCX Contact Sync Friend Info.","PCX Contact Sync Schedule Info.","PerfWatson Debug.","PerfWatson Debug.","Met Infomation.","Met Warning.","Met Error.","Met Call Start.","Met Call Stop.","CallStack event description message: cValue.","CallStackModule event description message: BaseAddress.","PCX ContactInfoPropertyUpdate.","MSO Logging.","User requested opening of the New Unified Group dialog.","User dismissed the New Unified Group dialog.","User requested creation of a Unified Group.","Create unified group operation finished.","Started check for group ID availability.","Started check for group ID availability.","User requested opening of the Edit Unified Group dialog.","User dismissed the Edit Unified Group dialog.","User started edit of a Unified Group.","One of the operations involved in updating the group finished.","Edit Unified Group operation finished.","Edit group photo button was clicked.","Group membership finished loading.","Group details finished loading.","User requested opening of the Edit Unified Group dialog.","User dismissed the Edit Unified Group 
dialog.","User started edit of a Unified Group.","Edit Unified Group operation finished.","Group card actions event, including open card, switch to members tab, and all actions on group cards.","Group local folder creation finished.","Bulk add members.","Password expiration claims. Seconds: Password_expiration_claims_Seconds URI: URI.","Password expiration fields. Status: Password_expiration_fields_Status Date: Date URI: URI.","Get device token. Resource: Get_device_token_Resource ClientID: ClientID Scope: Scope.","CA cert hash (keyID): CA_cert_hash_keyID Correlation ID: Correlation_ID.","Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.","Get user realm failure. Status: Get_user_realm_failure_Status Correlation ID: Correlation_ID.","Get credential keys failure. Status: Get_credential_keys_failure_Status Correlation ID: Correlation_ID.","OAuth request retry. Correlation ID: OAuth_request_retry_Correlation_ID Retry: Retry.","Refresh token failure. Status: Refresh_token_failure_Status Correlation ID: Correlation_ID.","Can't decrypt OAuth response. Error: Cant_decrypt_OAuth_response_Error.","AadCloudAPPlugin S4U logon failed. Status: AadCloudAPPlugin_S2U_logon_failed_Status.","Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.","Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.","Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.","Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.","Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.","Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.","On-prem tgt error: Onprem_tgt_error.","DoGetToken Diagnostic Event.","DoGetEnterpriseToken Diagnostic Event.","DoRefreshToken Diagnostic Event.","DoRefreshEnterpriseToken Diagnostic Event.","P2P certificate update error. 
Status: P2P_certificate_update_error_Status Correlation ID: Correlation_ID.","CA certificate update error. Status: CA_certificate_update_error_Status Correlation ID: Correlation_ID.","The Windows All-User Install Agent could not delete the registered packages after the profile was deleted for user SID Additional_information. Error code: UserSid. Additional information: Error.","The Program Compatibility Troubleshooter queried the application genome for information about an application. Results are below.","An instance of the Steps Recorder ran with the following information.","An OperationInvoker invoked the 'MethodName' method. Caller information: 'CallerInfo'.","The Dispatcher invoked 'AfterReceiveReply' on a MessageInspector of type 'TypeName'.","The Dispatcher invoked 'BeforeSendRequest' on a MessageInspector of type 'TypeName'.","An OperationInvoker completed the call to the 'MethodName' method. The method call duration was 'Duration' ms.","The transport received a message from 'ListenAddress'.","The transport sent a message to 'DestinationAddress'.","The Client completed executing Action 'Action' associated with the 'ContractName' contract. The message was sent to 'Destination'.","There was an unhandled exception of type 'ExceptionTypeName' during message processing. 
Full Exception Details: ExceptionToString.","ServiceChannelOpen started.","ServiceChannelOpen completed.","ServiceChannelCall started.","Message dispatching started.","Start authorization for message dispatching.","Message dispatching completed.","ServiceChannel Open Start.","ServiceChannel Open Stop.","msg Connection pool key: key.","Pending connections ratio: cur/max.","Concurrent calls ratio: cur/max.","Concurrent sessions ratio: cur/max.","Outbound connections per endpoint ratio: cur/max.","Concurrent instances ratio: cur/max.","Created new 'itemTypeName'.","The 'OperationName' operation was dispatched successfully.","SocketId:SocketId to remote address Uri had a connection reset error.","WindowsStreamSecurity initiating security upgrade.","Windows streaming security on accepting upgrade.","SocketId:SocketId is aborting.","Available memory (bytes): Available_memory_bytes.","Handling an exception. Exception details: data1.","Throwing an exception. Source: data1. Exception details: data2.","Throwing an exception. Source: data1. Exception details: data2.","Throwing an exception. Source: data1. Exception details: data2.","Pool allocating Size Bytes.","BufferPool of size PoolSize, changing quota by Delta.","IO Thread scheduler callback invoked.","IO Thread scheduler callback invoked.","The Client is executing Action 'Action' associated with the 'ContractName' contract. The message will be sent to 'Destination'.","IncrementBusyCount called. Source : IncrementBusyCount_called_Source.","DecrementBusyCount called. Source : DecrementBusyCount_called_Source.","Not using channel factory from cache, i.e. 
caching disabled for instance.","A message with size 'Size' bytes was read by the encoder.","A message with size 'Size' bytes was written by the encoder.","Connection accept started.","ListenerId:ListenerHashCode accepted SocketId:SocketHashCode.","Pool for PoolKey has no available connection and busy busy connections.","Dispatcher started deserialization the request message.","Dispatcher completed deserialization the request message.","Dispatcher started serialization of the reply message.","Dispatcher completed serialization of the reply message.","Client request serialization started.","Client completed serialization of the request message.","Client started deserializing the reply message.","Client completed deserializing the reply message.","Service instance retrieval started.","Service instance retrieved.","ChannelHandlerId:ChannelId - Message receive loop started.","ChannelHandlerId:ChannelId - Message receive loop stopped.","ChannelFactory created .","Connection establishment started for Key.","Connection established.","Session preamble for 'Via' understood.","Security impersonation succeeded.","BinaryMessageEncoder started encoding the message.","BinaryMessageEncoder started decoding the message.","SocketId:SocketId read 'Size' bytes read from 'Endpoint'.","SocketId:SocketId read 'Size' bytes read from 'Endpoint'.","SocketId:SocketId writing 'Size' bytes to 'Endpoint'.","Client sending preamble start.","Client sending preamble stop.","ImportKnownTypes start.","ImportKnownTypes stop.","DataContract generate Kind writer for TypeName start.","DataContract generate writer stop.","DataContract generate Kind reader for TypeName start.","DataContract generation stop.","SecurityToken (type 'tokenType' and id 'tokenID') validation started.","SecurityToken (type 'tokenType' and id 'tokenID') validation succeeded.","Handling an exception. 
Exception details: data1.","PackageBuffer was prevented from running.","PackageBuffer was prevented from running.","Updated current dependency graph (Removal : Updated_current_dependency_graph_Removal) with Source Removal and Target SrcPsmKey for type TargetPsmKey in return Type.","CheckTerminationBeforeSwitch: Should terminate: CheckTerminationBeforeSwitch_Should_terminate, Aumid=MaxTterminate, HRESULT=AUMID, reason=ErrorCode, fIsMisbehaving=Reason.","EvaluateAndTerminatePid: PID: EvaluateAndTerminatePid_PID. HRESULT: HRESULT. Package State: Package_State.","Package Exemption Manager: ReferenceAdded:Package_Exemption_Manager_ReferenceAdded, Added ref to application Type. The ref counts are now LAUNCH=PsmKey, PSMREG=Exemption, and PSMREGPENDING=RegistrationRef.","RPC exemption was granted for application Runaway_RPC. KernelRequest Value: PsmKey. Runaway RPC: KernelRequest. RPC Debounce RunawayRpc.","RegisterForActivationStateChanges: Act:RegisterForActivationStateChanges_Act App:App HRESULT is ActivationType. 
Cookie is ApplicationType.","Couldn't open process: Couldnt_open_process.","BM: Queued evaluate WorkItem: BM_Queued_evaluate_WorkItem EventType: EventType Action: Action PsmKey: PsmKey HostJobType: HostJobType EntryPoint: EntryPoint.","BM: Evaluate returned WorkItem: BM_Evaluate_returned_WorkItem EventType: EventType Action: Action PsmKey: PsmKey HostJobType: HostJobType EntryPoint: EntryPoint.","BM: TaskActivated WorkItem: BM_TaskActivated_WorkItem Instance: Instance.","BM: TaskCompleted WorkItem: BM_TaskCompleted_WorkItem Instance: Instance.","BM: TaskCanceled WorkItem: BM_TaskCanceled_WorkItem Instance: Instance.","BM: Policy evaluate returned WorkItem: BM_Policy_evaluate_returned_WorkItem EventType: EventType Action: Action WallClockLimit: WallClockLimit PsmKey: PsmKey HostJobType: HostJobType.","BM: TaskActivating WorkItem: BM_TaskActivating_WorkItem Instance: Instance.","BM: TerminateHost WorkItem: BM_TerminateHost_WorkItem.","BM: ActivateDeferredWorkItem WorkItem: BM_ActivateDeferredWorkItem_WorkItem.","BM: Enter TaskInstanceId WorkItem: String TaskInstanceId: WorkItemId.","BM: Evaluate returned WorkItem: BM_Evaluate_returned_WorkItem EventType: EventType WallClockLimit: WallClockLimit PsmKey: PsmKey HostJobType: HostJobType EntryPoint: EntryPoint.","BM: TaskWallClockActive WorkItem: BM_TaskWallClockActive_WorkItem Instance: Instance.","BM: TaskWallClockExpired WorkItem: BM_TaskWallClockExpired_WorkItem Instance: Instance.","BM: Policy returned HRESULT: BM_Policy_returned_HRESULT for WorkItem: for_WorkItem PsmKey: PsmKey.","BM: WorkItem: BM_WorkItem is being debugged. 
Setting wallclock limit to 0.","BM: User Logon Session: BM_User_Logon_Session User: User HRESULT: HRESULT.","BM: User Logoff Session: BM_User_Logoff_Session User: User HRESULT: HRESULT.","BM: Flushing ignored EvaluationState: BM_Flushing_ignored_EvaluationState for WorkItem: for_WorkItem.","BM: ShellSuspendState changed, oldState: BM_ShellSuspendState_changed_oldState newState: newState.","BM: DPLKeyState changed, oldState: BM_DPLKeyState_changed_oldState newState: newState.","BM: Canceling WorkItem: BM_Canceling_WorkItem due to DPL policy.","BAM: Added Package: BAM_Added_Package UserSid: UserSid.","BAM: Removed Package: BAM_Removed_Package UserSid: UserSid.","BAM: Added Application: BAM_Added_Application UserSid: UserSid.","BAM: Removed Application: BAM_Removed_Application UserSid: UserSid.","FAM: NotifyTaskInstanceCompleted, TaskID:FAM_NotifyTaskInstanceCompleted_TaskID, hr:hr.","FAM: NotifyTaskInstanceRunning, TaskID:FAM_NotifyTaskInstanceRunning_TaskID Timer - p1_UInt32.","FAM: UiForeground:Memory:FAM_UiForegroundMemoryMB, CPU:MB_CPU%.","FAM: CreateAgentLaunchRequest, TaskID:FAM_CreateAgentLaunchRequest_TaskID, Queue:Queue, hr:hr.","FAM: CancelAgentRequest, TaskID:FAM_CancelAgentRequest_TaskID, CancelType=p1_UInt32, hr:p2_UInt32.","FAM: AbortAgentRequestsInternal, hr:FAM_AbortAgentRequestsInternal_hr.","FAM: CompleteAgent, TaskID:FAM_CompleteAgent_TaskID, hr:hr.","FAM: PrioritizeAgentRequest, TaskID:FAM_PrioritizeAgentRequest_TaskID, hr:hr.","FAM: NotifyConsumer, Notification:FAM_NotifyConsumer_Notification, TaskID:TaskID, hrResult:hrResult.","FAM: AcquireSharedResourceSet, ProductID:FAM_AcquireSharedResourceSet_ProductID, ConsumerPid:ConsumerPid, Pending:Pending, hr:hr.","FAM: AcquireResourceSet, #MB_CPU, Mem:hrMB, CPU:p1_UInt32%, hr:p2_UInt32.","AppModel Runtime status for package PackageFullName successfully updated to DesiredStatus (previous status = CurrentStatus).","API Exit for 'Result' (Process: User Result: ProcessId).","API Exit for 'Result' (Process: 
User Result: ProcessId).","API Exit for 'Result' (Process: User Result: ProcessId).","API Exit for 'Result' (Process: User Result: ProcessId).","API Exit for 'Result' (Process: User Result: ProcessId).","API Exit for 'Result' (Process: User Result: ProcessId).","API Exit for 'Result' (Process: User Result: ProcessId).","API Exit for 'Result' (Process: User Result: ProcessId).","error ErrorCode: While preparing to process the request, the system failed to register the CategoryName extension due to the following error: ErrorMessage.","error ErrorCode: Cannot register the PackageName package because the following error was encountered: ErrorText. Verify that the package's 'resources.pri' file in the package is valid.","error ErrorCode: Cannot register the PackageName package because the following error was encountered while reading the package repository: ErrorText.","error ErrorCode: Failure to get staging session for: PackageUri.","The package deployment operation is blocked by the \"Allow deployment operations in special profiles\" policy.","Deployment of package PackageFullName to volume MountPoint failed because deployments to non-system volumes are blocked by the \"Disable deployment of Windows Store apps to non-system volumes\" policy.","Package PackageFullName is blocked by a platform policy: PolicyReason.","Package PackageFullName is blocked by a platform policy: PolicyReason.","User UserSid had outdated package OldMainPackageFullName, which will be updated to NewMainPackageFullName. User was online: Online.","Removed registry for package MainPackageFullName for user UserSid. This package will be installed for the user on next logon.","error ErrorCode: Opening the package from location PackageUri failed.","error ErrorCode: Deleting file FilePath failed.","There were ErrorCount additional files that failed to be deleted under the folder FilePath.","Error ErrorCode: Opening the Msixvc package from location PackageUri failed. 
Please check whether the Msixvc support services are installed.","The file system entries for package PackageName could not be cleaned up after reboot. The package is removed from the purge list.","Windows cannot remove PackageMoniker because the current user does not have that package installed. Use Get-AppxPackage to see the list of packages installed.","OnDemandRegisterPackage found existing package PackageMoniker, set PACKAGE_STATUS_REGISTRATION_REQUIRED_BLOCKING.","OnDemandRegisterPackage PackageMoniker, update Staged to Installed.","Removing registrations for DownlevelInstalled package PackageMoniker.","Error NextDeploymentState: Failure in the early preparatory steps of the request or in the DeploymentState state handler.","Package SupplierPackageName does not satisfy a dependency for package DependentPackageName. Reason: Reason.","Windows cannot remove PackageMoniker because the PreserveApplicationData flag can only be used on a package that was deployed in development mode.","Opening registry key: RegistryKeyName failed with error: ErrorCode.","Getting registration status of package family PackageFamilyName for user UserSid.","These hardlinks did not have packages in repository: Path.","Error while deleting file filename. Error Code : Error.","FileName(Line,Column): error ErrorCode: Cannot register the PackageName package because the following error was encountered while parsing the ExtendedData extension: ErrorText. Try again and contact the package publisher if the problem persists.","(,): error : Cannot register the package because the following error was encountered while registering the activatable class: . 
Try again and contact the package publisher if the problem persists.","AppExecutionAlias directory missing, error code is ErrorCode.","ErrorCode: PackagedServiceDEH EvaluateRequest completed successfully.","ErrorCode: PackagedServiceDEH CommitRequest completed successfully.","ErrorCode: PackagedServiceDEH RemoveRequest completed successfully.","FileName(Line,Column): PackagedServiceDEH successfully parsed manifest for package PackageName install.","Finished servicing singleton package PackageFullName. Setting the singleton package state to enabled returned with ErrorCode.","Installing EventLog manifest for package: 'PackageFullName' (See 'Details' for extended information).","Uninstalling EventLog manifest for package: 'PackageFullName' (See 'Details' for extended information).","Installed EventLog manifest for package: 'PackageFullName' (See 'Details' for extended information).","Uninstalled EventLog manifest for package: 'PackageFullName' (See 'Details' for extended information).","Unsetting active EventLog manifest for package: 'PackageFullName' (See 'Details' for extended information).","Evaluating request for DEH: DEH 'DehName' in Phase 'DehPhase'.","Encountered package in DEH package evaluation: Direction 'Direction', DEH 'DehName', Package 'PackageFullName', PostOsUpgrade 'PostOsUpgrade', Phase 'DehPhase', State 'DehState' (See 'Details' for extended information).","The bundle reader was created successfully for bundle packageFullName.","Checking SIP support for file.","Check for SIP support completed.","Checking AppxBundle SIP support for file.","Check for AppxBundle SIP support completed.","Event fired when an asynchronous operation is created.","Event fired when an asynchronous operation is completed.","Event fired when a synchronous work item starts.","Event fired when a synchronous work item starts.","Event fired when a synchronous work item completes.","Event fired when a synchronous work item completes.","The Block Level Backup Engine service has 
successfully started.","The Block Level Backup Engine service has stopped.","Successfully created metadata file. Volume: Volume, Offset: Offset, Read Length: Length, Copy: Copy, Number of Copies: TotalCopies, TpAllocationSize: SlabSize.","BITS accessed group policy value Title : PolicyValue.","BITS defaulted group policy value Title : PolicyValue.","BITS service has detected a 'SystemEvent' system event.","The service is generating its common global data.","The service is reading its group policy settings.","The service is creating its performance counters.","The service is reading the job list from the disk.","The service is updating its list of logged-in users.","The service is creating the Volume Shadow Copy writer.","The service is registering its COM objects.","The BITS service has started successfully.","The service is shutting down.","The BITS service failed to start. Error ErrorCode.","Background task for package PackageFullName with entry point EntryPoint did not complete in response to a cancel notification.","The background task with entry point TaskEntryPoint and name TaskName failed to activate with error code Result.","A hash of type Algorithm, length Length and value Value is being searched for in subsystem Subsystem.","The hash search completed and was found in Count catalogs. 
Status Status.","For more details for this event, please refer to the \"Details\" section.","For more details for this event, please refer to the \"Details\" section.","For more details for this event, please refer to the \"Details\" section.","For more details for this event, please refer to the \"Details\" section.","For more details for this event, please refer to the \"Details\" section.","For more details for this event, please refer to the \"Details\" section.","For more details for this event, please refer to the \"Details\" section.","For more details for this event, please refer to the \"Details\" section.","For more details for this event, please refer to the \"Details\" section.","For more details for this event, please refer to the \"Details\" section.","For more details for this event, please refer to the \"Details\" section.","For more details for this event, please refer to the \"Details\" section.","Automatic certificate enrollment for Context failed to download certificates for StoreName store from LdapStore (ErrorCode). ErrorMsg.","Certificate enrollment for Context could not access local resources or retrieve TemplateName certificate template information (CA). Enrollment was not performed.","Certificate enrollment for Context could not find any valid certificate templates. Enrollment was not performed.","A certificate has been deleted. Please refer to the \"Details\" section for more information.","A new certificate has been installed. Please refer to the \"Details\" section for more information.","A certificate has been deleted from Active Directory. Please refer to the \"Details\" section for more information.","Active Directory Certificate Services did not start: Unable to initialize the database connection for Name. CACommonName.","Active Directory Certificate Services could not process request Name due to an error: RequestId. 
The request was for ErrorCode.","Active Directory Certificate Services for Name was started.CACommonNameDCSpecifier.","Active Directory Certificate Services for Name was stopped.","The \"Name\" Policy Module \"PolicyModuleDescription\" method returned an error. param4 The returned status code is MethodName. ErrorCode.","Active Directory Certificate Services could not publish a Base CRL for key Name to the following location: CAKeyIdentifier. URL.param4param5.","The \"Name\" Policy Module logged the following warning: PolicyModuleDescription.","Active Directory Certificate Services encountered an error loading key recovery certificates. Requests to archive private keys will not be accepted. Name.","Entering Function FunctionName.","Exiting Function FunctionName.","FunctionName failed with return code LastError.","Running inside LSA.","Opening Machine Store? Value: Opening_Machine_Store_Value.","Pku2u is disabled by policy.","Provider Provider is not enabled.","Saving Id and merging with 'theirs' data. 'Theirs' data has size Size and is version Version.","Successfully loaded CorrelationVector. See event details for more information.","Successfully saved CorrelationVector. See event details for more information.","The object ObjectName has an unexpected security descriptor. Recovering by resetting the security descriptor. See event details for more information.","The cache invalidator has started.","The cache invalidator has stopped.","Code Integrity determined a revoked kernel module FileNameBuffer is loaded into the system. Check with the publisher to see if a new signed version of the kernel module is available.","Code Integrity determined a revoked kernel module FileNameBuffer is loaded into the system. The image is allowed to load because kernel mode debugger is attached.","Code Integrity determined a revoked image FileNameBuffer is loaded into the system. 
The image is allowed to load because kernel mode debugger is attached.","Code Integrity determined kernel module FileNameBuffer that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available.","Code Integrity policy refresh started for NumberOfPolicies policies.","Code Integrity policy refresh finished for NumberOfPolicies policies.","Ignoring refresh for Code Integrity policy ID PolicyGUID. Status Status.","Trying to refresh Code Integrity policy with policy ID PolicyGUID.","Information from.","The mtstocom launching routine has started.param1.","The mtstocom launching routine has completed.param1.","The mtstocom migration utility is attempting to retry populating the packages collection because it failed its first attempt.param1.","Application image succesfully dumped.param1.","Application image dump failed.param1.","MSMQ Workgroup configuration does not provide sender identity for a COM+ application that has security enabled. The usage is accepted.param1.","MSMQ Message Authentication disabled for a COM+ application that has security enabled. The usage is accepted.param1.","The COM+ sub system is suppressing duplicate event log entries for a duration of seconds. The suppression timeout can be controlled by a REG_DWORD value named under the following registry key: HKLM\\.","The average call duration has exceeded the configured threshold.param1.","A new CRM log file was created. This CRM log file is not secure because the application Identity is Interactive User or the file system is not NTFS. param1.","A new CRM log file was created. This CRM log file is secure. 
param1.","[SmsRouter::SmsRouter:AnsiStringName] LineNumber.","[SmsRouter] SmsRouter is started.","[SmsRouter] SmsRouter is stoped.","[SmsRouter::AnsiStringName:LineNumber] Error HResultName: Context.","[SmsRouter] SmsBroker is started.","[SmsRouter] SmsBroker is stoped.","DPAPI Master key file open failed.","DPAPI Protect failed .","DPAPI Unprotect failed .","Credential key does not exist.","Protect Key operation failed.","Unprotect Key operation failed.","Protect Secret operation failed.","Unprotect Secret operation failed.","Files were skipped during the volume scan.","Files were skipped during the volume scan.","Failed to enqueue job of type \"JobType\" on volume \"Param1\".","Volume job memory requirements.","Volume reconciliation has completed.","An operation succeeded after one or more retries. Operation: Operation; FileId: FileId; Number of retries: NumberOfRetries.","Volume job has started.","Volume job has started.","Volume job has started.","Volume job has completed.","Full job has completed.","Full job has completed.","Volume job has completed.","Volume job has been queued.","Volume job has been queued.","Volume job has been queued.","Volume job has been queued.","Volume job has been queued.","Priority Volume job has started.","Volume job has started.","Volume job has completed.","Volume job has been queued.","DataPort status update.","Update file list entries (Remove: Update_file_list_entries_Remove, Add: Add).","CodeIntegrity attempted to load the policy located at PolicyFilePath, but failed with status code ErrorCode.","MDM Enroll: Certificate policy request sent successfully.","MDM Enroll: Certificate policy response processed successfully.","MDM Enroll: Certificate enrollment request sent successfully.","MDM Enroll: Certificate enrollment response parsed successfully.","MDM Enroll: OMA-DM client configuration succeeds.","MDM Push: Failed to create WNS Push Channel for MDM Push Sessions. 
Result: (HRESULT).","MDM Unenroll: Unenroll alert sent to server.","MDM Enroll: Provisioning succeeded.","MDM Unenroll: Unenrollment initiated by entity other than user (server or device) (Message1).","MDM Enroll: Server specifed hashAlgorithmOIDReference (Message1) is a OID of group (Message2), expected an OID in group CRYPT_HASH_ALG_OID_GROUP_ID.","MDM Unenroll: Changing dmwappushservice startup type to demand-start. Result: (HRESULT).","MDM Enroll: Succeeded.","MDM Unenroll: Finished user independant unenroll.","MDM Unenroll: Succeeded.","MDM Unenroll: Unenroll origin is: (Message1).","MDM Session: OMA-DM message sent.","MDM Session: OMA-DM message failed to be sent. Result: (HRESULT).","MDM Session: OMA-DM server message received and parsed successfully.","MDM Session: OMA-DM client started. CV: (Message1).","MDM Session: OMA-DM session Init: UserSID(Message1), EnrolledUser(UInt2), UserToken(UInt3), DeviceToken(UInt4), EnrollmentType(UInt5), SyncType(UInt6).","MDM Session: OMA-DM session ended with status: (HRESULT).","MDM Session: OMA-DM session started: Session ID(UInt1), Server ID(Message2), User SID(Message3), Initiation ID(Message4), Origin(UInt5).","MDM Session: OMA-DM session Loaded: Initiation ID(Message1), Status(HRESULT2), Total Count(UInt3), Orphaned Count(UInt4), Loaded Count(UInt5), Parent Initiation ID(Message6), Completed Count(UInt7).","MDM Session: OMA-DM session Handled: Account ID(Message1), Initiation ID(Message2), Session ID(UInt3), Initiator(UInt4), Origin(UInt5).","MDM ConfigurationManager: Command failure status. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Command Type: (InternalCmdType), CSP URI: (Message5), Result: (HexInt1).","MDM PushRouter: Pushrouter failed to start because the dmwappushservice service is disabled.","MDM ConfigurationManager: Command failure status. 
Configuraton Source ID: (Message1), Enrollment Type: (Message2), CSP Name: (Message3), Command Type: (InternalCmdType), CSP URI: (Message5), Result: (HexInt1).","MDM ResourceManager: DeleteResource EnrollmentID: (Message1) UserSID: (Message2) URI: (Message3).","DMClient Configuration Service Provider: Server initiated unenroll started. Enrollment ID: (Message1).","EnterpriseDesktopAppManagement CSP: A node instance of was created successfully. MSI ProductCode: Message1, MSI UpgradeCode: Message2, User SID: (Message3).","EnterpriseDesktopAppManagement CSP: MDMAppInstaller task has started.","EnterpriseDesktopAppManagement CSP: Application content download started. MSI ProductCode: Message1, User SID: (Message2), BITS job: (Message3).","EnterpriseDesktopAppManagement CSP: Application content download completed. MSI ProductCode: Message1, User SID: (Message2), BITS job: (Message3).","EnterpriseDesktopAppManagement CSP: The MDMAppInstaller process is terminating with no errors.","EnterpriseDesktopAppManagement CSP: An application install has started. MSI ProductCode: Message1, User SID: (Message2).","EnterpriseDesktopAppManagement CSP: An application install has succeeded. MSI ProductCode: Message1, User SID: (Message2), Result: (HRESULT).","EnterpriseDesktopAppManagement CSP: An application status alert was sent to the device management service. 
LocURI: (Message1), Alert Data: (HRESULT).","DeviceStatus CSP: WscGetSecurityProviderHealth(Message1) returned status HexInt1 and HRESULT HRESULT.","[MDM Schedule Enrollment Cert Renew Session Start] EnrollmentId: Message1, Renew period: UInt3; Renew retry interval: UInt4; Robo mode: UInt5; Cert Expiration: Message2.","[MDM Schedule Enrollment Cert Renew Session End] Error: HRESULT: HRESULT.","Function Name: (Message1) HRESULT:(HRESULT).","MDM Session: OMA-DM sessions triggered: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Origin(UInt5), Session ID(UInt6), Sessions Queued (UInt7), Session Result (HRESULT8), Result(HRESULT9).","MDM Declared Configuration: Enter function: ().","MDM Declared Configuration: Exit function: () with Result: ().","MDM PushRouter Service: Successfully created RPC Server Interface group. Result: (HRESULT).","MDM PushRouter Service: Successfully activated RPC Server Interface group. Result: (HRESULT).","MDM PushRouter Service: Successfully deactivated RPC Server Interface group. Result: (HRESULT).","MDM PushRouter Service: Successfully closed RPC Server Interface group. Result: (HRESULT).","MDM PushRouter Service: PushRouter RPC interface Idle status changed. Is group idle: (HexInt1).","MDM PushRouter Service: Number of PushRouter clients remaining: (HRESULT). Operation: (Message1).","MDM PushRouter Service: All clients handled. Number of PushRouter clients remaining: (HexInt1).","MDM PushRouter Service: PushRouter::Open called by a client needing a handle to PushRouter.","MDM PushRouter Service: PushRouter::Open called by a client needing to interact with PushRouter succeeded. Client id: (Message1), Content Type: (Message2):, App Id: (Message3), Result: (HRESULT).","MDM PushRouter Service: PushRouter was submitted a message from the same service PushRouter is running in. 
Message origin: (HexInt1).","MDM PushRouter Service: PushRouter was submitted a message from the same service PushRouter is running in. Message submission succeeded. Sender Address: (), Content Type: (), App Id: (), Result: ().","MDM PushRouter Service: PushRouter was submitted a message by a RPC client. Message submission succeeded. Message origin: (HexInt1), Result: (HRESULT).","MDM PushRouter Service: PushRouter was created successfully. Result: (HRESULT).","MDM PushRouter Service: PushRouter close called by a client interacting with it succeeded. Client id: (Message1), Result: (HRESULT).","MDM PushRouter Service: A client initiated a get message operation from PushRouter.","MDM PushRouter Service: PushRouter was instantiated.","MDM Message Persistence: Persisted message found. Location: (Message1).","MDM Message Persistence: No persisted message found.Location: (Message1).","MDM Message Persistence: Successfully processed persisted messages. Result: (HRESULT).","MDM PushRouter Service: PushRouter started routing a message.","MDM PushRouter Service: Message routed successfully. Content: (Message1), Application: (Message2), Sender: (Message3), Client: (Message4), Queue Id: (Message5), Result: (HexInt1).","MDM PushRouter Service: PushRouter started routing a new message.","MDM PushRouter Service: Successfully routed a new message. Result: (HRESULT).","MDM PushRouter Authentication: Loaded an authentication provider. Name: (Message1).","MDM PushRouter Authentication: Message authenticated successfully. Name: (Message1), Security account name: (Message2), Message headers: (Message3), Sender address: (Message4), Role: (HexInt1), Result: (HexInt3).","MDM PushRouter Authentication: SyncMl Authentication succeeded. Headers: (Message1), Message Body size: (HexInt1), Result: (HRESULT).","MDM PushRouter Authentication: Getting ServerID from the trigger succeeded. Result: (HRESULT).","MDM PushRouter Authentication: Validating trigger succeeded. 
Result: (HRESULT).","MDM PushRouter Authentication: Validating nonce succeeded. Type of nonce: (Message1), Result: (HRESULT).","MDM Common Utility for Policies: Policy query. Policy ID: (HexInt1), Policy Value: (HexInt2), Result: (HRESULT).","DmWapPushService: Failed to register WNF with EventAggregator for WAP messages received by SMS Router. Result: (HexInt1).","DmWapPushService: Successfully registered WNF with EventAggregator for WAP messages received by SMS Router. Result: (HexInt1).","DmWapPushService: There are pending RPC clients currently.","DmWapPushService: No pending RPC clients remain.","DmWapPushService: Setting the timer to check if all RPC clients are handled to fire after (HexInt1) seconds.","DmWapPushService: Idle timeout of DmWapPushService is currently set to (HexInt1) seconds.","DmWapPushService: Initialized idle stop-start for DmWapPushService.","DmWapPushService: Service status updated. Current state: (HexInt1), Exit code: (HexInt2), Wait hint: (HexInt3).","DmWapPushService: Successfully initialized service. Result: (HRESULT).","DmWapPushService: Successfully registered service's RPC interface. Result: (HRESULT).","DmWapPushService: Successfully uninitialized service. Result: (HRESULT).","DmWapPushService: Successfully unregistered service's RPC interface. Result: (HRESULT).","DmWapPushService: Service handler invoked. Opcode: (HexInt1), Current state: (HexInt2).","DmWapPushService: DmWapPushService is being initialized.","DmWapPushService: Stop Service handler registered. Status: (HexInt1), Result: (HRESULT).","Product for pfn IsFramework located: ProductId: Prop_ProductId, IsFramework: Prop_SoftwarePfn.","Product 'Missing_updates' was not updated to last activated version 'Missing_drivers'.","Referral request received for dfspath DfsPath from client with IPAddress ClientIpAddress and site ClientSite.","Request for creating new folder or adding target to existing folder completed with status:Status. 
DfsFolder:DfsPath TargetServer:ServerName TargetShare:ShareName.","Dfs received a referral request for \"path\". The return code is in the data.","Unplumbing OLD Config for the adapter: AdapterName.","Stack Media Connect: AdapterName. Creating new context.","MEDIA DISCONNECT: Someone still using context. So not destroying the context.","Waiting for Offer on AdapterName. Wait time is TimeToWaitLeft milliseconds.","Receiving a DHCP message on AdapterName. Error code is ErrorCode.","Locking Dhcp Context: [AdapterName].","Unlocking Dhcp Context: [AdapterName].","Destroying Dhcp Context: [AdapterName].","Successfully read fallback configuration.","RegQueryValueEx returned ErrorCode, Fallback config name type ConfigNameType.","Media Connect notification received on interface InterfaceId.","Media Disconnect notification received on interface InterfaceId.","DHCP is enabled on the interface with Interface Id InterfaceId.","DHCP is disabled on the interface with Interface Id InterfaceId.","Discover-Offer-Request-Ack is initiated on the interface with Interface Id InterfaceId.","Discover is sent from the interface InterfaceId. Status code is StatusCode.","The broadcast bit was toggled on the interface InterfaceId. The broadcast bit after toggling is BoolFlag.","Offer Receive Timeout has happened on the interface InterfaceId.","Cancelling pending renewals on the interface with the Interface Id InterfaceId.","An interface is added whose interface index is InterfaceId and Status Code is StatusCode.","DHCP has notified NLA for the configuration changes for the interface InterfaceId.","The broadcast bit BoolFlag was successfully set and cached on the interface InterfaceId.","DHCP has not received a Service Set Identifier(SSID) for the interface InterfaceId.","Firewall port DwordVal is exempted on interface InterfaceId. Error code is DwordVal1.","Firewall port DwordVal is closed on interface InterfaceId. 
Error code is DwordVal1.","Parameter request received on interface with LUID InterfaceLUID. Attempting to acquire the interface context.","Parameter request unblocked on interface with LUID InterfaceLUID and index InterfaceId.","Parameter request completed on interface with LUID InterfaceLUID and index InterfaceId. The status of the operation was StatusCode.","Firewall port DwordVal1 exemption triggered on interface InterfaceId.","Firewall port DwordVal1 close triggered on interface InterfaceId.","The DHCPv4 client received connected standby exit notification.","PERFTRACK: DHCP is not enabled on the interface InterfaceId.","PERFTRACK: DHCP is not enabled on the interface InterfaceId.","PERFTRACK (DHCPv4): Media Connect on interface InterfaceId.","PERFTRACK (DHCPv4): End of Media Connect on interface InterfaceId.","PERFTRACK (Discover-Timeout): No response is received for all 8 discovers on interface InterfaceId. Fallback address is not set.","Entered ProcessDhcpRequestForever.","ProcessDhcpRequestForever Timed out.","Error in Media Connected. ErrorCode is ErrorCode.","Media Disconnected on AdapterName.","MEDIA DISCONNECT: Someone still using context. So not destroying the context.","Unable to get Link characteristics. Error code is ErrorCode.","Error in Querying for RA Settings. Error code is ErrorCode.","Error in Callback of Media Sense. Error code is ErrorCode.","Error in getting All parameters from stack. Error code is ErrorCode.","Media Connect notification has been received on interface with interface id InterfaceId.","Media Disconnect notification has been received on interface with interface id InterfaceId.","Solicit-Advertise-Request-Reply is initiated on the interface with Interface Id InterfaceId. Managed Flag value DwordVal1 OtherConfig Flag value DwordVal2.","Solicit is sent from the interface InterfaceId. Status code is StatusCode.","DHCP is changed from nondhcp to stateful mode on the interface InterfaceId. 
Status Code is StatusCode.","An interface is added whose interface index is InterfaceId. Status Code is StatusCode.","Firewall port DwordVal is exempted on interface InterfaceId. Error code is DwordVal1.","Firewall port DwordVal is closed on interface InterfaceId. Error code is DwordVal1.","DHCP is changing mode to NewMode on the interface InterfaceId.","Firewall port DwordVal1 exemption triggered on interface InterfaceId.","Firewall port DwordVal1 close triggered on interface InterfaceId.","The DHCPv6 client received connected standby exit notification.","The values of flags received on interface InterfaceId are: Managed Flag value DwordVal1 OtherConfig Flag value DwordVal2.","PERFTRACK (DHCPv6): Media Connect on interface InterfaceId.","PERFTRACK (DHCPv6): End of Media Connect on interface InterfaceId.","The Diagnostic Policy Service could not create a diagnostic module host instance for diagnostic module (). The error code was . The scenario , instance , original activity ID will be discarded.","Instance (CounterSetGuid, InstanceName, InstanceId) could not be created. 
Error: \"Error\".","Data collector set DataCollectorSetCreation.Name was created by DataCollectorSetCreation.UserName.","Data collector set DataCollectorSetEdit.Name was changed by DataCollectorSetEdit.UserName.","Data collector set DataCollectorSetDeletion.Name was deleted by DataCollectorSetDeletion.UserName.","Data collector set DataCollectorSetStart.Name started as DataCollectorSetStart.UserName.","Data collector set DataCollectorSetStop.Name stopped.","Application of machine policy caused a slow down in the system start up process.","The security account manager detected the use of a legacy password change or set RPC method from a network client.","The security account manager blocked a non-administrator from creating an Active Directory account in this domain with mismatched objectClass and userAccountControl account type flags.","DCOM was unable to communicate with the computer using any of the configured protocols; requested by PID (), while activating CLSID .","Interface: Interface Total DNS Server Count: TotalServerCount Index: Index Address: Address (DynamicAddress).","Name resolution for the name QueryName timed out after none of the configured DNS servers responded.","Name resolution for the name QueryName timed out after the DNS server Address did not respond.","A name not found error was returned for the name QueryName. Check to ensure that the name is correct. 
The response was sent by the server at Address.","The DNS server's response to a query for name QueryName indicates that no records of the type queried are available, but could indicate that other records for the same name are present.","Name resolution for the name, QueryName, will not fall back to LLMNR or NetBIOS.","Transaction ID of the response for query QueryName from server Address did not match.","DnsQueryEx for the name QueryName is pending.","Network query initiated for the name QueryName (is parallel query IsParallelNetworkQuery) on network index NetworkIndex with interface count InterfaceCount with first interface name AdapterName, local addresses LocalAddress and Dns Servers DNSServerAddress.","DNS Query sent to DNS Server DnsServerIpAddress for name QueryName and type QueryType.","Received response from DNS Server DnsServerIpAddress for name QueryName and type QueryType with response status ResponseStatus.","NETBIOS query is initiated for name QueryName on network index NetworkIndex with inteface count InterfaceCount with first interface name AdapterName and local addresses LocalAddress.","NETBIOS query is completed for name QueryName with status Status and results QueryResults.","NETBIOS query for the name QueryName is pending.","Cache lookup called for name QueryName, type QueryType, options QueryOptions and interface index InterfaceIndex.","Cache lookup for name QueryName, type QueryType and option QueryOptions returned Status with results QueryResults.","Query wire called for name QueryName, type QueryType, interface index InterfaceIndex and network index NetworkIndex.","Query response for name QueryName, type QueryType, interface index NetworkIndex and network index InterfaceIndex returned Status with results QueryResults.","The system failed to register pointer (PTR) resource records (RRs) for network adapter.","The DNS server has completed a scavenging cycle but no nodes were visited. 
Possible causes of this condition include.","The zone Zone was deleted. [virtualization instance: VirtualizationID].","A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was created in scope ZoneScope of zone Zone. [virtualization instance: VirtualizationID].","A resource record of type Type, name NAME and RDATA RDATA was deleted from scope ZoneScope of zone Zone.","All resource records of type Type, name NAME were deleted from scope ZoneScope of zone Zone. [virtualization instance: VirtualizationID].","A record of type QTYPE, QNAME QNAME was purged from scope Scope in cache.","A resource record scavenging cycle has been started on the DNS Server.","The Active Directory-integrated zone Zone has been updated. Only ScavengeServers can run scavenging.","The Driver Manager service started successfully.","The Driver Manager service is starting a host process for device UMDFDriverManagerHostCreateStart.DeviceInstanceId.","The host process (UMDFDriverManagerHostCreateEnd.LifetimeId) started successfully.","The host process (UMDFDriverManagerHostShutdown.LifetimeId) is being asked to shutdown.","The host process (UMDFDriverManagerHostShutdown.LifetimeId) has been shutdown.","The UMDF Host Process (UMDFHostStartupBegin.LifetimeId) is starting up.","The UMDF Host Process (UMDFHostStartupEnd.LifetimeId) started successfully.","The UMDF Host is loading driver UMDFHostAddDeviceBegin.Service at level UMDFHostAddDeviceBegin.Level for device UMDFHostAddDeviceBegin.InstanceId.","The UMDF Host Process (UMDFHostModuleLoad.LifetimeId) has loaded module UMDFHostModuleLoad.ModulePath while loading drivers for device UMDFHostModuleLoad.InstanceId.","The UMDF Host successfully loaded the driver at level UMDFHostAddDeviceEnd.Level.","The UMDF Host Process (UMDFHostDeviceArrivalEnd.LifetimeId) has successfully loaded drivers for device UMDFHostDeviceArrivalEnd.InstanceId.","Completed a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, 
UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId with status UMDFHostDeviceRequest.Status.","Forwarded a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId to the lower driver with status UMDFHostDeviceRequest.Status.","Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId which was completed by the lower drivers with status UMDFHostDeviceRequest.Status.","The UMDF Host (UMDFHostShutdown.LifetimeId) has been asked to shutdown.","The UMDF Host (UMDFHostShutdown.LifetimeId) has shutdown.","RecycleRangeDestruction.","ESE EventLogInfo Trace.","ESE EventLogWarn Trace.","ESE EventLogError Trace.","RegisterEventSource legacy API was used to register ModuleName.","ReportEvent legacy API was used to write an event to ModuleName.","Legacy security-log clear event from Windows 2000/XP/2003. Superseded by EventID 1102 in Vista+.","Event log automatic backup.","The Fault Tolerant Heap service started.","The Fault Tolerant Heap service stopped.","Microsoft File Share Shadow Copy Provider is loaded.","Microsoft File Share Shadow Copy Provider is unloaded.","Microsoft File Share Shadow Copy Provider primary metadata store is created.","File System Filter 'Process' (Version File.Bypass_IO_Operation, Vetoing_Reason) vetoed bypass IO.","Begin IFunctionDiscovery::GetInstanceCollection(). Category: Begin_IFunctionDiscoveryGetInstanceCollection__Category.","End IFunctionDiscovery::GetInstanceCollection(). Category: End_IFunctionDiscoveryGetInstanceCollection__Category.","Begin IFunctionDiscovery::GetInstance(). FIID: Begin_IFunctionDiscoveryGetInstance__FIID.","End IFunctionDiscovery::GetInstance(). FIID: End_IFunctionDiscoveryGetInstance__FIID.","Begin IFunctionDiscovery::CreateInstanceCollectionQuery(). 
Category: Begin_IFunctionDiscoveryCreateInstanceCollectionQuery__Category.","End IFunctionDiscovery::CreateInstanceCollectionQuery(). Category: End_IFunctionDiscoveryCreateInstanceCollectionQuery__Category.","Begin IFunctionDiscovery::CreateInstanceQuery(). FIID: Begin_IFunctionDiscoveryCreateInstanceQuery__FIID.","End IFunctionDiscovery::CreateInstanceQuery(). FIID: End_IFunctionDiscoveryCreateInstanceQuery__FIID.","Begin IFunctionDiscovery::AddInstance(). Category: Begin_IFunctionDiscoveryAddInstance__Category.","End IFunctionDiscovery::AddInstance(). Category: End_IFunctionDiscoveryAddInstance__Category.","Begin IFunctionDiscovery::RemoveInstance(). Category: Begin_IFunctionDiscoveryRemoveInstance__Category.","End IFunctionDiscovery::RemoveInstance(). Category: End_IFunctionDiscoveryRemoveInstance__Category.","Begin IFunctionInstanceCollectionQuery::Execute(). Category: Begin_IFunctionInstanceCollectionQueryExecute__Category.","End IFunctionInstanceCollectionQuery::Execute(). Category: End_IFunctionInstanceCollectionQueryExecute__Category.","Begin IFunctionInstanceCollectionQuery2::Advise(). Category: Begin_IFunctionInstanceCollectionQuery2Advise__Category.","End IFunctionInstanceCollectionQuery2::Advise(). Category: End_IFunctionInstanceCollectionQuery2Advise__Category.","Begin IFunctionInstanceCollectionQuery2::Unadvise(). Category: Begin_IFunctionInstanceCollectionQuery2Unadvise__Category.","End IFunctionInstanceCollectionQuery2::Unadvise(). Category: End_IFunctionInstanceCollectionQuery2Unadvise__Category.","Begin IFunctionInstanceCollectionQuery2::Start(). Category: Begin_IFunctionInstanceCollectionQuery2Start__Category.","End IFunctionInstanceCollectionQuery2::Start(). Category: End_IFunctionInstanceCollectionQuery2Start__Category.","Begin IFunctionInstanceCollectionQuery2::Stop(). Category: Begin_IFunctionInstanceCollectionQuery2Stop__Category.","End IFunctionInstanceCollectionQuery2::Stop(). 
Category: End_IFunctionInstanceCollectionQuery2Stop__Category.","Begin IFunctionInstanceCollectionQuery2::QueryService(). Category: Begin_IFunctionInstanceCollectionQuery2QueryService__Category.","End IFunctionInstanceCollectionQuery2::QueryService(). Category: End_IFunctionInstanceCollectionQuery2QueryService__Category.","Begin IFunctionInstanceQuery::Execute(). Category: Begin_IFunctionInstanceQueryExecute__Category.","End IFunctionInstanceQuery::Execute(). Category: End_IFunctionInstanceQueryExecute__Category.","Begin IFunctionDiscoveryProvider::Initialize(). Category: Begin_IFunctionDiscoveryProviderInitialize__Category.","End IFunctionDiscoveryProvider::Initialize(). Category: End_IFunctionDiscoveryProviderInitialize__Category.","Begin IFunctionDiscoveryProvider::Query(). Category: Begin_IFunctionDiscoveryProviderQuery__Category.","End IFunctionDiscoveryProvider::Query(). Category: End_IFunctionDiscoveryProviderQuery__Category.","Begin IFunctionDiscoveryProvider::EndQuery(). Category: Begin_IFunctionDiscoveryProviderEndQuery__Category.","End IFunctionDiscoveryProvider::EndQuery(). Category: End_IFunctionDiscoveryProviderEndQuery__Category.","Begin IFunctionDiscoveryProvider::InstancePropertyStoreValidateAccess(). FIID: Begin_IFunctionDiscoveryProviderInstancePropertyStoreValidateAccess__FIID.","End IFunctionDiscoveryProvider::InstancePropertyStoreValidateAccess(). FIID: End_IFunctionDiscoveryProviderInstancePropertyStoreValidateAccess__FIID.","Begin IFunctionDiscoveryProvider::InstancePropertyStoreOpen(). FIID: Begin_IFunctionDiscoveryProviderInstancePropertyStoreOpen__FIID.","End IFunctionDiscoveryProvider::InstancePropertyStoreOpen(). FIID: End_IFunctionDiscoveryProviderInstancePropertyStoreOpen__FIID.","Begin IFunctionDiscoveryProvider::InstancePropertyStoreFlush(). FIID: Begin_IFunctionDiscoveryProviderInstancePropertyStoreFlush__FIID.","End IFunctionDiscoveryProvider::InstancePropertyStoreFlush(). 
FIID: End_IFunctionDiscoveryProviderInstancePropertyStoreFlush__FIID.","Begin IFunctionDiscoveryProvider::InstanceQueryService(). FIID: Begin_IFunctionDiscoveryProviderInstanceQueryService__FIID.","End IFunctionDiscoveryProvider::InstanceQueryService(). FIID: End_IFunctionDiscoveryProviderInstanceQueryService__FIID.","Begin IFunctionDiscoveryProvider::InstanceReleased(). FIID: Begin_IFunctionDiscoveryProviderInstanceReleased__FIID.","End IFunctionDiscoveryProvider::InstanceReleased(). FIID: End_IFunctionDiscoveryProviderInstanceReleased__FIID.","Begin IProviderPublishing::CreateInstance(). Category: Begin_IProviderPublishingCreateInstance__Category.","End IProviderPublishing::CreateInstance(). Category: End_IProviderPublishingCreateInstance__Category.","Begin IProviderPublishing::RemoveInstance(). Category: Begin_IProviderPublishingRemoveInstance__Category.","End IProviderPublishing::RemoveInstance(). Category: End_IProviderPublishingRemoveInstance__Category.","Begin asyncronous query. Category: Begin_asyncronous_query__Category.","Asynchronous query complete. 
Category: Asynchronous_query_complete__Category.","Starting periodic policy processing for user PrincipalSamName.","Starting to save policies to the local datastore.","Successfully saved policies to the local datastore.","Completed periodic policy processing for user PrincipalSamName in PolicyElaspedTimeInSeconds seconds.","This machine is configured to retrieve Group Policy files from a file share in an insecure way.","A user signed into the device with the following information.","A user is signing into the device with the following gesture information.","Windows Hello for Business On-Premise authentication configurations.","Windows Hello is validating that the device can satisfy all applicable policies.","A user failed to sign into the device with the following information.","Windows Hello for Business detected the user running in a remote desktop session.","Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information.","Windows Hello for Business successfully removed a user entry to the Username/SID cache with the following information.","Windows Hello for Business found a user entry with a duplicate SID and successfully removed the unused username from the Username/SID cache.","Windows Hello for Business found a user entry with a duplicate username and successfully removed the unused SID from the Username/SID cache.","Windows Hello for Business found a stale SID in the Username/SID cache.","Windows Hello for Business found a stale username in the Username/SID cache.","Windows Hello for Business removed a stale SID from the Username/SID cache.","Windows Hello for Business removed a stale username from the Username/SID cache.","Windows Hello for Business PIN was changed by a user with the following information.","Core initialization failed. Details: Core_initialization_failed__Details.","Page initialization failed. Details: Page_initialization_failed__Details Page: Page.","GetHomeGroupStatus failed. 
Details: GetHomeGroupStatus_failed__Details.","GetSharingFlags failed. Details: GetSharingFlags_failed__Details.","PopulateSharedFolderList failed. Details: PopulateSharedFolderList_failed__Details.","Retrieve file sharing failed. Details: Retrieve_file_sharing_failed__Details.","Retrieve public folder failed. Details: Retrieve_public_folder_failed__Details.","Retrieve printer sharing failed. Details: Retrieve_printer_sharing_failed__Details.","Retrieve media sharing failed. Details: Retrieve_media_sharing_failed__Details.","Commit network discovery failed. Details: Commit_network_discovery_failed__Details Context: Context.","Commit file sharing failed. Details: Commit_file_sharing_failed__Details Context: Context.","Commit public folder failed. Details: Commit_public_folder_failed__Details Context: Context.","Commit printer sharing failed. Details: Commit_printer_sharing_failed__Details Context: Context.","Commit media sharing failed. Details: Commit_media_sharing_failed__Details Context: Context.","Share folder failed. Details: Share_folder_failed__Details FolderId: FolderId Context: Context.","Retrieve printer sharing failed. Details: Retrieve_printer_sharing_failed__Details.","Commit public folder failed. Details: Commit_public_folder_failed__Details Context: Context.","HNS failed to create vmswitch with error 'Parameter0' and adapter id = 'Parameter1'.","Guest Network Service state changed. Id: 'GnsId', State: 'GnsState'.","RPC request received. Type: 'Data_0', Entity: 'Request', Id: 'Entity', Access Level: 'RpcAccessLevel', Data: 'Id'.","Hot-add information: Current UxNumberOfProcessors: Hotadd_information_Current_UxNumberOfProcessors, comment: comment.","Thread pool extension. Pool type: Thread_pool_extension_Pool_type, active pools: active_pools.","Thread ready. Pool type: Thread_ready_Pool_type, active pools: active_pools, thread count: thread_count.","Thread pool trim. Pool type: Thread_pool_trim_Pool_type, active pools: active_pools.","Thread gone. 
Pool type: Thread_gone_Pool_type, active pools: active_pools, thread count: thread_count.","QUIC Connection. QuicConnectionId: QUIC_Connection_QuicConnectionId, Connection: Connection, Local IP: Remote_IP, Remote IP: ErrorCode, SNI: QuicConnectionId, ErrorCode: LocalAddressLength, Status: LocalAddress.","QUIC Connection Callback. Connection: QUIC_Connection_Callback_Connection, Event: Event, EventParam: EventParam.","QUIC Stream. QuicStreamId: QUIC_Stream_QuicStreamId, Connection: Connection, Stream: Stream.","QUIC Stream Callback. Stream: QUIC_Stream_Callback_Stream, Connection: Connection, StreamType: StreamType, Event: Event, EventParam: EventParam.","SSL handshake failed. Local IP: Remote_IP, Remote IP: Thumbprint, SNI: Client_Initiated_Disconnect, Thumbprint: Connection_Status, Client Initiated Disconnect: LocalAddressLength, Abortive Disconnect: LocalAddress, Connection Status: RemoteAddressLength.","SSL renegotiate timed out. Local IP: Remote_IP, Remote IP: Thumbprint, SNI: Connection_Buffer_Full, Thumbprint: LocalAddress, Connection Buffer Full: RemoteAddressLength.","HTTP 11 Required. Verb: HTTP_11_Required_Verb, Fault Code: Fault_Code.","QUIC Registration Failed. Status: QUIC_Registration_Failed_Status.","Create URL group UrlGroupId. Status Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.","Attempted to add URL (Url) to URL group (UrlGroupId). Status: Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.","SSL Certificate Settings deleted for endpoint : Endpoint. Status Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.","SSL Certificate Settings created by an admin process for endpoint : Endpoint. Status Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.","'VmlEventLog.VmName' successfully booted an operating system. (Virtual machine ID VmlEventLog.VmId).","'VmlEventLog.VmName' failed to boot an operating system. 
(Virtual machine ID VmlEventLog.VmId).","[VmlEventLog.SystemId] Start compute system, result VmlEventLog.Result.","[VmlEventLog.SystemId] Terminate compute system, result VmlEventLog.Result.","[VmlEventLog.SystemId] Pause compute system, options 'VmlEventLog.Parameter0', result VmlEventLog.Result.","[VmlEventLog.SystemId] Modify compute system, settings 'VmlEventLog.Parameter0', result VmlEventLog.Result.","[VmlEventLog.SystemId] Query compute system notification, result VmlEventLog.Result, notification VmlEventLog.Parameter0 / VmlEventLog.Parameter1.","[VmlEventLog.SystemId] Save compute system, options 'VmlEventLog.Parameter0', result VmlEventLog.Result.","The dynamic memory balancer timer was started.","Hypervisor Load Options - LoadOptions.","Host processor features mask: BankCount.","Hyper-V successfully created a new partition (partition PartitionId).","Hyper-V successfully deleted a partition (partition PartitionId).","Hypervisor successfully started.","Hypervisor scheduler type is SchedulerType.","Hypervisor initialized I/O remapping.","Hypervisor configured mitigations for CVE-2018-3646 for virtual machines.","The queried interface version Max is not supported (Min : CurrentVersion, Max : MinVersion).","Hypervisor configured mitigations for CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 for virtual machines.","AMD PSP PCI device discovered. Segment: AMD_PSP_PCI_device_discovered_Segment, bus: bus, device: device, function: function.","NDK PnP event failed. PnPEvent: NDK_PnP_event_failed_PnPEvent Miniport: 'MiniportNameLen' FailureReason: NetEvent Status: Status.","VF adapter bind failed. FailureReason: VF_adapter_bind_failed_FailureReason MsgStatus: MsgStatus.","IO latency summary.","IO latency summary.","'VmNicNoAvailableMac.VmName' VmNicNoAvailableMac.NicName (VmNicNoAvailableMac.NicGuid) started successfully. 
(Virtual Machine ID VmNicNoAvailableMac.VmId).","'VmNicNoAvailableMac.VmName' VmNicNoAvailableMac.NicName (VmNicNoAvailableMac.NicGuid) Connected to virtual network. (Virtual Machine ID VmNicNoAvailableMac.VmId).","'VmlEventLog.VmName': VmlEventLog.ErrorCodeString (VmlEventLog.String) started successfully. (Virtual machine ID VmlEventLog.VmId).","Found a certificate for server authentication. Remote access to virtual machines is now possible.","Auto-generating a self-signed certificate for server authentication.","A new virtual machine 'VmlEventLog.VmName' was created. (Virtual machine ID VmlEventLog.VmId).","The virtual machine 'VmlEventLog.VmName' was deleted. (Virtual machine ID VmlEventLog.VmId).","Virtual Machine Management service is started successfully.","Shut down physical computer. Stopping/saving all virtual machines...","The Virtual Machine Management service is waiting for a servicing operation (VmlEventLog.Parameter0) to complete.","The Virtual Machine Management service has successfully waited for the VmlEventLog.Parameter0 servicing operation to complete.","Failed to modify service settings.","'VmlEventLog.VmName' failed to start. (Virtual machine ID VmlEventLog.VmId).","Created configuration store for 'VmlEventLog.Parameter0'.","'VmlEventLog.VmName' failed to start worker process: VmlEventLog.ErrorMessage (VmlEventLog.ErrorCode). (Virtual machine ID VmlEventLog.VmId).","The Hyper-V Virtual Machine Management service encountered an unexpected error: VmlEventLog.ErrorMessage (VmlEventLog.ErrorCode).","The operation failed.","The Virtual Machine Management service successfully completed the export operation of virtual machine 'VmlEventLog.VmName' (VMID VmlEventLog.VmId).","The virtual machine 'VmlEventLog.VmName' was realized. (VMID VmlEventLog.VmId).","The WMI provider 'VmlEventLog.Parameter0' has started.","The WMI provider 'VmlEventLog.Parameter0' has shut down.","'VmlEventLog.VmName' background disk merge has been started. 
(Virtual machine ID VmlEventLog.VmId).","'VmlEventLog.VmName' background disk merge has been finished successfully. (Virtual machine ID VmlEventLog.VmId).","'VmlEventLog.VmName' background disk merge has been interrupted. (Virtual machine ID VmlEventLog.VmId).","The selected security settings of virtual machine 'VmlEventLog.VmName' cannot be changed without a valid key protector configured. Configure a valid key protector and try again. (Virtual machine ID VmlEventLog.VmId).","Successfully started the Virtual Machine migration connection manager.","Failed to set security info for 'VmlEventLog.Parameter0': 'VmlEventLog.Parameter1'('VmlEventLog.Parameter2').","The Virtual Machine Management service successfully completed the storage migration of virtual machine 'VmlEventLog.VmName' (Virtual machine ID VmlEventLog.VmId).","Trying to assign Virtual FibreChannel Resource to a Virtual FibreChannel Connection Pool (Virtual SAN) with PoolId: 'VmlEventLog.Parameter0'. This is not supported on Windows Client SKUs.","Failed to create a resource pool.","Replication health limits.","Replication health limits.","Replication health limits.","Replication health limits.","Change tracking has defined following limits for free disk space.","Change tracking has defined following limits for pending log file size.","Incremental Replication will timeout after VmlEventLog.Parameter0 hours. 
Minimum value for timeout is VmlEventLog.Parameter1 hours.","Hyper-V would age out CDP reference points after VmlEventLog.Parameter0 hours.","'VmlEventLog.VmName' The VmlEventLog.RepositoryName repository has logged performance summary (Virtual machine ID VmlEventLog.VmId) [VmlEventLog.Comments]: VmlEventLog.PerformanceSummary.","Switch created, name='VmlEventLog.Parameter0', friendly name='VmlEventLog.Parameter1'.","Switch deleted, name='VmlEventLog.Parameter0', friendly name='VmlEventLog.Parameter1'.","Switch port created, switch name = 'VmlEventLog.Parameter0', switch friendly name = 'VmlEventLog.Parameter2', port name = 'VmlEventLog.Parameter1', port friendly name='VmlEventLog.Parameter3'.","Internal miniport created, name = 'VmlEventLog.Parameter0', friendly name = 'VmlEventLog.Parameter1', MAC = 'VmlEventLog.Parameter2'.","Internal miniport deleted, name = 'VmlEventLog.Parameter0', friendly name = 'VmlEventLog.Parameter1'.","Ethernet switch port connected (switch name = 'VmlEventLog.Parameter0', port name = 'VmlEventLog.Parameter1', adapter GUID = 'VmlEventLog.Parameter2').","Ethernet switch port disconnected (switch name = 'VmlEventLog.Parameter0', port name = 'VmlEventLog.Parameter1').","The system is compacting 'VmlEventLog.PathName'.","The system successfully compacted 'VmlEventLog.PathName'.","The system mounted 'VmlEventLog.PathName'.","The system is creating 'VmlEventLog.PathName'.","The system successfully created 'VmlEventLog.PathName'.","The system is resizing 'VmlEventLog.PathName'.","The system successfully resized 'VmlEventLog.PathName'.","Switch SwitchName (Friendly Name: SwitchFName) info successfully set.","Delete complete for Switch SwitchName (Friendly Name: SwitchFName).","Port PortName (Friendly Name: PortFName) successfully created on switch SwitchName (Friendly Name: SwitchFName).","Port PortName (Friendly Name: PortFName) successfully deleted - switch SwitchName (Friendly Name: SwitchFName).","Delete complete for port PortName (Friendly 
Name: PortFName).","NIC NicName (Friendly Name: NicFName) restarted.","Media connected on NIC NicName (Friendly Name: NicFName).","Media disconnected on NIC NicName (Friendly Name: NicFName).","Virtual RSS configuration update succeeded on NIC NicName (Friendly Name: NicFName) of switch SwitchName (Friendly Name: SwitchFName).","Ndk Oid NdisOid for external NIC PtNicName (Friendly Name: PtNicFName) on behalf of virtual NIC NicName (Friendly Name: NicFName). Status: Status. Reason: FailReason.","Status change (NicStatus) sent to Nic NicName (Friendly Name: NicFName) on port PortName (Friendly Name: PortFName) on switch SwitchName (Friendly Name: SwitchFName). NicStatus: NicStatus, Status: Status.","Miniport NIC NicName (Friendly Name: NicFName) successfully enabled.","Miniport NIC NicName (Friendly Name: NicFName) successfully initialized.","Switch SwitchName (Friendly Name: SwitchFName) successfully initialized.","Failed to initialize switch SwitchName (Friendly Name: SwitchFName), status = Status, UniqueEvent = UniqueEvent.","Switch SwitchName (Friendly Name: SwitchFName) successfully deleted.","Networking driver in VMName is loaded and the protocol version is negotiated to the most recent version (Virtual machine ID VMId).","NIC NicName (Friendly Name: NicFName) successfully connected to port PortName (Friendly Name: PortFName) on switch SwitchName(Friendly Name: SwitchFName).","The operation 'Operation' succeeded on nic NicName (Friendly Name: NicFName), Instance Id NicInstanceId.","NIC NicName successfully disconnected from port PortName.","Internal or External Port PortName (Friendly Name: PortFName) successfully created on switch SwitchName (Friendly Name: SwitchFName).","'VMName': VSMB Share is creating ShareName: 'ShareName' SharePath: 'SharePath' ShareFlags: ShareFlags. 
(Virtual machine ID VMId).","'VmlEventLog.VmName' The VmlEventLog.RepositoryName repository has logged performance summary (Virtual machine ID VmlEventLog.VmId) [VmlEventLog.Comments]: VmlEventLog.PerformanceSummary.","'VmlEventLog.VmName' started successfully. (Virtual machine ID VmlEventLog.VmId).","'VmlEventLog.VmName' was turned off. (Virtual machine ID VmlEventLog.VmId).","'VmlEventLog.VmName' saved successfully. (Virtual machine ID VmlEventLog.VmId).","'VmlEventLog.VmName' was paused. (Virtual machine ID VmlEventLog.VmId).","'VmlEventLog.VmName' was resumed. (Virtual machine ID VmlEventLog.VmId).","'VmlEventLog.VmName' was restored successfully. (Virtual machine ID VmlEventLog.VmId).","'VmlEventLog.VmName' properties were successfully initialized. (Virtual machine ID VmlEventLog.VmId).","'VmlEventLog.VmName': Virtual machine successfully negotiated Virtual PCI protocol version VmlEventLog.Parameter1 on 'VmlEventLog.Parameter0'. (Virtual machine ID VmlEventLog.VmId).","'VmlEventLog.VmName': A virtual PCI device was successfully offered to the virtual machine: 'VmlEventLog.Parameter0'. PnpID = 'VmlEventLog.Parameter1', FunctionType = VmlEventLog.Parameter2. (Virtual machine ID VmlEventLog.VmId).","'VmlEventLog.VmName': The guest operating system powered on a virtual PCI device: 'VmlEventLog.Parameter0'. (Virtual machine ID VmlEventLog.VmId).","An error has occurred: Message.","Unable to find schema for config section 'SectionPath'. 
This section will be ignored.","Changes have successfully been committed to 'ConfigPath'.","Connecting to IPAM database failed with.","IPAM provisioning failed with error: ErrorMessage.","The IPAM audit task for collection of audit information has started.","The user 'UserName' is allowed to perform operation 'OperationName' as the user is part of 'GroupName' group.","Starting Teredo Offload with.","IPHTTPS: InterfaceName:IPHTTPS_InterfaceName InterfaceType:InterfaceType RegistryState:RegistryState CurrentState:CurrentState URL:URL AuthenticationMode:AuthenticationMode.","Local Prefix Discovered: InterfaceLuid PrefixLength, Prefix: InterfaceLuid, PrefixLength: Prefix.","464xlat Enabled: InterfaceLuid RemotePrefix, Metric: RemotePrefixLength, RemotePrefix: LocalPrefix, RemotePrefixLength: LocalPrefixLength, LocalPrefix: InterfaceLuid, LocalPrefixLength: Metric.","464xlat Disabled: InterfaceLuid RemotePrefix, Metric: RemotePrefixLength, RemotePrefix: LocalPrefix, RemotePrefixLength: LocalPrefixLength, LocalPrefix: InterfaceLuid, LocalPrefixLength: Metric.","Remote Prefix Discovered: InterfaceLuid PrefixLength, Prefix: InterfaceLuid, PrefixLength: Prefix.","Secure Trustlet ImageName Id TrustletIdentity and Pid NormalProcessId started with status Status.","Secure Trustlet Id TrustletIdentity and Pid NormalProcessId stopped with status Status.","Secure Kernel started with status Status and flags Flags.","Secure Trustlet ImageName Id TrustletIdentity and Pid NormalProcessId started with status Status.","The Key Distribution Center (KDC) cannot find a suitable certificate to use. This KDC is not enabled for smart card or certificate authentication.","The Key Distribution Center (KDC) is being started.","The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication.","VSM Identity Key Provisioning. Unsealing cached copy status: CachedCopyStatus. New key generation status: IdkGenerationStatus. 
Measuring to PCR status: MeasuringStatus. Sealing and caching status: SealingAndCachingStatus.","Measured Boot Measurement Failure. Status: Measured_Boot_Measurement_Failure_Status.","TPM Measurement Failure. Status: TPM_Measurement_Failure_Status.","SMM isolation level decreased. Reason: SMM_isolation_level_decreased_Reason.","Soft reboot call to checkpoint failed: Function (checkpoint: Status).","SMM isolation detected. Level: SMM_isolation_detected_Level.","Crash dump disable failed. NT status: Crash_dump_disable_failed_NT_status.","Crash dump load driver failed. NT status: Crash_dump_load_driver_failed_NT_status.","Crash dump reconfigured. NT status: Crash_dump_reconfigured_NT_status.","Dump disabled forcefully (ForceDumpDisabled: Dump_disabled_forcefully_ForceDumpDisabled).","Session \"SessionName\" stopped due to the following error: ErrorCode.","The maximum file size for session \"SessionName\" has been reached. As a result, events might be lost (not logged) to file \"FileName\". The maximum files size is currently set to MaxFileSize bytes.","Error setting traits on Provider ProviderGuid. Error: ErrorCode.","TxR init phase for hive ExtraString (TM: TmId, RM: RmId) finished with result=Status (Internal code=InternalCode).","Writing dump file ended. NT Status: Writing_dump_file_ended_NT_Status. Total NTStatus bytes (Header|Primary|Secondary: TotalBytes|HeaderBytes|PrimaryDataBytes bytes). DumpWriteDuration: SecondaryDataBytesms.","Sizing Workflow: Allocation. NT: Sizing_Workflow_Allocation_NT bytes. Hypervisor: Primary NtPrimaryDataBytes bytes. 
Secondary HvPrimaryDataBytes bytes.","TCPv4: size bytes transmitted from saddr:sport to daddr:dport.","TCPv4: size bytes received from saddr:sport to daddr:dport.","TCPv4: Connection attempted between saddr:sport and daddr:dport.","TCPv4: Connection closed between saddr:sport and daddr:dport.","TCPv4: Connection established between saddr:sport and daddr:dport.","TCPv4: Reconnect attempt between saddr:sport and daddr:dport.","TCPv4: size bytes copied in protocol on behalf of user for connection between saddr:sport and daddr:dport.","TCPv6: size bytes transmitted from saddr:sport to daddr:dport.","TCPv6: size bytes received from saddr:sport to daddr:dport.","TCPv6: Connection attempted between saddr:sport and daddr:dport.","TCPv6: Connection closed between saddr:sport and daddr:dport.","TCPv6: Connection established between saddr:sport and daddr:dport.","UDPv4: size bytes transmitted from saddr:sport to daddr:dport.","UDPv4: size bytes received from saddr:sport to daddr:dport.","UDPv6: size bytes transmitted from saddr:sport to daddr:dport.","UDPv6: size bytes received from saddr:sport to daddr:dport.","Device Driver_Name failed configuration.","Device Driver_Name had its configuration blocked by policy.","Device DeviceInstanceId was deleted.","Device Veto_type has completed a platform-level device reset.","Timer tick distribution policy.","The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.","Firmware S3 times. 
SuspendStart: Firmware_S3_times_SuspendStart, SuspendEnd: SuspendEnd.","The system has detected a system initiated reboot from AdaptiveTargetState.","Process ProcessID started at time ProcessSequenceNumber by parent CreateTime running in session ParentProcessID with name ParentProcessSequenceNumber.","Process ProcessID (which started at time CreateTime) stopped at time ExitTime with exit code ExitCode.","Thread ThreadID (in Process ProcessID) started.","Thread ThreadID (in Process ProcessID) stopped.","Process ProcessID had an image loaded with name ImageName.","Process ProcessID had an image unloaded with name ImageName.","Base CPU priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.","CPU priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.","Page priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.","I/O priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.","Job Container ID started with status code Job ID.","Job Container ID terminated with status code Job ID.","Machine Check Event reported is a Bus or Interconnect error.","Machine Check Event reported is a Bus or Interconnect timeout error.","Machine Check Event reported is a fatal Bus or Interconnect error.","Machine Check Event reported is a fatal Bus or Interconnect timeout error.","A Wired_Group_Policy_Name Wired Group Policy was applied to your computer.","LAPS is using the following domain controller.","LAPS was unable to bind over LDAP to the domain controller.","The current policy is configured to backup the password to Azure Active Directory, but has a configured PasswordAgeDays value that is less than the required minimum.","Error: HRESULT: Error_HRESULT Location: Location Line Number: Line_Number.","Error Propagated: HRESULT: Error_Propagated_HRESULT Location: Location Line Number: Line_Number.","ActiveSyncProvider:[Ctrl] [meeting_id] 
[MeetingResponsesSyncSession] Setting placeholder meeting server id for successful response (request id: Prop_Dword_1, meeting id: Prop_String1).","ActiveSyncProvider:[Ctrl] [meeting_id] [MeetingResponsesSyncSession] Deleting placeholder meeting for succesful response (request id: Prop_Dword_1, meeting id: Prop_String1).","ActiveSyncProvider: Detected invalid change for item expected_parent (change type: expected_parent_type, expected parent: actual_parent, expected parent type: actual_parent_type, actual parent: Prop_String1, actual parent type: Prop_Dword1).","DavSyncProvider: Uploading change (item id: DavSyncProvider_Uploading_change_item_id, type: type).","DavSyncProvider: Uploaded change (item id: DavSyncProvider_Uploaded_change_item_id, type: type, status: status).","Error: HRESULT: Error_HRESULT Location: Location Line Number: Line_Number.","Error Propagated: HRESULT: Error_Propagated_HRESULT Location: Location Line Number: Line_Number.","Mms Mime: Invalid phone number: Mms_Mime_Invalid_phone_number.","Error: HRESULT: Error_HRESULT Location: Location Line Number: Line_Number.","Error Propagated: HRESULT: Error_Propagated_HRESULT Location: Location Line Number: Line_Number.","NetworkHelper::HttpTransport: Callback error: Handle: NetworkHelperHttpTransport_Callback_error_Handle Error: Error.","NetworkHelper::HttpTransport: Request Failure: Handle: NetworkHelperHttpTransport_Request_Failure_Handle Error: Error.","NetworkHelper::CrackUrl Failure. 
HR: NetworkHelperCrackUrl_Failure_HR Url: Url.","Http: Http: Unknown status: Unknown_status.","Http: Total bytes received: Http_Total_bytes_received.","Http: Http: Total Body Bytes sent: Total_Body_Bytes_sent.","Http: HTTP Error: Http_HTTP_Error.","Http: Content Lengtgh: Http_Content_Lengtgh.","Receive WNF event; current mode: Receive_WNF_event_current_mode, current value: current_value.","Allocation range.","Autopilot policy [Message1] not found.","AutopilotManager reported the state changed from InitialState to UpdateState.","AutopilotManager retrieve settings succeeded.","AutopilotManager determined download is not required and the device is not provisioned. Clean or reset the device to change this.","AutopilotManager determined Internet is available to attempt policy download.","AutopilotManager reported Internet is now available.","AutopilotManager reported that Autopilot profile download is now complete.","AutopilotManager is determining whether device has internet access.","AutopilotManager is determining Autopilot profile availability.","AutopilotSync: Using user SID: AutopilotSync_Using_user_SID.","Autopilot Provisioning change. Session Id: Autopilot_Provisioning_change_Session_Id, sequence number: sequence_number.","Autopilot downloader saved the new profile to Message1.","Autopilot downloader retrieved an empty profile for Message1.","Autopilot downloader cleared the local profile for Message1.","MDM Alert sync session: FeatureName: MDM_Alert_sync_session_FeatureName, IsCompleted: IsCompleted, SessionState: SessionState, SyncSessionId: SyncSessionId, EnrollmentId: EnrollmentId.","Diagnostic extraction failed. 
Error: Diagnostic_extraction_failed_Error, State: State.","AutopilotManager loaded configuration file Message1.","Management service starting.","Management service started.","Management service shutdown.","Management service cleared the local Autopilot cached state.","Management service will use Message1 for persisted storage.","Management service did not find Message1. Attempting to create it.","Management service created Message1.","Starting. Video: Starting_Video (Video_Bit_Rate,Region). Audio Channels: VideoX, Video Bit Rate: VideoY, Audio Bit Rate AudioChannels, Seek Offset VideoBitRatems.","Stopping. Bytes Muxed: Stopping_Bytes_Muxed, Video Frames Received: Video_Frames_Received, Video Frames Encoded: Video_Frames_Encoded, Audio Bytes Received: Audio_Bytes_Received, Audio Frames Encoded: Audio_Frames_Encoded.","Retrieving Max connections failed. MaxCon: Retrieving_Max_connections_failed_MaxCon. HResult: HResult.","MS DTC started with the following settings (OFF = 0 and ON = 1).","Unable to translate the MS DTC error code to the appropriate MS DTC error message. The MS DTC error code was: param1.","NCA PerfTrack Scenario Event. MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. 
MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","NCA PerfTrack Scenario Event. 
MachineId: NCA_PerfTrack_Scenario_Event_MachineId, SessionId: SessionId, DeploymentId: DeploymentId, StopState: StopState.","Network connected device (Name: Network_connected_device_Name; Model String1) got qualified for automatic setup.","Network connected device (Name: Network_connected_device_Name; Model String1) got disqualified for automatic setup because it was manually removed earlier.","Network connected device (Name: Network_connected_device_Name; Model String1) got disqualified for automatic setup because its device category is disqualified.","Network connected device (Name: Network_connected_device_Name; Model String1) got disqualified for automatic setup due to an unexpected error (String2).","Network connected device (Name: Network_connected_device_Name; Model String1) got disqualified for automatic setup because its device category property is missing.","Network connected device (Name: Network_connected_device_Name; Model String1) got disqualified for automatic setup because its device IP address property is missing.","Network connected device (Name: Network_connected_device_Name; Model String1) got disqualified for automatic setup because its device PnP-X Id property is missing.","Default gateway is set on GatewayIP (GatewayMAC Family: KnownProxyless GatewayIP: KnownOppInternet GatewayMAC: InterfaceGuid KnownHotspot: IfLuid KnownOppInternet: Family KnownProxiedOppInternet: IpAddressLength).","Next hop to Internet has changed on HasNextHopToInternet (NextHopAddress Family: InterfaceGuid HasNextHopToInternet: IfLuid NextHopAddress: NextHopAddressLength).","Preferred address change on HasPreferredAddress (AddressSuffixOrigins Family: InterfaceGuid HasPreferredAddress: IfLuid AddressSuffixOrigins: Family).","Preferred global address change on HasPreferredGlobalAddress (AddressSuffixOrigins Family: InterfaceGuid HasPreferredGlobalAddress: IfLuid AddressSuffixOrigins: Family).","Inside/Outside probe failed for interface Host.","Miniport Duration on 
processor Individual has an RST limit change from CurrentProcessorIndex to NumberOfNetBufferLists NBLs per indication (NumNbls: Cummulative, Duration: NetLuidIndex, Individual: ProcessingDurationMilliseconds, Cummulative: PreviousLimit).","Event source: Event_source: LayerCount, IfIndex: SourceId, LayerCount: SourceName.","Interface (Luid:Interface_Luid) added to per-interface list for proc _IfLuid at active index _ProcNum.","Flow Context (Flow Id:Flow_Context_Flow_Id) Refcount_FlowHandle.","NduUpdateProcessStatsForContainerOrVmId succeeded: CurrentProcNumber:NduUpdateProcessStatsForContainerOrVmId_succeeded_CurrentProcNumber PartitionId:PartitionId Direction:Direction IfLuid:IfLuid IfType:IfType BytesSent:BytesSent BytesRecvd:BytesRecvd.","OuterProcessId: VirtualIfLuid:IfAlias OuterProcessId:Title IfAlias:VirtualIfLuid.","Source Provider: SourceProvider Context: Context.","Source Provider: SourceProvider Context: Context.","Source Provider: SourceProvider Context: Context.","ControlChannelTrigger may have been reset due to Software_Slot. Slot types affected: Hardware Slot: ResetReason. Software Slot: HardwareSlotReset.","Autotrigger: auto trigger module initialization completed with Error = Error.","Autotrigger: auto trigger Config registry content completed with Error = Error.","Ignoring UNC Hardening Configuration Property: Unsupported property name.","Unable to parse UNC Hardening Configuration Entry: Unexpected token.","Unable to parse UNC Hardening Configuration Entry: Unable to parse integer.","Unable to parse UNC Hardening Configuration Entry: Unable to parse string.","SA Context 5nProtocol:\\nLocal Address: SaContextID:LocalMask\\nRemote Address: LocalAddr:LocalPort\\nProtocol: RemoteAddress.","Stop gateway resolution on interface NlnsState for MAC. 
Error: InterfaceGuid NlnsState: GatewayIpAddress MAC: MacAddrLen.","Gateway resolution failed on interface InterfaceGuid for GatewayIpAddress with error: ErrorCode.","NTFS KSR data retrieval failed.","File's duplicate info has been updated during flush.","NTFS KSR data prepare failed.","NTFS KSR data fill failed.","In the past SecondsElapsed seconds TotalCountDeleteFile files were deleted from the user's popular known folders (i.e. Desktop, Documents, Downloads, Music, Pictures, Videos, etc.).","A process has not acknowledged an NTFS oplock break in a long time.","The NTFS volume dismount failed.","NTFS failed to mount the volume.","WorkItem queued, WorkItem: WorkItem_queued_WorkItem, Reason: Reason.","WorkItem queue failed, WorkItem: WorkItem_queue_failed_WorkItem, Reason: Reason, Error: Error.","WorkItem started, WorkItem: WorkItem_started_WorkItem, Reason: Reason.","WorkItem completed, WorkItem: WorkItem_completed_WorkItem, Reason: Reason.","The system failed to flush data to the transaction log. 
Corruption may occur in VolumeId: VolumeId, DeviceName: DeviceName.","NTLM authentication failed because access control restrictions are required.","NTLM authentication succeded, but it will fail when Authentication Policy is enforced because access control restrictions are required.","NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.","NTLM Minimum Client Security Block.","NTLM Minimum Server Security Block.","Attempt to get credential key by call package blocked by Credential Guard.","[Nwf] [Status]: Nwf_Status: Status = StatusAnnotation , Context1 = Status.","[WorkerRequestHandler]: WorkerRequestHandler Context1 = StatusAnnotation, Context2 = Context1.","Notification message ActivityType: Status/Active: Message, ActivityType: StatusActive.","Activators received acknowledgement: Status: Activators_received_acknowledgement_Status, State: State.","Notification started: Type: Notification_started_Type, ClientContext:ClientContext, PDC Sequence:PDC_Sequence, Value:Value, WaitTime:WaitTime.","Control notification: Type: Control_notification_Type, Flags:Flags.","Invalid notification: Client: Invalid_notification_Client, Expected sequence number:Expected_sequence_number, Received sequence number:Received_sequence_number.","Notification received: Client: Notification_received_Client, Received sequence number:Received_sequence_number.","Notification message: Client Control, Message: Status, Control: PDC_Sequence, Status: Client; PDC Sequence: Message.","Resiliency Message ClientState, TransactionId: ClientStatus, ClientState: SendMessage, ClientStatus: UserModeMessage, SendMessage: Message, UserModeMessage: TransactionId.","PDC received monitor request ON/OFF: PDC_received_monitor_request_ONOFF, Console:Console.","PDC Suspend/Resume handler activated. 
:PDC_SuspendResume_handler_activated.","PDC Session handler - Session Connected, Console: SessionId, Connected: Console.","PDC Initialization - AoAc: PDC_Initialization__AoAc, Status:Status.","Suspend/resume message PowerEvent: Transaction id: Message, PowerEvent: TransactionId.","Suspend/resume started: Type: Suspendresume_started_Type, Session: Session, IteratioType: IteratioType, ClientContext:ClientContext, PDC Sequence:PDC_Sequence, Power Event:Power_Event, WaitTime:WaitTime.","Notification received: Client: Notification_received_Client, Received sequence number:Received_sequence_number.","Invalid notification: Client: Invalid_notification_Client, Expected sequence number:Expected_sequence_number, Received sequence number:Received_sequence_number.","PDC state changed: new: PDC_state_changed_new, old:old.","Rundown of PDC task client ReferenceCount - PDC identifier:Status, ReferenceCount:Name, Status:Client, Name:PdcId.","Rundown of PDC scenario client Active - PDC identifier:Status, Active:Name, Status:Client, Name:PdcId.","Rundown of SPM scenario Flags - GUID:State, Flags:Name, State:Scenario, Name:ScenarioNameLength.","NVDIMM Slot_number encountered an error while transferring your data to or from persistent media (see the Details tab for more information). Some of your data may have been lost.","NVDIMM Slot_number encountered an error that makes it unable to save your data if your computer shuts down. Consider backing up your data to another disk.","NVDIMM-N Slot_number encountered a serious problem that may cause data saved to this NVDIMM-N to be lost when the computer shuts down or restarts. Consider backing up your data to another disk.","The problem with NVDIMM-N Slot_number was resolved. Data saved to this NVDIMM-N is no longer at risk.","NVDIMM-N Slot_number is in a degraded health state and may soon encounter serious problems. 
Consider backing up your data to another disk.","NVDIMM-N Slot_number has encountered NfitHandle uncorrectable memory error(s). Uncorrectable memory errors can cause system instability and data loss. Consider replacing this NVDIMM-N.","CAD: Notifying Battery Driver - Id:CAD_Notifying_Battery_Driver_____Id MaxCurrent:MaxCurrent Info:Info Status:Status ChargerId:ChargerId.","CAD: Power Source Update Call - Id:CAD_Power_Source_Update_Call_____Id MaxCurrent:MaxCurrent Info:Info Status:Status ChargerId:ChargerId.","CAD: Start Charging IOCTL Call - Id:CAD_Start_Charging_IOCTL_Call____Id MaxCurrent:MaxCurrent Info:Info Status:Status ChargerId:ChargerId.","CAD: Stop Charging IOCTL Call - Id:CAD_Stop_Charging_IOCTL_Call_____Id.","CAD: Source Change Notification - Id:CAD_Source_Change_Notification___Id SourceOnline:SourceOnline.","Class Name = ClassName.","Serialization of a script property has been skipped, because there is no runspace to use for evaluation of the property.","Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id. Server is sending data of size TargetInterface to client. DataType: Runspace_InstanceId TargetInterface: PowerShell_InstanceId.","Tracing ErrorRecord.","Tracing Job.","Runspace state changed to param1.","Runspace Id: SessionId Pipeline Id: PipelineId. WSMan reported an error with error code: ErrorCode.","CanRunTask failed. Details: CanRunTask_failed__Details.","Document DocumentDeleted.Param1, DocumentDeleted.Param2 owned by DocumentDeleted.Param3 was deleted on DocumentDeleted.Param4. 
No user action is required.","Spooling job JobDiag.JobId.","Printing job JobDiag.JobId.","Deleting job DeleteJobDiag.JobId.","Allow access to SettingName on this device setting has successfully changed from OldConsentValue to NewConsentValue by CallerProcessName.","The Diagnostic Data Value was changed from OldConsentValue to NewConsentValue by CallerProcessName.","The Tailored Experiences Value was changed from OldConsentValue to NewConsentValue by CallerProcessName.","The process 'param1' exited with exit code param2. The creation time for the exiting process was 0xparam3.","The process 'param1' was terminated by the process 'param2' with termination code param3. The creation time for the exiting process was 0xparam4.","[Sqlite][Informational] Status: SqliteInformational_Status. Message: Message.","[Sqlite][Other] Status: SqliteOther_Status. Message: Message.","WNP Keep Alive Detector stopping KA measurement.","An application resgistration was updated with the following parameters: PackageFullName [PackageFullName] AppUserModelId [AppUserModelId] AppSettings [Settings] AppType [AppType] ErrorCode [ErrorCode].","[Sqlite][Warning] Status: SqliteWarning_Status. Message: Message.","[Sqlite][Error] Status: SqliteError_Status. 
Message: Message.","(Packet(s)Drop Reason Source_Address :Number of packets:Destination_Address Source Address:Source_Port Destination Address:Destination_Port Source Port:Next_Protocol Destination Port:DropReason Next Protocol:NumberOfPackets).","ReFS failed to mount the volume.","Summary of disk space usage, since last event.","IO latency summary common data for volume.","IO latency summary.","An IO took more than File_name ms to complete.","A VolumeNameLength failed with ProcessName.","IO latency summary.","Stream Snapshot Periodic Operation Latencies (Part 1).","Stream Snapshot Periodic Operation Latencies (Part 2).","Windows cannot find the remote computer that contains the connection.","Windows cannot find the remote computer that contains the connection.","The URL you typed does not have a connection.","The URL you typed does not have a connection.","You have successfully set up the following connection.","The connection has been successfully removed.","Timestamp: Timestamp ms, heartbeats sent: ms_heartbeats_sent, data packet last sent: data_packet_last_sent ms, heartbeat last sent: ms_heartbeat_last_sent ms.","TCP socket was gracefully terminated.","The RDP display control module successfully changed the session monitor layout. New layout has NumMonitors monitors.","RPC Log Event.","Client RPC call started. InterfaceUuid: InterfaceUuid OpNum: ProcNum Protocol: Protocol NetworkAddress NetworkAddress Endpoint Endpoint Binding Options Options Authentication Level AuthenticationLevel Authentication Service AuthenticationService Impersonation Level ImpersonationLevel.","Server RPC call started. InterfaceUuid: InterfaceUuid OpNum: ProcNum Protocol: Protocol Endpoint Endpoint Authentication Level AuthenticationLevel Authentication Service AuthenticationService.","Client RPC call completed. Status: Status.","Server RPC call was completed. Status: Status.","Call failed due to RpcRaiseException. Status: Status.","RPC interface registered. 
Interface UUID InterfaceUuid TypeMgr TypeMgrUuid Flags Flags Max Calls Max Calls.","RPC interface unregistered. Interface UUID InterfaceUuid TypeMgr.","RPC Server bound to protocol. Protocol Protocol Endpoint Endpoint.","MediaCapture capture_time PhotoSequence photo available (start time: WinRTCaptureEngine, capture time: StartTime).","WebSocket Reason is receiving the close frame. Code: obj; Reason: statusCode.","pending_Winsock_requests.CompleteDelivery is pending with: outstanding read operations: data_available, pending Winsock requests: runtimeClass, data available: pendingOperations.","Server certificate thumbprint: 'contains_fatal_certificate_errors', certificate error count: certificateThumbprint, contains fatal certificate errors: intermediate_certificate_count, intermediate certificate count: errorCount.","Status - Line: functionName Status: lineNumber.","Current network cost: Internet available: Current_network_cost_Internet_available, Type: Type, Roaming: Roaming, Over data limit: Over_data_limit, Data limit [MB]: Data_limit_MB, Used [MB]: Used_MB.","Operation Remaining_bytes: Current response transfer stats: Elapsed Time [sec]: Transfer_Speed_bytessec, Remaining [bytes]: ETA_sec, Transfer Speed [bytes/sec]: OperationId, ETA [sec]: ElapsedTimeInSeconds.","Interrupt detected in ISR.","P-State change requested.","P-State change requested.","P-State change requested.","The Windows Search Service started.ExtraInfo.","The Windows Search service is creating the new search index {Reason: Reason}. ExtraInfo.","The Windows Search Service has successfully created the new search index. ExtraInfo.","Windows Search Service indexed data for user 'User' successfully removed in response to user profile deletion.","Legacy Kerberos pre-authentication failure event from Windows 2003. 
Superseded by EventID 4771 in Vista+.","The security permissions for Certificate Services changed.","Key access denied by Microsoft key distribution service.","A request was submitted to OCSP Responder Service.","The Windows Filtering Platform has blocked a packet.","A more restrictive Windows Filtering Platform filter has blocked a packet.","The FIPS mode crypto selftests succeeded.","The FIPS mode crypto selftests failed.","CheckCompliance end.","The service principal name (SPN) SPN is not registered, which caused Kerberos authentication to fail: ErrorCode. Use the setspn command-line tool to register the SPN.","The Kerberos client could not send a Kerberos proxy request.","The Kerberos client could not find a suitable credential to use with the authentication proxy.","The Kerberos client could not locate a domain controller for domain TargetDomain: ErrorCode. Kerberos authentication requires communicating with a domain controller.","Attempt to use Kerberos unconstrained delegation failed.","Attempt to export TGT session key failed.","The Kerberos client was bound to domain controller DesiredFlags for the domain CacheFlags but could not access this domain controller at the time.","A Kerberos error message was received.","Access to the a resource has been denied for a less privileged app container at FailureTime (StackHash: StackHash).","Process 'ProcessPath' (PID CallingProcessId) was blocked from creating a child process 'ChildImagePathName' with command line 'ChildCommandLine'.","Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the non-Microsoft-signed binary 'ImageName'.","Process 'Arguments' (PID Impersonating) would have been blocked from following an untrusted redirection.","Process 'Arguments' (PID Impersonating) was blocked from following an untrusted redirection.","Netlogon failed to retrieve the password for account AccountName in domain AccountDomain. Status.","Netlogon denied an RPC call. 
The policy is in enforce mode.","Netlogon allowed an RPC call that normally would have been denied. The policy is in audit mode.","Windows Defender Advanced Threat Protection Network Detection and Response executable failed to start. Failure code: HRESULT.","Windows Defender Advanced Threat Protection Network Detection and Response failed to subscribe to event id of event log channel: , with provider: . Event data will not be collected until next reboot.","Starting action ActionType. Action ID: ActionId.","Succeeded to run action ActionType. Action ID: ActionId.","Windows Defender Advanced Threat Protection Incident Response executable started.","Windows Defender Advanced Threat Protection Incident Response executable terminated. Exit code: HRESULT.","Windows Defender Advanced Threat Protection Incident Response requested registration as an AIRS client. Result code: HRESULT.","Encountered unexpected error while getting actions from AIRS server. Error code: HRESULT.","Failed to execute AIRS request. Error code: HRESULT.","Starting to upload results of action ActionType. Action ID: ActionId.","Get-WindowsFeature cmdlet started.","Get-WindowsFeature cmdlet ended, Guid: requestGuid, Components: serverComponentNames.","Component message1 has state currentRoleId.","Add-WindowsFeature cmdlet started.","Add-WindowsFeature cmdlet ended. Guid: requestGuid, Components serverComponentNames.","Windows Servicing started a process of changing package identifier(releaseType) state from initialPackageStateLoc(initialPackageState) to packageStateLoc(packageState).","Windows Servicing is setting package identifier(releaseType) state to packageStateLoc(packageState).","Windows Servicing successfully set package identifier(releaseType) state to packageStateLoc(packageState).","Update CbsUpdateChangeState.UpdateName of package CbsUpdateChangeState.PackageIdentifier failed to be turned on. Status: CbsUpdateChangeState.ErrorCode.","CloudExperienceHost App Activity started. 
Source: 'Source', Experience: 'Experience'.","CloudExperienceHost App Activity stopped. Result: 'Result'.","CloudExperienceHost App Event 1. Name: 'Name'.","CloudExperienceHost App Event 2. Name: 'Name', Value: 'Value'.","CloudExperienceHost Web App Activity started. CXID: 'CXID'.","CloudExperienceHost Web App Activity stopped. Result: 'Result'.","CloudExperienceHost Web App Event 2. Name: 'Name', Value: 'Value'.","Started execution of command 'Command'.","Finished execution of command 'Command' (PID PID).","An image asset was successfully download to the following location: value.","Telemetry SmartScreen Event.","Failed to establish a network connection.","A network connection was disconnected.","The client lost its session to the server.","The client re-established its session to the server.","The connection to the share was lost.","The connection to the share was re-established.","The LmCompatibilityLevel value is different from the default.","The SMB client failed to connect to the share.","SMB1 access.","File and printer sharing firewall rule enabled.","SRV Disabled - The SMB1 negotiate request fails due to SMB1 is disabled.","The network name information changed.","LmCompatibilityLevel value is different from the default.","Access to AttemptedPath has been restricted by your Administrator by the default software restriction policy level.","Access to AttemptedPath has been restricted by your Administrator by location with policy rule SrpRuleGuid placed on path RulePath.","Access to AttemptedPath has been restricted by your Administrator by software publisher policy.","Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.","Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.","Count invalid foreign keys detected for Entity.Field [Filename=Filename, Ids=Ids].","Count invalid foreign keys corrected for Entity.Field [Filename=Filename].","Successfully cleaned up the Storage 
Management Provider.","Successfully cleaned up Extended Storage Spaces API.","Completing a failed upper level paging read request.","Completing a failed Read SCSI SRB request.","An IO took more than Threshold_ms ms to complete for Storport Device (Port = PortNumber, Path = PathID, Target = TargetID, Lun = LUN).","User \"TaskName\" disabled Task Scheduler task \"Name\".","Task Scheduler did not launch task \"Name\" as it missed its schedule. Consider using the configuration option to start the task when available, if schedule is missed.","Task Scheduler stopped instance \"TaskName\" of task \"Name\" because computer is no longer idle.","Task Scheduler service received a time system change notification.","To help optimize for performance, Task Scheduler has automatically disabled logging. To re-enable logging, please use Event Viewer.","TCP: endpoint Endpoint (Family=AddressFamily, PID=Pid) created with status = Status.","TCP: Tcb Tcb (local=LocalAddress remote=RemoteAddress) requested to connect.","TCP: Inspect Connect has been completed on Tcb Tcb with status = Status.","TCP: Tcb Tcb is going to output SYN with ISN = ISN, RcvWnd = RcvWnd, RcvWndScale = RcvWndScale.","TCP: endpoint (sockaddr=LocalAddressLength) bound.","TCP: endpoint (sockaddr=LocalAddressLength) closed.","TCP: endpoint (Family=CompartmentId PID=Status) created.","TCP: listener (local=LocalAddress remote=RemoteAddress) accept completed. TCB = Tcb. PID = ProcessId.","TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect proceeding.","TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect completed. 
PID = ProcessId.","TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect attempt failed with status = Status.","TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) close issued.","TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort issued.","TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort completed.","TCP: connection disconnect Injected, length=Length.","TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) disconnect completed.","TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) shutdown initiated (Status). PID = ProcessId.","TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: retransmission timeout expired.","TCP: connection Tcb transition from OldState to NewState, SndNxt = SndNxt.","TCP: Connection Tcb TimerType timer started. Scheduled to expire in WaitTimeMilliseconds ms.","TCP: Connection Tcb stopping TimerType timer.","TCP: Connection Tcb TimerType timer has expired.","TCP: connection Tcb: Received data with number of bytes = NumBytes. ThSeq = SeqNo.","TCP: connection Tcb: Entered loss recovery phase with SndUna = SndUna and SndMax = SndMax.","TCP: connection Tcb: Leaving loss recovery phase with SndUna = SndUna and SndMax = SndMax.","TCP: TcpReleaseIndicationList: Nbl = NBL.","TCP: connection (local=LocalAddress remote=RemoteAddress) starting receive window auto-tuning.","TCP: connection (local=LocalAddress remote=RemoteAddress) ending receive window auto-tuning.","TCP: SWS avoidance began on connection Tcb. Timer set for TimerValue ms. 
BytesToSend = BytesToSend, SendAvailable = SendAvailable, Cwnd = Cwnd, MaxSndWnd = MaxSndWnd.","TCP: Option OptionType is going to be set for connection Tcb.","TCP: Socket Option SoOptionType is going to be set for connection Tcb.","TCP: Connection Tcb Large Send Offload, Bytes in segment = BytesInSegment and Bytes remaining = BytesRemaining.","TCP: connection Tcb, delivery Delivery, Request Request posted for NumBytes bytes, flags = RequestFlags. RcvNxt = RcvNxt.","TCP: connection Tcb delivery Delivery indicated NumBytes bytes accepted Length bytes, status = RequestStatus. RcvNxt = RcvNxt.","TCP: connection Tcb delivery Delivery satisfied NumBytes bytes Length requested. IsFullySatisfied = FullySatisfiedORDelayedPush. RcvNxt = RcvNxt.","TCP: connection Tcb send Injected NumBytes bytes at SndNxt.","TCP: connection Tcb send transmitted NumBytes bytes at SndNxt.","TCP: connection Tcb send advance NumBytes bytes at SndNxt.","TCP: connection Tcb SRTT measurement complete (tick = Tick, sample = RttSample ms, new srtt = NewSrtt ms).","TCP: connection Tcb: SRTT measurement cancelled.","UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) sending NumMessages messages and a total of NumBytes bytes. PID = Pid.","UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) delivering NumBytes bytes. PID = Pid.","TCP: connection Tcb delivery Delivery flushing NumBytes bytes Length requested status = RequestStatus.","TCP: connection Tcb delivery Delivery injecting NumBytes bytes delta Length, IsUrgentDelivery = IsUrgentDelivery.","TCP: connection Tcb delivery Delivery accepting NumBytes bytes. RcvNxt = RcvNxt.","TCP: connection Tcb delivery Delivery delivering FIN. RcvNxt = RcvNxt.","TCP: Injecting fin on TCB completed. 
TCB = Tcb, Processor = NumBytes.","TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection terminated: received RST.","TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting connect attempt, RexmitCount = RexmitCount.","TCP: connection Tcb send keep-alive at SndUna = SndUna.","TCP: endpoint/connection PortAcquirer acquired port number PortNumber.","TCP: connection PortAcquirer attempted to acquire weak reference on port number PortNumber inherited from endpoint OriginalAcquirer. Successful = WeakReference.","TCP: endpoint/connection PortAcquirer released port number PortNumber. WeakReference = WeakReference.","TCP: connection Tcb BH receive ACK for full size seq. Seq = SndUna. IsSack = IsSack.","TCP: Connection Tcb entering reassembly at RcvNxt = SndUna.","TCP: Connection Tcb leaving reassembly at RcvNxt = SndUna.","IP: Interface rundown: Index = IfIndex, Linkspeed = CurrLinkSpeed bps, PhysicalMediumType = PhysicalMediumType, IP Address = IPv4 Address IPProtocol IPv6 Address.","TCPIP: NBL Nbl fell off the receive fast path, Reason: Reason. Protocol = IPTransportProtocol, Family = AddressFamily, Number of NBLs = NblCount. SourceAddress = Source IPv4 Address IPProtocol IPv6 Source Address. DestAddress = Dest IPv4 Address IPProtocol IPv6 Dest Address.","TCPIP: NBL Nbl fell off the send fast path, Reason: Reason. Protocol = IPTransportProtocol, Family = AddressFamily, Number of NBLs = NblCount. SourceAddress = Source IPv4 Address IPProtocol IPv6 Source Address. DestAddress = Dest IPv4 Address IPProtocol IPv6 Dest Address.","TCPIP: Transport (Protocol IPTransportProtocol, AddressFamily = AddressFamily) dropped PacketCount packet(s) with Local = LocalSockAddr, Remote = RemoteSockAddr. Reason = Reason.","TCPIP: Network layer (Protocol IPTransportProtocol, AddressFamily = AddressFamily) dropped PacketCount packet(s). SourceAddress = Source IPv4 Address IPProtocol IPv6 Source Address. 
DestAddress = Dest IPv4 Address IPProtocol IPv6 Dest Address. Reason = Reason.","TCP: Connection Tcb template changed. New template=TemplateType. Context=Context.","TCP: connection Tcb: RSC SCU received. CoalescedSegCount = CoalescedSegCount, DupAckCount = DupAckCount, RscTcpTimestampDelta = RscTcpTimestampDelta, HeaderFlags = HeaderFlags, EcnCePresent = EcnCePresent.","TCP: Connection Tcb send queue is idle. Cwnd = OldCwnd, Processor = Processor, CurrentTick = CurrentTick, IdleTick = IdleTick.","RSS: Rundown: interface InterfaceIndex with adapter AdapterIndex at port PortNumber.","RSS: Rundown: adapter AdapterIndex hash info HashInfo maximum processors MaximumProcessors group GroupNumber affinity GroupAffinity active processors ActiveAffinity active mode: ActiveMode.","TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) exists. State = State. PID = Pid.","Component timer rescheduled by processor Indicating Processor for processor Target Processor at Tick = Current Tick to Tick = Next Expiration Tick, OldScheduledExpiration = Old Scheduled Expiration NewScheduledExpiration = New Scheduled Expiration DueTime = Due Time Aperiodic = Aperiodic.","Component timer fired on processor Target Processor at Tick = Current Tick, was scheduled for = Next Expiration.","IP: Neighbor with IpAddress = IP Address DlAddress = DL Address on Interface = Interface changed state from Old Neighbor State to New Neighbor State due to Event = Neighbor Event.","IP: Neighbor Event on Interface = Interface from SourceIpAddress = Source IP Address for TargetIpAddress = Target IP Address.","IP: Address pair (Preferred Source IP Address, Preferred Destination IP Address) is preferred over (Non-Preferred Source IP Address, Non-Preferred Destination IP Address) by SortOptions = Sort Option, Rule = Rule Type Rule Major.Rule Minor.","TCP: connection Tcb: Cumulative Ack event, SeqNo = SeqNo, BytesAcked = BytesAcked, CWnd = Cwnd, SndWnd =SndWnd.","TCP: connection Tcb: TCP send event, SeqNo = 
SeqNo, BytesSent = BytesSent, CWnd = Cwnd, SndWnd = SndWnd, SRtt = SRtt, RttVar = RttVar, RTO = RTO.","TCP: connection Tcb: Rtt sample recorded RttSample SRTT SRTT RttVar RttVar.","TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh DupAckCount = DupAckCount SndUna = SeqNo.","TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and ssthresh = SSThresh.","TCP: connection Tcb: Send Retransmit round with SndUna = SndUna, Round = RexmitCount, SRTT = SRTT, RTO = RTO.","IP: RouteLookup - API: API DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex ConstraintOveridden: ConstraintOverridden ReturnConstrained: ReturnConstrained OutgoingIfIndex: OutgoingInterfaceIndex NextHopAddr: NextHopAddress Status: Status.","IP: SourceAddrLookup - DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex OutgoingIfIndex: OutgoingInterfaceIndex ReturnConstrained: ReturnConstrained SelectedSrcAddr: SelectedSourceAddress.","WFP-ALE: leaving low memory state. 
HighMemoryEvent = HighMemoryEvent HighNonPagedPoolEvent = HighNonPagedPoolEvent.","WFP: Dpc for cleanup QUEUED or RE-QUEUED: LowMemoryEvent = LowMemoryEvent LowNonPagedPoolEvent = LowNonPagedPoolEvent.","TCP: Tail Loss Probe Send Connection = Tcb SndUna = SndUna, SndMax = SndMax, SendAvailable = SendAvailable, TailProbeSeq = TailProbeSeq, TailProbeLast = TailProbeLast, ControlsToSend = ControlsToSend, ThFlags = ThFlags.","TCP: Tail Loss Probe Event Connection = Tcb, Event = TlpEvent.","TCP: RACK Event Connection = Tcb, Event = RackEvent, MinRTT = RackMinRtt, ReoWind = RackReoWind, TimeSlotDeltaMin = RackTimeSlotDeltaMin, SeqNum = SequenceNumber, Timestamp = Timestamp, RttSample = RttSample.","UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) created.","UDP: endpoint Endpoint (sockaddr=LocalAddress) bound.","UDP: endpoint Endpoint (sockaddr=LocalAddress) closed.","UDP: endpoint Endpoint closed.","TCP: Early Retransmission, FACK or RACK, Connection = Tcb, SndUna = SndUna, SackIsLostSeq = SackIsLostSeq, DupAckCount = DupAckCount.","TCP: Fast Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.","TCP: SACK Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.","TCP: Limited Transmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.","TCP: SACK Retransmit Additional Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.","IPTransportProtocol: PathDirectionmessage. Type = IcmpType, Code = IcmpCode, CompartmentId = CompartmentId, SourceAddress = SourceAddress, DestAddress = DestAddress.","IPTransportProtocol: PathDirectionpath drop. 
Type = IcmpType, Code = IcmpCode, Reason = DropReason, Status = Status, CompartmentId = CompartmentId, SourceAddress = SourceAddress, DestAddress = DestAddress.","TCP: connection Tcb send complete NumBytes bytes at SndNxt (Injected).","TCP: connection : Cumulative Ack event, SeqNo = , BytesAcked = , CWnd = , SndWnd = , InRecovery = , TimeSinceLastLossMS = , CubicCwnd = , AimdCwnd = , K = , Wmax = , LastWmax = , MaxSndWnd = .","TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh DupAckCount = DupAckCount SndUna = SeqNo CwrMax = CwrMax.","IP: Route rundown. Interface = Interface, Compartment = Compartment, Prefix = DestinationPrefix/DestinationPrefixLength, NextHop = NextHopAddress, Metric = Metric, State = State, Origin = Origin, Age = Age, ValidLifetime = ValidLifetime, PreferredLifetime = PreferredLifetime, Flags = Flags.","INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = InspectType, Action = InspectAction, Status = Status.","INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = InspectType, Action = InspectPort, Status = Status.","IP: Setting source constraint for route lookup - Compartment: Compartment DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex ConstraintFlags: ConstraintFlags.","WFP-ALE: RemoteEndPoint Insertion: (local=LocalAddress remote=RemoteAddress) PartitionId=PartitionId PartitionNumEntries=NumEntries.","WFP-ALE: RemoteEndPoint Deletion: (local=LocalAddress remote=RemoteAddress) PartitionId=PartitionId PartitionNumEntries=NumEntries.","TCP: CUBIC Hystart state change event. Connection Tcb, State State, CWnd Cwnd, SSThresh = SSThresh.","IP: Transmitting loopback Nbl Nbl. 
Interface=Interface, Compartment=Compartment, Src=SourceAddress, Dst=DestinationAddress, Proto=IPTransportProtocol.","TCP: Connection Tcb Transport (Protocol IPTransportProtocol, AddressFamily = AddressFamily) sent RST with Local = LocalSockAddr, Remote = RemoteSockAddr. Reason = Reason.","TCP connection failed with Status = Status, Local = LocalSockAddr, Remote = RemoteSockAddr, ProcessId = TcpState, TcpState = ProcessId at Hour:Minute:Second Reason = Reason.","UDP: Endpoint Endpoint segment message. SegmentSize = SegmentSize (0 == No Segmentation) MessageLength = MessageLength HwDatagrams = HwDatagrams HwSegments = HwSegments SwSegments = SwSegments Status = SubMssSegments.","IP: Failed to set socket option. Level = SocketOptionLevel. Option = SocketOptionValue. Status = Status.","TCP software RSC global disabled mask = TcpRscDisabledMask, UDP software URO global disabled mask = UdpUroDisabledMask.","Framing: Interface management request. Interface: IfIndex. Address Family: AddressFamily. Request code: FlicCode. Status: NtStatus.","TCPIP: Handler for upper layer protocol IPTransportProtocol for an AddressFamily packet returned with error Status.","IP: neighbor rundown: Interface = IfIndex, Compartment = CompartmentId, IpAddress = IPAddress, DlAddress = DLAddress, State = Neighbor State, LastReachable = LastReachableInMs ms, IsUnreachable = IsUnreachable, Flags = Flags.","Endpoint Endpoint socket option set with level Level, name Name, value Value.","TCP: connection = Tcb armed RACK timer. SndUna = SndUna, SndMax = SndMax, SackedBytes = SackedBytes, LossDetected = LossDetected, InRecovery = InRecovery, DeltaTicks = DeltaTicks.","TCP: connection = Tcb received a SACK block. SndUna = SndUna, SndMax = SndMax, Ack = Ack, SLE = SLE, SRE = SRE.","TCP: connection = received a SACK. 
SndUna = , SndMax = , Ack = , SackedBytes = , LossDetected = , InRecovery = , NumSackBlocks = , DSackCount = , NewSackInfo = , RecoveryMax = .","TCP: connection = Tcb enabled send tracker.","TCP: connection = Tcb send tracker acked a transmit. AckNo = AckNo, Start = Start, End = End, Timestamp = Timestamps, EverTransmitted = EverRetransmitted, SackedBytes = SackedBytes, BytesInFlight = BytesInFlight.","TCP: connection = Tcb send tracker enqueued a transmit. Start = Start, End = End, Timestamp = Timestamps, SackedBytes = SackedBytes, BytesInFlight = BytesInFlight.","TCP: connection = Tcb send tracker marked a transmit as lost. Start = Start, End = End, Timestamp = Timestamps, EverTransmitted = EverRetransmitted, InFlightCount = InFlightCount, SackedBytes = SackedBytes, BytesInFlight = BytesInFlight.","TCP: accept redirection: original listener = OriginalListener, redirected listener = RedirectedListener, succeeded = Succeeded, redirected = Redirected, codepath = CodePath, local address = SockAddrLength, remote address = LocalSockAddr, redirected address = RemoteSockAddr.","StateTransitionName: An error was encountered when transitioning from PreviousStateName to NewStateName in response to EventName (error code Error Code).","RDP ClientActiveX has connected to the server.","Server supports SSL = TraceMessage.","Base64(SHA256(UserName)) is = TraceMessage.","The multi-transport connection has been disconnected.","The server is using version Version of the RDP graphics protocol (client mode: ClientMode, AVC available: AvcEnabled).","The client is using software memory for the frame buffer.","Remote Desktop Service start failed. The relevant status code was EventXML.Param1.","An error occurred when transitioning from StateName in response to EventName. 
(ErrorCode ErrorCode).","Session EventXML.TargetSession has been disconnected by session EventXML.Source.","Redirection of additional supported devices is disabled by policy.","Remote Desktop Services accepted a connection from IP address EventXML.Param1.","Remote Desktop Services failed to shutdown within the time allocated.","User config info will be loaded from local machine for this EventXML.Param1 connection.","WDDM graphics mode is enabled.","The \"Limit the size of the entire roaming user profile cache\" Group Policy setting has been disabled.","Connection from listener EventXML.ListenerName will have terminal class of EventXML.Class.","Redirection of additional supported devices is disabled by policy.","The system time zone was set successfully to \"Time Zone\".","Tenant IKey has been unregistered for telemetry usage.","The daily upload quota for SENSE has crossed into a new tier.","Is device on battery power: State.","The diagnostic and feedback permission level has changed.","The discovery request send operation was successful.","The discovery operation callback was successful.","The initialization of the join request was successful. Inputs.","The join request was successfully sent to server. Inputs.","The get join response operation callback was successful.","The complete join response operation was successful.","The post join tasks for the Microsoft Entra Authentication Package completed successfully.","The registration status has been successfully flushed to disk.","Unable to retrieve the local computer's name in the specified format Format. Error: ErrorCode.","Unable to connect to the LDAP server Server:Port using authentication method AuthMethod. Error: ErrorCode.","Reapply power settings upon completion of the provisioning engine's turn Turn.","Virtual disk 'VhdFileName' (no host access) has been surfaced.","Virtual disk 'VhdFileName' (no host access) has been unsurfaced.","Failed to create handle for the file backing virtual disk 'VhdFileName'. 
Status = Status.","Starting to cleanup the backing store for virtual disk 'VhdFileName'.","Finished cleaning up the backing store for virtual disk 'VhdFileName'.","Starting to flush the backing store footer for virtual disk 'VhdFileName'.","Finished flushing the backing store footer for virtual disk 'VhdFileName'.","Performing VhdMetaOps VHD for VhdFileName (target 'TargetVhdFileName').","Successfully performed VhdMetaOps VHD VhdFileName.","IO latency summary.","IO latency summary.","Activation of discovered snapshots began.","Activation of discovered snapshots completed.","A persistent snapshot was activated.","Reading of a snapshot diff area's metadata began.","Reading of a snapshot diff area's metadata completed.","The volume snapshot driver has begun processing for volume offline.","The volume snapshot driver has completed processing for volume offline.","CDE reported an L2 adapter removal.","CDE reported an NDIS adapter removal.","WebAuthN remote RPC request.","WebAuthN remote RPC response.","Possible heap corruption detected (exception code Name). Initiating further diagnostics.","Crash on launch is detected. Initiating further diagnostics.","The computer has rebooted from a bugcheck. The bugcheck was: param1. A full dump was not saved.","The computer has rebooted from a bugcheck. The bugcheck was: param1. A dump was saved in: param2. Report Id: ReportId.","The dump file at location: param1 was deleted because the disk volume had less than param2 GB free space.","The computer has rebooted from a bugcheck. Potentially related driver: SuspectedDriver.","The computer has rebooted from a bugcheck. The bugcheck was: param1. A dump was saved in: param2. 
Report Id: ReportId.","IPsec: Main Mode SA Terminated.","A connection security rule was added to IPsec settings.","A connection security rule was deleted from IPsec settings.","A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.","A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.","An authentication set has been added to IPsec settings when Windows Defender Firewall started.","An authentication set has been added to IPsec settings when Windows Defender Firewall started.","A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.","A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.","All rules have been deleted from the Windows Defender Firewall configuration on this computer.","Windows Defender Firewall has been reset to its default configuration.","The following settings were applied to the Windows Defender Firewall at startup.","The following per profile settings were applied by Windows Defender Firewall.","A rule has been listed when the Windows Defender Firewall started.","A rule has been listed when the Windows Defender Firewall started.","All rules have been deleted from the Windows Defender Firewall configuration on this computer.","Windows Defender Firewall has been reset to its default configuration.","A Windows Defender Firewall setting in the profile has changed.","A Windows Defender Firewall setting has changed.","A rule has been added to the Windows Defender Firewall exception list.","Corp Subnets Changed.","Uninstallation Failure: Windows failed to uninstall the following update with error errorCode: updatelist.","Revert Failure: Windows failed to revert the following update with error errorCode: updatelist.","Commit Failure: Windows failed to commit the following update with error errorCode: updatelist.","Begin search for configuration file using DNS: DetectFlags=DetectFlags.","Search for WPAD configuration 
file using DNS failed: DetectFlags=DetectFlags, Error=Error.","AutoProxy SWPAD Decision (WPADNetworkDecision) NumConnections (NetworkCount).","Autoproxy full scenario started.","Autoproxy full scenario stopped.","Canceling EtwQueueActionType Thread Action (Context: Context).","Queue EtwQueueActionType Thread Action (Context: Context).","Stopping EtwQueueActionType Thread Action (Context: Context).","Starting EtwQueueActionType Thread Action (Context: Context).","The WinINet request header buffer captured.","The WinINet request payload buffer captured.","The WinINet response header buffer captured.","The WinINet response payload buffer captured.","Credential Guard was started and will protect LSA credentials.","VBS Key Isolation was started and will protect VSM-isolated keys.","Deinitializing WSMan API.","Closing WSMan Session.","WSMan shell creation failed, error code errorCode.","Deinitialization of WSMan API completed successfuly.","Closing WSMan Session completed successfuly.","The WinRM protocol handler completed unloading.","The WinRM protocol operation failed due to the following error: errorMessage.","The client got a timeout from the network layer (ERROR_WINHTTP_TIMEOUT).","Authenticating the user failed. 
The credentials didn't work.","The authorization of the user failed with error errorCode.","The WinRM service is not listening for param1 requests because there was a failure binding to the URL (param2) in HTTP.SYS.","The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.SYS.","The WinRM service is not listening for HTTPS requests because there was a failure binding to the URL (param1) in HTTP.SYS.","The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.SYS.","User authentication using Basic authentication scheme failed.","Request processing failed because the WinRM service cannot load data or event source: DLL=\"param1\".","The SSL configuration for IP param1 and port param2 is shared with another service, such as Internet Information Services (IIS).","The WinRM service is unable to start because of a failure during initialization.","The WinRM service has received an unsecure HTTP connection from param1.","The WinRM service is not listening for HTTP requests because there was a failure binding to the URL (param1) in HTTP.SYS.","The WS-Management client is not listening for pushed events because there was a failure binding to the URL (param1) in HTTP.SYS.","IP Filter param1 specified in the GPO policy for Auto Configuration of listeners is invalid and it will be ignored. Due to this issue, the WinRM service cannot use the autoconfigured listener.","The IP Range param1 is invalid and it will be ignored.","The WinRM service is not listening for policy changes because there was a failure registering for changes to the contents of the WS-Management policy key.","The WinRM service encountered a catastrophic security failure. The service can no longer run under its security context.","The WinRM service cannot migrate the listener with IP address param1 and Port param2 because the IP address does not exist on the destination computer. 
This listener was ignored during migration.","The WinRM service cannot migrate the listener with Address param1 and Transport param2 because the IP address param3 does not exist on the destination computer. This listener was ignored during migration.","The WinRM service cannot migrate the listener with IP address param1 and Port param2 because the MAC address param3 does not exist on the destination computer. This listener was ignored during migration.","The WinRM service cannot migrate the listener with Address param1 and Transport param2 because the MAC address param3 does not exist on the destination machine. This listener was ignored during migration.","The WinRM service cannot migrate the listener with IP address param1, Port param2 and Transport param3. A listener that has Address=param4 and Transport=param5 configuration already exists.","The WinRM service cannot migrate the listener with Address param1 and Transport param2. A listener that has the same Address and Transport configuration already exists.","The WinRM service had a failure during migration.","The WinRM service had a failure reading the current configuration and is stopping.","The WinRM service could not use the following listener to receive WS-Management requests. The listener is enabled but the listener does not have an IP address configured.","The WinRM service had a failure (param1) reading configuration during ip address change notification.","The WSMan IIS module failed to read configuration. The error received was : %.","The WinRM service failed to create the following SPNs: spn1; spn2.","The WSMan service failed to read configuration of the following plugin.","The WinRM service failed to initialize CredSSP.","The WinRM service received an error while trying to unloading a data or event source: DLL=\"param1\".","The WinRM service is listening on the default port and on (Compatibility) port for WS-Management requests. 
port is no longer the default port for the WinRM service.","socket: EnterExit: Process Process (ProcessId), Endpoint Endpoint, Family AddressFamily, Type SocketType, Protocol Protocol, Seq Location, Status Status.","closesocket: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.","socket cleanup: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.","send: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.","recv: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.","recvfrom: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.","sendto: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.","recvfrom: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.","recvmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.","sendmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.","recvmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.","connect: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.","connect: EnterExit: Process Process, Endpoint Endpoint, Address Address, Seq Location, Status Status.","ConnectEx: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.","ConnectEx: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, 
Length BufferLength, Address Address, Seq Location, Status Status.","AcceptEx: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.","AcceptEx: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Accept Endpoint AcceptEndpoint, Current Backlog CurrentBacklog, Seq Location, Status Status.","bind: EnterExit: Process Process, Endpoint Endpoint, Address Address, Seq Location, Status Status.","connection aborted: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Reason Reason.","Socket option: EnterExit: Process Process, Endpoint Endpoint, Option Option, Value Value, Seq Location, Status Status.","Connect indication: EnterExit: Process Process, Endpoint Endpoint, Address Address, Backlog Count CurrentBacklog, Seq Location, Status Status.","Data indication: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Seq Location.","Data indication: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location.","disconnect indicated: EnterExit: Process Process, Endpoint Endpoint, Seq Location.","GetAddrInfoW is called for queryName NodeName, serviceName ServiceName, flags Flags, family Family, socketType SocketType, protocol Protocol and seq Location.","GetAddrInfoW is completed for queryName NodeName with status Status and result Result.","GetAddrInfoExW asynchronous query is pending for queryName: NodeName with cancel Handle CancelHandle.","GetAddrInfoExW is completed for queryName NodeName with status Status and result Result.","NSPLookupServiceBegin is called for provider ProviderGUID, queryName QueryName, serviceGUID ServiceGUID, interface index InterfaceIndex and control flags ControlFlags.","NSPLookupServiceBegin is completed for provider ProviderGUID, queryName QueryName serviceGUID ServiceGUID, interface index InterfaceIndex, control flags ControlFlags and lookup handle LookupHandle with status 
Status.","NSPLookupServiceNext is called for provider ProviderGUID, control Flags ControlFlags and lookup handle LookupHandle.","NSPLookupServiceNext is completed for provider ProviderGUID, control Flags ControlFlags and lookup Handle LookupHandle with status Status and result Result.","NSPLookupServiceEnd is called for provider ProviderGUID and lookup handle LookupHandle.","NSPLookupServiceEnd completed for provider ProviderGUID and lookup handle LookupHandle with status Status.","Wsa Startup. seq: Location.","Wsa Cleanup. seq: Location. Refcount: RefCount.","The following application attempted to veto the shutdown: VetoAppEvent.AppName.","The Windows Management Instrumentation service has detected an inconsistent system shutdown.","CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; Operation = Operation; ClientMachine = ClientMachine; User = User; ClientProcessId = ClientProcessId; NamespaceName = ClientProcessCreationTime.","ProviderInfo for GroupOperationId = GroupOperationId; Operation = Operation; HostID = HostId; ProviderName = ProviderName; ProviderGuid = ProviderGuid; Path = Path.","Stop OperationId = OperationId; ResultCode = ResultCode.","OperationId = OperationId; Operation = Operation; ErrorID = ErrorId; Message = Message.","CorrelationId = CorrelationId; ProcessId = ProcessId; Protocol = Protocol; Operation = Operation; User = User; Namespace = Namespace.","Performing delete operation on the WMI repository. OperationID = OperationID; Operation = Operation.","Performing Update operation on the WMI repository. 
OperationID = OperationID; Operation = Operation; Flags = Flags.","CorrelationId = CorrelationId; GroupOperationId = GroupOperationId; OperationId = OperationId; ClassName= ClassName; MethodName = MethodName; ImplementationClass = ImplementationClass; ClientMachine = ClientMachine; User = User; ClientProcessId = ClientProcessId; NamespaceName = NamespaceName.","Activity Transfer.","Windows update UpdateTitle could not be installed because of error ErrorCode \"ErrorString\" (Command line: \"CommandLine\").","The machine ComputerName successfully joined the domain DomainName.","Could not retrieve an OCSP response.","The user SPID has renamed the remote computer.","The user SPID has renamed the remote computer.","The user SPID has added a note to the remote computer.","The user SPID has added a note to the remote computer.","The user SPID has moved the remote computer to a different group.","The user SPID has moved the remote computer to a different group.","The user SPID has deleted the remote computer from the team.","The user SPID has deleted the remote computer from the team.","The user SPID has restarted the streamer on the remote computer.","The user SPID has restarted the streamer on the remote computer.","The user SPID has triggered Normal Reboot on the remote computer.","The user SPID has triggered Normal Reboot on the remote computer.","The user SPID has triggered Safe Mode Reboot on the remote computer.","The user SPID has triggered Safe Mode Reboot on the remote computer.","The user SPID has disconnected a remote session on the remote computer.","The user SPID has disconnected a remote session on the remote computer.","The user SPID has tried to wake up the remote computer SRS_Name.","The user SPID has cleared the credential for the remote computer SRS_Name.","A Splashtop remote session (Session_ID) has started from this computer by the user SPID to the device SRS_Name.","The Splashtop remote session (Session_ID) has ended. 
The remote session lasted Duration_Time.","A file was transferred during the Splashtop remote session (Session_ID).","A file was transferred during the Splashtop remote session (Session_ID).","A file was transferred during the Splashtop remote session (Session_ID).","A file was transferred during the Splashtop remote session (Session_ID).","The user SPID enabled blank Screen on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","The user SPID disabled blank Screen on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","The user SPID has triggered Normal Reboot during the Splashtop remote session (Session_ID).","The user SPID has triggered Normal Reboot during the Splashtop remote session (Session_ID).","The user SPID has triggered Safe Mode Reboot during the Splashtop remote session (Session_ID).","The user SPID has triggered Safe Mode Reboot during the Splashtop remote session (Session_ID).","The user SPID has triggered Switch user during the Splashtop remote session (Session_ID).","The user SPID has triggered Switch user during the Splashtop remote session (Session_ID).","The user SPID has triggered Reconnect as admin during the Splashtop remote session (Session_ID).","The user SPID has triggered Reconnect as admin during the Splashtop remote session (Session_ID).","The user SPID has started a session recording during the Splashtop remote session (Session_ID).","The user SPID has ended the session recording during the Splashtop remote session (Session_ID).","The user SPID has ended the session recording during the Splashtop remote session (Session_ID).","The user SPID enabled Lock Keyboard and Mouse on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","The user SPID disabled Lock Keyboard and Mouse on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","The user SPID has changed to a different session during the Splashtop remote session 
(Session_ID).","The user SPID enabled Device Redirection on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","The user SPID disabled Device Redirection on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","The user SPID enabled Remote Microphone on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","The user SPID muted Remote Microphone on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","The user SPID unmuted Remote Microphone on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","The user SPID enabled Remote Stylus on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","The user SPID disabled Remote Stylus on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","The user SPID enabled View Only mode on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","The user SPID disabled View Only mode on the remote computer SRS_Name during the Splashtop remote session (Session_ID).","Splashtop Business app has been opened.","Splashtop Business app has been closed.","A user logged in Splashtop Business app.","A user logged in Splashtop Business app.","A user logged out of Splashtop Business app.","A Splashtop remote session (Session_ID) has started to this computer by SPID from the device SRC_Name.","The Splashtop remote session (Session_ID) has ended. 
The remote session lasted Duration_Time.","A file was transferred during the Splashtop remote session (Session_ID).","A file was transferred during the Splashtop remote session (Session_ID).","A file was transferred during the Splashtop remote session (Session_ID).","A file was transferred during the Splashtop remote session (Session_ID).","The user SPID enabled blank Screen during the Splashtop remote session (Session_ID).","The user SPID disabled blank Screen during the Splashtop remote session (Session_ID).","The user SPID triggered Normal Reboot during the Splashtop remote session (Session_ID).","The user SPID triggered Safe Mode Reboot during the Splashtop remote session (Session_ID).","The user SPID enabled Lock Keyboard and Mouse during the Splashtop remote session (Session_ID).","The user SPID disabled Lock Keyboard and Mouse during the Splashtop remote session (Session_ID).","The user SPID has changed to a different session during the Splashtop remote session (Session_ID).","The user SPID enabled Device Redirection during the Splashtop remote session (Session_ID).","The user SPID disabled Device Redirection during the Splashtop remote session (Session_ID).","The user SPID enabled Remote Microphone during the Splashtop remote session (Session_ID).","Splashtop streamer has been opened.","Splashtop streamer has been closed.","The streamer was logged in.","The streamer was logged out.","This computer was added to a Splashtop team.","This computer was removed from a Splashtop team.","Splashtop streamer went online.","Splashtop streamer went offline.","A remote user has renamed the computer.","A remote user has restarted the streamer.","A remote user has triggered Normal Reboot.","A remote user has triggered Safe mode reboot.","The oldest shadow copy of volume {VolumeNameLength} was deleted to keep disk space usage for shadow copies of volume {VolumeNameLength} below the user defined 
limit.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"PowerShell command executed — PowerShell ScriptBlockLogging captures the same surface.","CreateRemoteThread API call","Named pipe event","User account added to local group","File activity (any)","File created","Image load (any)","Logon succeeded","Logon failed","Connection succeeded","Process activity (any)","Registry activity (any)","Registry key deleted","Registry value set","Registry value deleted",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"error ErrorCode: Deployment of package PackageFullName was blocked by AppLocker.",0,0,"The system catalog has been deleted.",0,0,0,"Active Directory Certificate Services denied request because . The request was for . Additional information.","Code Integrity determined an unsigned image FileNameBuffer is loaded into the system. Check with the publisher to see if a signed version of the image is available.","Windows blocked file FileNameBuffer which has been disallowed for protected processes.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"Unable to start a DCOM Server: param3 as param4/param5. 
The error.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"Changes to 'Configuration' at 'ConfigPath' have successfully been committed.",0,0,0,0,0,0,"ISATAP router address IsatapRouter was set with status ErrorCode.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"Document param1, param2 owned by param3 on param4 was printed on param5 through port param6. Size in bytes: SizeInBytes. Pages printed: PagesPrinted. No user action is required.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"The SMB client connection to the share was established.","The SMB client connection to the share was established.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"The Windows Defender Firewall service failed to load Group 
Policy.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"Defender event (any) — DeviceEvents is a catch-all; bridges only apply per-ActionType.","AMSI script detected — Defender-only; no Windows-native equivalent.","AMSI script content captured — Defender-only; no Windows-native equivalent.","Process injection detected — Defender-only; no Windows-native equivalent.","User account removed from local group","ASR audit event — Defender ASR audit; loosely maps to Defender-1121 channel events.","ASR — LSASS credential theft (audited) — Defender ASR; no native equivalent.","ASR — Office child process (audited) — Defender ASR; no native equivalent.","Antivirus report — Defender AV; loosely maps to Defender-1116/1117 detected/quarantined events.","Scheduled task created","Scheduled task deleted","Scheduled task updated","File modified — Sysmon-2 fires on FileCreateTime 
change specifically; Defender's FileModified is broader. Approximate bridge.","File deleted","File renamed — No clean Windows-native equivalent.","Image loaded","Device inventory snapshot — Inventory telemetry; no native event equivalent.","Logon activity (any)","Logon attempted (no result yet)","Network activity (any)","Connection failed","Inbound connection accepted","Listening connection created","Connection request","DNS connection inspected","DNS query / response","Device network configuration snapshot — Inventory telemetry; no native event equivalent.","Process created","Process opened (OpenProcess API call) — Sysmon-10 is ProcessAccess; Defender's OpenProcessApiCall is the closest equivalent.","Process primary token modified — No clean Windows-native equivalent.","Registry key created","TVM — secure configuration assessment","TVM — software inventory","TVM — software vulnerabilities","An error occurred while retrieving new Central Access Policies for this machine.","[conn][Connection] Send Blocked Flags: ReasonFlags.","[conn][Connection] IN: BytesRecv=BytesReceived.","[conn][Connection] CUBIC: SlowStartThreshold=SlowStartThreshold K=K WindowMax=WindowMax WindowLastMax=WindowLastMax.","[conn][Connection] Congestion event.","[conn][Connection] Recovery complete.","[conn][Connection] Rundown, IsServer=IsServer, CorrelationId=CorrelationId.","[conn][Connection] (SeqNum=SequenceNumber) New Source CID: Cid.","[conn][Connection] (SeqNum=SequenceNumber) New Destination CID: Cid.","[conn][Connection] New packet keys created successfully.","[conn][Connection] Key phase change (locally initiated=IsLocallyInitiated).","You do not have sufficient rights to be able to access the settings location template index key (or one of its subkeys) in the registry.","Unable to create the settings location template index key in the Registry.","Unable to create the settings location template index subkey for the program and template ID combination 'String1'.","Error while determining 
enabled/disabled state for template ID 'String1'.","Unable to determine which template should be used for a particular process. Settings cannot be synchronized for this process.","Error while setting enabled/disabled state for template ID 'String1'.","Error determining Microsoft account connection status with error code Ulong1.","Error Int1 occurred while retrieving the associated profile for settings template String1. Settings data will not be synchronized for this settings template.","A thread exception occurred while processing the settings package for settings location template \"WString1\". Exception Message: \"AnsiString2\" Error code: \"HRESULT1\".","Could not initialize COM while processing the settings package for settings location template \"WString1\". Error code: \"HRESULT1\".","An exception has occurred while processing the settings package for settings location template \"WString1\". Exception message: \"AnsiString2\" Error code: \"HRESULT1\".","An unknown exception has occurred while processing the settings package for settings location template \"WString1\". Exception message: \"AnsiString1\".","The initial settings package for settings location template \"stringValue1\" is invalid. The initial settings package will be replaced with a new copy.","A timeout occurred while waiting for a previous download request to complete.","A timeout occurred while waiting for a previous upload request to complete.","Error \"WString1\" occurred while rolling back the application settings from a failed attempt to apply settings to the local machine (template: \"WString2\").","Error \"WString1\" occurred while rolling back the initial package from a failed attempt to apply settings to the local machine (template \"WString2\").","Error \"WString1\" occurred while attempting to apply settings to the local machine. (template \"WString2\").","The settings directory for the settings location template Additional_error_data cannot be created. 
The error RecipeID was returned.","Enterprise STS OAuth Info response: Enterprise_STS_OAuth_Info_response.","AadCloudAPPlugin device P2P certificate update thread started.","AadCloudAPPlugin DisassembleOpaqueData Start.","Protected key error: Protected_key_error.","NGC call API returned error: Result.","Get Enterprise STS OAuth Info failure. Status: Status Correlation ID: CorrelationID.","Enterprise STS Refresh token failure. Status: Status Correlation ID: CorrelationID.","FilePathBuffer was allowed to run.","FilePathBuffer was allowed to run.","FilePathBuffer was allowed to run but would have been prevented from running if the AppLocker policy were enforced.","FilePath was prevented from running due to Config CI policy.","CLSID was prevented from running due to Config CI policy.","Package family name Version version GUID was allowed to install or update but would have been prevented if the Config CI policy (Name:PackageFamilyName ID:PolicyNameLength Version:PolicyName GUID:PolicyIDLength) were enforced. Status PolicyID.","Package family name Version version GUID was prevented from installing or updating due to Config CI policy (Name:PackageFamilyName ID:PolicyNameLength Version:PolicyName GUID:PolicyIDLength). Status PolicyID.","error errorCode: App manifest validation error: Line lineNumber, Column columnNumber, Reason: Attribute \"attributeName\" value \"attributeValue\" on element \"elementName\" must not contain a file having disallowed extensions such as disallowedFileExtensions.","Failed extract of third-party root list from auto update cab at: <1> with error: 2.","A certificate is about to expire. Please refer to the \"Details\" section for more information.","Windows was unable to update the boot catalog cache file. Status Status.","Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the security requirements for RequirementType. 
However, due to system policy, the image was allowed to load.","Code Integrity was unable to verify a page for a module verified using hypervisor enforcement. Status Status.","Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity policy.","Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity policy.","Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the signing requirements for Isolated User Mode.","Code Integrity testing module FileName against policy PolicyName. Status StatusCode.","Code Integrity testing module FileName against policy PolicyName. Status StatusCode.","Code Integrity testing module FileName against policy PolicyName. Status StatusCode.","Code Integrity policy PolicyGUID PolicyNameBuffer is set to unrefreshable. id PolicyIdBuffer. Status: Status.","No change in active Code Integrity policy PolicyGUID PolicyNameBuffer after refresh. id PolicyIdBuffer. Status Status.","Not allowed to refresh Code Integrity policy PolicyGUID PolicyNameBuffer. id PolicyIdBuffer. Status Status.","Code Integrity failed to switch from FromMode mode to ToMode mode with error code Status.","Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the security requirements for RequirementType. However, due to system policy, the image was allowed to load.","Code Integrity testing module FileName against policy PolicyName. Status StatusCode.","Code Integrity testing module FileName against policy PolicyName. 
Status StatusCode.","The application-specific permission settings do not grant param1 access permission to the COM Server application param2 with APPID.","Device Association Service read ceremony data has started (provider inclusive).","Updated a blocking record. Record: (Message1). Uri: (Message2).","Attempted to save existing GP Value. GP Location: (Message1), GP ValueName: (Message2), Result: (HRESULT). Failures are expected if this location isn't set.","Enrollment Status Tracking: Status of resource is unknown. Resource Area: (Message1) Resource Name: (Message2) Resource Type: (Message3).","The failover state of server: Server for failover relationship: RelationName changed from: OldState to NewState.","The failover state of server: Server for failover relationship: RelationName changed from: OldState to NewState.","The server detected that it is out of time synchronization with partner server: Server for failover relationship: RelationName. The time is out of sync by: time seconds .","Server has established contact with failover partner server Server for relationship RelationName .","Server has lost contact with failover partner server Server for relationship RelationName .","Failover protocol message BINDING-UPDATE from server Server for failover relationship RelationName was rejected because message digest failed to compare.","Failover protocol message BINDING-UPDATE from server Server for failover relationship RelationName was rejected because message digest was not configured.","Failover protocol message BINDING-UPDATE from server Server for failover relationship RelationName is rejected because message digest was not present.","The failover state of server: Server for failover relationship: RelationName changed to : NewState.","The failover state of server: Server for failover relationship: RelationName changed to: NewState.","Failover protocol message BINDING-ACK from server Server for failover relationship RelationName was rejected because message 
digest failed to compare.","Failover protocol message BINDING-ACK from server Server for failover relationship RelationName was rejected because message digest was not configured.","Failover protocol message BINDING-ACK from server Server for failover relationship RelationName is rejected because message digest was not present.","Failover protocol message CONNECT from server Server for failover relationship RelationName was rejected because message digest failed to compare.","Failover protocol message CONNECT from server Server for failover relationship RelationName was rejected because message digest was not configured.","Failover protocol message CONNECT from server Server for failover relationship RelationName is rejected because message digest was not present.","Failover protocol message CONNECTACK from server Server for failover relationship RelationName was rejected because message digest failed to compare.","Failover protocol message CONNECTACK from server Server for failover relationship RelationName was rejected because message digest was not configured.","Failover protocol message CONNECTACK from server Server for failover relationship RelationName is rejected because message digest was not present.","Failover protocol message UPDREQALL from server Server for failover relationship RelationName was rejected because message digest failed to compare.","Failover protocol message UPDREQALL from server Server for failover relationship RelationName was rejected because message digest was not configured.","Failover protocol message UPDREQALL from server Server for failover relationship RelationName is rejected because message digest was not present.","Failover protocol message UPDDONE from server Server for failover relationship RelationName was rejected because message digest failed to compare.","Failover protocol message UPDDONE from server Server for failover relationship RelationName was rejected because message digest was not configured.","Failover protocol 
message UPDDONE from server Server for failover relationship RelationName is rejected because message digest was not present.","Failover protocol message UPDREQ from server Server for failover relationship RelationName was rejected because message digest failed to compare.","Failover protocol message UPDREQ from server Server for failover relationship RelationName was rejected because message digest was not configured.","Failover protocol message UPDREQ from server Server for failover relationship RelationName is rejected because message digest was not present.","Failover protocol message STATE from server Server for failover relationship RelationName was rejected because message digest failed to compare.","Failover protocol message STATE from server Server for failover relationship RelationName was rejected because message digest was not configured.","Failover protocol message STATE from server Server for failover relationship RelationName is rejected because message digest was not present.","Failover protocol message CONTACT from server Server for failover relationship RelationName was rejected because message digest failed to compare.","Failover protocol message CONTACT from server Server for failover relationship RelationName was rejected because message digest was not configured.","Failover protocol message CONTACT from server Server for failover relationship RelationName is rejected because message digest was not present.","BINDING UPDATE message for IP address IpAddress could not be replicated to the partner server ServerName of failover relation RelationName as the internal BINDING UPDATE queue is full.","A BINDING-ACK message with transaction id: TransactionId was sent for IP address: IPAddress with reject reason: (BndStatus) to partner server: PartnerServer for failover relationship: RelationName.","A BINDING-ACK message with transaction id: TransactionId was received for IP address: IPAddress with reject reason: (BndStatus ) from partner server: 
PartnerServer for failover relationship: RelationName.","Scope: for IPv4 is Configured by .","Scope: for IPv4 is Modified by .","Scope: for IPv4 is Deleted by .","Scope: for IPv4 is Activated by .","Scope: for IPv4 is DeActivated by .","Scope: for IPv4 is Updated with Lease Duration: seconds by . The previous configured Lease Duration was: seconds.","Scope: for IPv4 is Updated with Option Settings: by.","Scope: for IPv4 is Enabled for DNS Dynamic updates by .","Scope: for IPv4 is Disabled for DNS Dynamic updates by .","Scope: for IPv4 is Updated with DNS Settings by : to dynamically update DNS A and PTR records on request by the DHCP Clients .","Scope: for IPv4 is Updated with DNS Settings by : to always dynamically update DNS A and PTR records.","Scope: for IPv4 is Enabled for DNS Settings by : to discard DNS A and PTR records when lease is deleted.","Scope: for IPv4 is Disabled for DNS Settings by : to discard DNS A and PTR records when lease is deleted.","Scope: for IPv4 is Enabled for DNS Settings by : to dynamically update DNS A and PTR records for DHCP Clients that do not request updates.","Scope: for IPv4 is Disabled for DNS Settings by : to dynamically update DNS A and PTR records for DHCP Clients that do not request updates.","Policy based assignment has been disabled for scope .","Policy based assignment has been enabled for scope .","Name Protection setting is Enabled on Scope: for IPv4 by .","Name Protection setting is Disabled on Scope: for IPv4 by .","Scope: for IPv4 is Updated with support type: by . The previous configured state was: .","NAP Enforcement is Enabled on Scope: for IPv4 by .","NAP Enforcement is Disabled on Scope: for IPv4 by .","NAP Profile is configured on Scope: for IPv4 with the following NAP Profile: by .","NAP Profile is Updated on Scope: for IPv4 with the following NAP Profile: by . 
The previous configured NAP Profile was: .","The following NAP Profile: is deleted on Scope: by .","Scope: for Multicast IPv4 is Configured by .","Scope: for Multicast IPv4 is Deleted by .","SuperScope: for IPv4 is Configured by .","SuperScope: for IPv4 is Deleted by .","Scope: within SuperScope: for IPv4 is Activated by .","Scope: within SuperScope: for IPv4 is DeActivated by .","Scope: for IPv4 is Removed in Superscope: by . However, the Scope exists outside the Superscope.","Scope: for IPv4 is Deleted in Superscope: as well as Deleted permanently by .","Server level option for IPv4 has been updated by .","Reservation: for IPv4 is Configured under Scope by .","Reservation: for IPv4 is Deleted under Scope by .","Reservation: for IPv4 under Scope: is Enabled for DNS Dynamic updates by .","Reservation: for IPv4 under Scope: is Disabled for DNS Dynamic updates by .","Reservation: for IPv4 under Scope: is Updated with DNS Settings by : to dynamically update DNS A and PTR records on request by the DHCP Clients.","Reservation: for IPv4 under Scope: is Updated with DNS Settings by : to always dynamically update DNS A and PTR records.","Reservation: for IPv4 under Scope: is Enabled for DNS Settings by : to discard DNS A and PTR records when lease is deleted.","Reservation: for IPv4 under Scope: is Disabled for DNS Settings by : to discard DNS A and PTR records when lease is deleted.","Reservation: for IPv4 under Scope: is Enabled for DNS Settings by : to dynamically update DNS A and PTR records for DHCP Clients that do not request updates.","Reservation: for IPv4 under Scope: is Disabled for DNS Settings by : to dynamically update DNS A and PTR records for DHCP Clients that do not request updates.","Reservation: for IPv4 under Scope: is Updated with Option Setting: by .","Policy based assignment has been disabled at server level.","Policy based assignment has been enabled at server level.","Added exclusion IP Address range in the Address Pool for IPv4 under Scope: by 
.","Deleted exclusion IP Address range in the Address Pool for IPv4 under Scope: by .","Link Layer based filtering is Enabled in the Allow List of the IPv4 by.","Link Layer based filtering is Disabled in the Allow List of the IPv4 by.","Filter for physical address: , hardware type: added to the IPv4 Allow List by .","Filter for physical address: , hardware type: removed from the IPv4 Allow List by .","Link Layer based filtering is Enabled in the Deny List of the IPv4 by.","Link Layer based filtering is Disabled in the Deny List of the IPv4 by.","Filter for physical address: , hardware type: added to the IPv4 Deny List by .","Filter for physical address: , hardware type: removed from the IPv4 Deny List by .","Scope: for IPv6 is Deleted by .","Scope: for IPv6 is Activated by .","Scope: for IPv6 is DeActivated by .","Scope: for IPv6 is Updated with Lease Preferred Lifetime: by . The previous configured Lease Preferred Lifetime was: .","Scope: for IPv6 is Updated with Lease Valid Lifetime: by . 
The previous configured Lease Valid Lifetime was: .","Scope: for IPv6 is Updated with Option Setting: by .","Scope: for IPv6 is Enabled for DNS Dynamic updates by .","Scope: for IPv6 is Disabled for DNS Dynamic updates by .","Scope: for IPv6 is Updated with DNS Settings by : to dynamically update DNS AAAA and PTR records on request by the DHCP Clients.","Scope: for IPv6 is Updated with DNS Settings by : to always dynamically update DNS AAAA and PTR records.","Scope: for IPv6 is Enabled for DNS Settings by : to discard DNS AAAA and PTR records when lease is deleted.","Scope: for IPv6 is Disabled for DNS Settings by : to discard DNS AAAA and PTR records when lease is deleted.","Name Protection setting is Enabled on Scope: for IPv6 by .","Name Protection setting is Disabled on Scope: for IPv6 by .","Reservation: for IPv6 is Configured under Scope by .","Reservation: for IPv6 is Deleted under Scope by .","Reservation: for IPv6 under Scope: is Enabled for DNS Dynamic updates by .","Reservation: for IPv6 under Scope: is Disabled for DNS Dynamic updates by .","Reservation: for IPv6 under Scope: is Updated with DNS Settings by : to dynamically update DNS AAAA and PTR records on request by the DHCP Clients.","Reservation: for IPv6 under Scope: is Updated with DNS Settings by : to always dynamically update DNS AAAA and PTR records.","Reservation: for IPv6 under Scope: is Enabled for DNS Settings by : to discard DNS AAAA and PTR records when lease is deleted.","Reservation: for IPv6 under Scope: is Disabled for DNS Settings by : to discard DNS AAAA and PTR records when lease is deleted.","Reservation: for IPv6 under Scope: is Updated with Option Setting: by .","Added exclusion IP Address range in the Address Pool for IPv6 under Scope: by .","Deleted exclusion IP Address range in the Address Pool for IPv6 under Scope: by .","Scope: for IPv6 is Modified by .","DHCPv6 Stateless client inventory has been enabled for the scope .","DHCPv6 Stateless client inventory has been 
disabled for the scope .","DHCPv6 Stateless client inventory has been enabled for the server.","DHCPv6 Stateless client inventory has been disabled for the server.","Purge time interval for DHCPv6 stateless client inventory for scope has been set to hours.","Purge time interval for DHCPv6 stateless client inventory for server has been set to hours.","Scope: for IPv4 is Disabled for DNS Settings by : to disable dynamic updates for DNS PTR records.","Server level option for IPv6 has been updated by .","The DHCP service received the unknown option , with a length of . The raw option data is given below.","The DHCP service failed to register with Service Controller. The following error occurred.","The DHCP service failed to initialize its global parameters. The following error occurred.","The DHCP service failed to initialize its registry parameters. The following error occurred.","The DHCP service failed to initialize the database. The following error occurred.","The DHCP service failed to initialize Winsock startup. The following error occurred.","The DHCP service failed to start as a RPC server. The following error occurred.","The DHCP service failed to initialize Winsock data. The following error occurred.","The DHCP service is shutting down due to the following error.","The DHCP service encountered the following error while cleaning up the pending client records.","The DHCP service encountered the following error while cleaning up the database.","The DHCP service issued a NACK (negative acknowledgement message) to the client, , for the address, .","The DHCP client, , declined the address .","The DHCP Client, , released the address .","The DHCP service encountered the following error when backing up the database.","The DHCP service encountered the following error when backing up the registry configuration.","The DHCP service failed to restore the database. The following error occurred.","The DHCP service failed to restore the DHCP registry configuration. 
The following error occurred.","Scope, , is percent full with only IP addresses remaining.","The DHCP service could not load the JET database library successfully.","The DHCP service has initialized and is ready.","The DHCP service was unable to read the BOOTP file table from the registry. The DHCP service will be unable to respond to BOOTP requests that specify the boot file name.","The DHCP service was unable to read the global BOOTP file name from the registry.","The audit log file cannot be appended.","The DHCP service failed to initialize the audit log. The following error occurred.","The DHCP service was unable to ping for a new IP address. The address was leased to the client.","The audit log file could not be backed up. The following error occurred.","The DHCP service was unable to create or lookup the DHCP Users local group on this computer. The error code is in the data.","The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer. The error code is in the data.","The DHCP service has started to clean up the database.","The DHCP service has cleaned up the database for unicast IP addresses -- leases have been recovered and records have been removed from the database.","The DHCP service has cleaned up the database for multicast IP addresses -- leases have expired (been marked for deletion) and records have been removed from the database.","The DHCP service successfully restored the database.","The DHCP service is not servicing any DHCPv4 clients because none of the active network interfaces have statically configured IPv4 addresses, or there are no active interfaces.","The DHCP/BINL service on the local machine has determined that it is authorized to start. It is servicing clients now.","The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain , has determined that it is authorized to start. 
It is servicing clients now.","The DHCP/BINL service on the local machine has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this.","The DHCP/BINL service on the local machine has determined that it is authorized to start. It is servicing clients now.","The DHCP/BINL service on the local machine encountered an error while trying to find the domain of the local machine. The error was: .","The DHCP/BINL service on the local machine encountered a network error. The error was: .","The DHCP/BINL service on this workgroup server has encountered another server with IP Address, , belonging to the domain .","The DHCP/BINL service has encountered another server on this network with IP Address, , belonging to the domain: .","The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons.","The DHCP service was unable to impersonate the credentials necessary for DNS registrations.","The DHCP service was unable to convert the temporary database to ESE format.","The DHCP service failed to initialize its configuration parameters. The following error occurred.","The DHCP service failed to see a directory server for authorization.","The DHCP service was unable to access path specified for the audit log.","The DHCP service was unable to access path specified for the database backups.","The DHCP service was unable to access path specified for the database.","There are no IP addresses available for lease in the scope or superscope \"%1\".","There are no IP addresses available for BOOTP clients in the scope or superscope \"%1\".","There were some orphaned entries deleted in the configuration due to the deletion of a class or an option definition. Please recheck the server configuration.","This computer has at least one dynamically assigned IP address. 
For reliable DHCP Server operation, you should use only static IP addresses.","The number pending DHCPOFFER messages for delayed transmission to the client is now below the server's capacity of 1000. The DHCP server will now resume processing all DHCPDISCOVER messages.","The DNS registration for DHCPv4 Client IP address , FQDN and DHCID has been denied as there is probably an existing client with same FQDN already registered with DNS.","There are no IP addresses available for lease in IP address range(s) of the policy in scope .","IP address range of scope is out of IP addresses.","Ip address range(s) for the scope policy is percent full with only IP addresses available .","The DNS IP Address is not a valid DNS Server Address.","IP address range of scope is percent full with only IP addresses available.","SuperScope, , is percent full with only IP addresses remaining. This superscope has the following scopes.","DHCPv6 confirmation has been declined because the address was not appropriate to the link or DHCPv6 renew request has a Zero lifetime for Client Address .","Renew, rebind or confirm received for IPv6 addresses for which there are no active lease available.","DHCPv6 service received the unknown option , with a length of . 
The raw option data is given below.","There are no IPv6 addresses available to lease in the scope serving the network with Prefix .","The DHCPv6 client, , declined the address .","DHCPv6 Scope serving the network with prefix , is percent full with only IP addresses remaining.","A DHCPV6 client has been deleted from DHCPV6 database.","A DHCPV6 message that was in the queue for more than 30 seconds has been dropped because it is too old to process.","An invalid DHCPV6 message has been dropped.","A DHCPV6 message that was not meant for this server has been dropped.","DHCV6 message has been dropped because it was received on a Uni-cast address and unicast support is disabled on the server.","DHCPV6 audit log file cannot be appended, Error Code returned .","A DHCPV6 message has been dropped because the server is not authorized to process the message.","The DHCPv6 service failed to initialize the audit log. The following error occurred.","DHCPv6 audit log file could not be backed up. Error code.","AThe DHCPv6 service was unable to access path specified for the audit log.","The DHCPv6 service failed to initialize Winsock startup. The following error occurred .","The DHCPv6 Server failed to receive a notification of interface list changes. Some of the interfaces will not be enabled in the DHCPv6 service.","The DHCPv6 service failed to initialize its configuration parameters. The following error occurred.","This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.","DHCPv6 service failed to initialize the database. The following error occurred.","The DHCPv6 service has initialized and is ready to serve.","DHCPv6 Server is unable to bind to UDP port number as it is used by another application. 
This port must be made available to DHCPv6 Server to start servicing the clients.","ERROR_LAST_DHCPV6_SERVER_ERROR.","The DNS registration for DHCPv6 Client IPv6 address , FQDN and DHCID has been denied as there is probably an existing client with same FQDN already registered with DNS.","The DHCP Server failed to receive a notification of interface list changes. Some of the interfaces will not be enabled in the DHCP service.","Scavenger started.","Scavenger ended.","DHCP Server is unable to bind to UDP port number as it is used by another application. This port must be made available to DHCP Server to start servicing the clients.","DHCP Services were denied to machine with hardware address , hardware type and FQDN/Hostname because it matched entry in the Deny List.","DHCP Services were denied to machine with hardware address , hardware type and FQDN/Hostname because it did not match any entry in the Allow List.","No DHCP clients are being served, as the Allow list is empty and the server was configured to provide DHCP services, to clients whose hardware addresses are present in the Allow List.","DHCP Services were denied to machine with hardware address , hardware type and unspecified FQDN/Hostname because it matched entry in the Deny List.","DHCP Services were denied to machine with hardware address , hardware type and unspecified FQDN/Hostname because it did not match any entry in the Allow List.","Address allocation triggered for the failover relationship .","Scavenger finished purging stateless entries.","The total leases deleted in scavenger are.","Scope which was part of failover relationship was not found in DHCP server database. Please restore the DHCP server database.","Policy for server is .","Policy for scope is .","The conditions for server policy have been set to . The conditions are grouped by logical operator .","The conditions for scope policy have been set to . 
The conditions are grouped by logical operator .","Policy was deleted from server.","Policy was deleted from scope .","The IP address range from was set for the scope policy .","The IP address range from was removed from the scope policy .","The value was set for the option for the server policy .","The value was set for the option for the scope policy .","The value was removed from the option for the server policy .","The value was removed from the option for the scope policy .","Server policy has been renamed to .","Scope policy has been renamed to .","Description of server policy was set to .","Description of scope policy was set to .","Processing order of server policy was changed to from .","Processing order of scope policy was changed to from .","Failover relationship between and has been deleted.","Scope has been added to the failover relationship with server .","Scope has been removed from the failover relationship with server .","The failover configuration parameter MCLT for failover relationship with server has been changed from seconds to seconds.","The failover configuration parameter auto switch over interval for failover relationship with server has been changed from seconds to seconds.","The failover configuration parameter reserve address percentage for failover relationship with server has been changed from to .","The failover configuration parameter load balance percentage for failover relationship with server has been changed from to on this server.","The failover configuration parameter mode for failover relationship with server has been changed from hot standby to load balance.","The failover configuration parameter mode for failover relationship with server has been changed from load balance to hot standby.","The failover state of server: for failover relationship: changed from: to .","The failover state of server: for failover relationship: changed from: to .","The server detected that it is out of time synchronization with partner server: 
for failover relationship: . The time is out of sync by: seconds .","Server has established contact with failover partner server for relationship .","Server has lost contact with failover partner server for relationship .","Failover protocol message BINDING-UPDATE from server for failover relationship was rejected because message digest failed to compare.","Failover protocol message BINDING-UPDATE from server for failover relationship was rejected because message digest was not configured.","Failover protocol message BINDING-UPDATE from server for failover relationship is rejected because message digest was not present.","The failover state of server: for failover relationship: changed to : .","The failover state of server: for failover relationship: changed to: .","Failover protocol message BINDING-ACK from server for failover relationship was rejected because message digest failed to compare.","Failover protocol message BINDING-ACK from server for failover relationship was rejected because message digest was not configured.","Failover protocol message BINDING-ACK from server for failover relationship is rejected because message digest was not present.","Failover protocol message CONNECT from server for failover relationship was rejected because message digest failed to compare.","Failover protocol message CONNECT from server for failover relationship was rejected because message digest was not configured.","Failover protocol message CONNECT from server for failover relationship is rejected because message digest was not present.","Failover protocol message CONNECTACK from server for failover relationship was rejected because message digest failed to compare.","Failover protocol message CONNECTACK from server for failover relationship was rejected because message digest was not configured.","Failover protocol message CONNECTACK from server for failover relationship is rejected because message digest was not present.","Failover protocol message UPDREQALL from 
server for failover relationship was rejected because message digest failed to compare.","Failover protocol message UPDREQALL from server for failover relationship was rejected because message digest was not configured.","Failover protocol message UPDREQALL from server for failover relationship is rejected because message digest was not present.","Failover protocol message UPDDONE from server for failover relationship was rejected because message digest failed to compare.","Failover protocol message UPDDONE from server for failover relationship was rejected because message digest was not configured.","Failover protocol message UPDDONE from server for failover relationship is rejected because message digest was not present.","Failover protocol message UPDREQ from server for failover relationship was rejected because message digest failed to compare.","Failover protocol message UPDREQ from server for failover relationship was rejected because message digest was not configured.","Failover protocol message UPDREQ from server for failover relationship is rejected because message digest was not present.","Failover protocol message STATE from server for failover relationship was rejected because message digest failed to compare.","Failover protocol message STATE from server for failover relationship was rejected because message digest was not configured.","Failover protocol message STATE from server for failover relationship is rejected because message digest was not present.","Failover protocol message CONTACT from server for failover relationship was rejected because message digest failed to compare.","Failover protocol message CONTACT from server for failover relationship was rejected because message digest was not configured.","Failover protocol message CONTACT from server for failover relationship is rejected because message digest was not present.","BINDING UPDATE message for IP address could not be replicated to the partner server of failover relation as the 
internal BINDING UPDATE queue is full.","A BINDING-UPDATE message with transaction id: was sent for IP address: with binding status: to partner server: for failover relationship: .","A BINDING-UPDATE message with transaction id: was received for IP address: with binding status: from partner server: for failover relationship: .","A BINDING-ACK message with transaction id: was sent for IP address: with reject reason: () to partner server: for failover relationship: .","A BINDING-ACK message with transaction id: was received for IP address: with reject reason: ( ) from partner server: for failover relationship: .","A UPDREQ message with transaction id: was sent to partner server: for failover relationship: .","A UPDREQ message with transaction id: was received from partner server: for failover relationship.","A UPDDONE message with transaction id: was sent to partner server: for failover relationship: .","A UPDDONE message with transaction id: was received from partner server: for failover relationship: .","A UPDREQALL message with transaction id: was sent to partner server: for failover relationship.","A UPDREQALL message with transaction id: was received from partner server: for failover relationship.","A CONTACT message with transaction id: was sent to partner server: for failover relationship: .","A CONTACT message with transaction id: was received from partner server: for failover relationship: .","A CONNECT message with transaction id: was sent to partner server: for failover relationship: .","A CONNECT message with transaction id: was received from partner server: for failover relationship: .","A STATE message with transaction id: was sent to partner server : for failover relationship with state: and start time of state: .","A STATE message with transaction id: was received from partner server : for failover relationship with state: and start time of state .","A CONNECTACK message with transaction id was sent to partner server : for failover relationship: .","A 
CONNECTACK message with transaction id was received from partner server : for failover relationship: .","A BINDING-ACK message with transaction id: was sent for IP address: to partner server: for failover relationship: .","A BINDING-ACK message with transaction id: was received for IP address: from partner server: for failover relationship: .","A CONNECTACK message with transaction id was sent to partner server : for failover relationship: with reject reason: .","A CONNECTACK message with transaction id was received from partner server : for failover relationship: with reject reason: .","The shared secret for failover relationship with server has been changed.","Message authentication for failover relationship with server has been enabled.","Message authentication for failover relationship with server has been disabled.","DNSSuffix of scope policy was set to .","DNSSuffix of server policy was set to .","A BINDING-UPDATE message with transaction id: TransactionId was sent for IP address: IPAddress with binding status: BndStatus to partner server: PartnerServer for failover relationship: RelationName.","A BINDING-UPDATE message with transaction id: TransactionId was received for IP address: IPAddress with binding status: BndStatus from partner server: PartnerServer for failover relationship: RelationName.","A UPDREQ message with transaction id: TransactionId was sent to partner server: PartnerServer for failover relationship: RelationName.","A UPDREQ message with transaction id: TransactionId was received from partner server: PartnerServer for failover relationship: RelationName.","A UPDDONE message with transaction id: TransactionId was sent to partner server: PartnerServer for failover relationship: RelationName.","A UPDDONE message with transaction id: TransactionId was received from partner server: PartnerServer for failover relationship: RelationName.","A UPDREQALL message with transaction id: TransactionId was sent to partner server: PartnerServer for failover 
relationship: RelationName.","A UPDREQALL message with transaction id: TransactionId was received from partner server: PartnerServer for failover relationship: RelationName.","A CONTACT message with transaction id: TransactionId was sent to partner server: PartnerServer for failover relationship: RelationName.","A CONTACT message with transaction id: TransactionId was received from partner server: PartnerServer for failover relationship: RelationName.","A CONNECT message with transaction id: TransactionId was sent to partner server: PartnerServer for failover relationship: RelationName.","A CONNECT message with transaction id: TransactionId was received from partner server: PartnerServer for failover relationship: RelationName.","A STATE message with transaction id: TransactionId was sent to partner server : PartnerServer for failover relationship RelationName with state: state and start time of state: startTimeOfState.","A STATE message with transaction id: TransactionId was received from partner server : PartnerServer for failover relationship RelationName with state: state and start time of state startTimeOfState.","A CONNECTACK message with transaction id TransactionId was sent to partner server : PartnerServer for failover relationship: RelationName.","A CONNECTACK message with transaction id TransactionId was received from partner server : PartnerServer for failover relationship: RelationName.","A BINDING-ACK message with transaction id: TransactionId was sent for IP address: IPAddress to partner server: PartnerServer for failover relationship: RelationName.","A BINDING-ACK message with transaction id: TransactionId was received for IP address: IPAddress from partner server: PartnerServer for failover relationship: RelationName.","A CONNECTACK message with transaction id TransactionId was sent to partner server : PartnerServer for failover relationship: RelationName with reject reason: state.","A CONNECTACK message with transaction id TransactionId was 
received from partner server : PartnerServer for failover relationship: RelationName with reject reason: state.","DHCP Services were denied to machine with hardware address MACAddress, hardware type HWType and FQDN/Hostname HostName because it matched entry DenyFilter in the Deny List.","DHCP Services were denied to machine with hardware address MACAddress, hardware type HWType and FQDN/Hostname HostName because it did not match any entry in the Allow List.","DHCP Services were denied to machine with hardware address MACAddress, hardware type HWType and unspecified FQDN/HostnameHostName because it matched entry DenyFilter in the Deny List.","DHCP Services were denied to machine with hardware address MACAddress, hardware type HWType and unspecified FQDN/HostnameHostName because it did not match any entry in the Allow List.","Scope: IP_ScopeName for IPv4 is Configured by ClientName.","Scope: IP_ScopeName for IPv4 is Modified by ClientName.","Scope: IP_ScopeName for IPv4 is Deleted by ClientName.","Scope: IP_ScopeName for IPv4 is Activated by ClientName.","Scope: IP_ScopeName for IPv4 is DeActivated by ClientName.","Scope: IP_ScopeName for IPv4 is Updated with Lease Duration: ModifiedDuration seconds by ClientName. 
The previous configured Lease Duration was: OriginalDuration seconds.","Scope: IP_ScopeName for IPv4 is Updated with Option Settings: OptionName by ClientName.","Scope: IP_ScopeName for IPv4 is Enabled for DNS Dynamic updates by ClientName.","Scope: IP_ScopeName for IPv4 is Disabled for DNS Dynamic updates by ClientName.","Scope: IP_ScopeName for IPv4 is Updated with DNS Settings by ClientName: to dynamically update DNS A and PTR records on request by the DHCP Clients .","Scope: IP_ScopeName for IPv4 is Updated with DNS Settings by ClientName: to always dynamically update DNS A and PTR records.","Scope: IP_ScopeName for IPv4 is Enabled for DNS Settings by ClientName: to discard DNS A and PTR records when lease is deleted.","Scope: IP_ScopeName for IPv4 is Disabled for DNS Settings by ClientName: to discard DNS A and PTR records when lease is deleted.","Scope: IP_ScopeName for IPv4 is Enabled for DNS Settings by ClientName: to dynamically update DNS A and PTR records for DHCP Clients that do not request updates.","Scope: IP_ScopeName for IPv4 is Disabled for DNS Settings by ClientName: to dynamically update DNS A and PTR records for DHCP Clients that do not request updates.","Policy based assignment has been disabled for scope IP_ScopeName.","Policy based assignment has been enabled for scope IP_ScopeName.","Name Protection setting is Enabled on Scope: IP_Name for IPv4 by ClientName.","Name Protection setting is Disabled on Scope: IP_Name for IPv4 by ClientName.","Scope: IP_Name for IPv4 is Updated with support type: ModifiedSupportType by ClientName. 
The previous configured state was: OriginalSupportType.","NAP Enforcement is Enabled on Scope: IP_ScopeName for IPv4 by ClientName.","NAP Enforcement is Disabled on Scope: IP_ScopeName for IPv4 by ClientName.","NAP Profile is configured on Scope: IP_ScopeName for IPv4 with the following NAP Profile: NAP_ProfileName by ClientName.","NAP Profile is Updated on Scope: IP_ScopeName for IPv4 with the following NAP Profile: NAP_ModifiedProfileName by ClientName. The previous configured NAP Profile was: NAP_OriginalProfileName.","The following NAP Profile: IP_ScopeName is deleted on Scope: NAP_ProfileName by ClientName.","Scope: IP_MulticastScopeName for Multicast IPv4 is Configured by ClientName.","Scope: IP_MulticastScopeName for Multicast IPv4 is Deleted by ClientName.","SuperScope: IP_MulticastScopeName for IPv4 is Configured by ClientName.","SuperScope: IP_MulticastScopeName for IPv4 is Deleted by ClientName.","Scope: IP_ScopeName within SuperScope: IP_SuperScopeName for IPv4 is Activated by ClientName.","Scope: IP_ScopeName within SuperScope: IP_SuperScopeName for IPv4 is DeActivated by ClientName.","Scope: IP_ScopeName for IPv4 is Removed in Superscope: IP_SuperScopeName by ClientName. 
However, the Scope exists outside the Superscope.","Scope: IP_ScopeName for IPv4 is Deleted in Superscope: IP_SuperScopeName as well as Deleted permanently by ClientName.","Server level option OptionName for IPv4 has been updated by ClientName.","Reservation: ReservationName for IPv4 is Configured under Scope IP_Name by ClientName.","Reservation: ReservationName for IPv4 is Deleted under Scope IP_Name by ClientName.","Reservation: ReservationName for IPv4 under Scope: IP_Name is Enabled for DNS Dynamic updates by ClientName.","Reservation: ReservationName for IPv4 under Scope: IP_Name is Disabled for DNS Dynamic updates by ClientName.","Reservation: ReservationName for IPv4 under Scope: IP_Name is Updated with DNS Settings by ClientName: to dynamically update DNS A and PTR records on request by the DHCP Clients.","Reservation: ReservationName for IPv4 under Scope: IP_Name is Updated with DNS Settings by ClientName: to always dynamically update DNS A and PTR records.","Reservation: ReservationName for IPv4 under Scope: IP_Name is Enabled for DNS Settings by ClientName: to discard DNS A and PTR records when lease is deleted.","Reservation: ReservationName for IPv4 under Scope: IP_Name is Disabled for DNS Settings by ClientName: to discard DNS A and PTR records when lease is deleted.","Reservation: ReservationName for IPv4 under Scope: IP_Name is Enabled for DNS Settings by ClientName: to dynamically update DNS A and PTR records for DHCP Clients that do not request updates.","Reservation: ReservationName for IPv4 under Scope: IP_Name is Disabled for DNS Settings by ClientName: to dynamically update DNS A and PTR records for DHCP Clients that do not request updates.","Reservation: ReservationName for IPv4 under Scope: IP_Name is Updated with Option Setting: OptionName by ClientName.","Policy based assignment has been disabled at server level.","Policy based assignment has been enabled at server level.","Added exclusion IP Address range ExclusionRange in the Address 
Pool for IPv4 under Scope: IP_Name by ClientName.","Deleted exclusion IP Address range ExclusionRange in the Address Pool for IPv4 under Scope: IP_Name by ClientName.","Link Layer based filtering is Enabled in the Allow List of the IPv4 by ClientName.","Link Layer based filtering is Disabled in the Allow List of the IPv4 by ClientName.","Filter for physical address: PhysicalAddress, hardware type: HWType added to the IPv4 Allow List by ClientName.","Filter for physical address: PhysicalAddress, hardware type: HWType removed from the IPv4 Allow List by ClientName.","Link Layer based filtering is Enabled in the Deny List of the IPv4 by ClientName.","Link Layer based filtering is Disabled in the Deny List of the IPv4 by ClientName.","Filter for physical address: PhysicalAddress, hardware type: HWType added to the IPv4 Deny List by ClientName.","Filter for physical address: PhysicalAddress, hardware type: HWType removed from the IPv4 Deny List by ClientName.","Scope: IP_ScopeName for IPv6 is Deleted by ClientName.","Scope: IP_ScopeName for IPv6 is Activated by ClientName.","Scope: IP_ScopeName for IPv6 is DeActivated by ClientName.","Scope: IP_ScopeName for IPv6 is Updated with Lease Preferred Lifetime: ModifiedDuration by ClientName. The previous configured Lease Preferred Lifetime was: OriginalDuration.","Scope: IP_ScopeName for IPv6 is Updated with Lease Valid Lifetime: ModifiedDuration by ClientName. 
The previous configured Lease Valid Lifetime was: OriginalDuration.","Scope: IP_ScopeName for IPv6 is Updated with Option Setting: OptionName by ClientName.","Scope: IP_ScopeName for IPv6 is Enabled for DNS Dynamic updates by ClientName.","Scope: IP_ScopeName for IPv6 is Disabled for DNS Dynamic updates by ClientName.","Scope: IP_ScopeName for IPv6 is Updated with DNS Settings by ClientName: to dynamically update DNS AAAA and PTR records on request by the DHCP Clients.","Scope: IP_ScopeName for IPv6 is Updated with DNS Settings by ClientName: to always dynamically update DNS AAAA and PTR records.","Scope: IP_ScopeName for IPv6 is Enabled for DNS Settings by ClientName: to discard DNS AAAA and PTR records when lease is deleted.","Scope: IP_ScopeName for IPv6 is Disabled for DNS Settings by ClientName: to discard DNS AAAA and PTR records when lease is deleted.","Name Protection setting is Enabled on Scope: IP_Name for IPv6 by ClientName.","Name Protection setting is Disabled on Scope: IP_Name for IPv6 by ClientName.","Reservation: ReservationName for IPv6 is Configured under Scope IP_Name by ClientName.","Reservation: ReservationName for IPv6 is Deleted under Scope IP_Name by ClientName.","Reservation: ReservationName for IPv6 under Scope: IP_Name is Enabled for DNS Dynamic updates by ClientName.","Reservation: ReservationName for IPv6 under Scope: IP_Name is Disabled for DNS Dynamic updates by ClientName.","Reservation: ReservationName for IPv6 under Scope: IP_Name is Updated with DNS Settings by ClientName: to dynamically update DNS AAAA and PTR records on request by the DHCP Clients.","Reservation: ReservationName for IPv6 under Scope: IP_Name is Updated with DNS Settings by ClientName: to always dynamically update DNS AAAA and PTR records.","Reservation: ReservationName for IPv6 under Scope: IP_Name is Enabled for DNS Settings by ClientName: to discard DNS AAAA and PTR records when lease is deleted.","Reservation: ReservationName for IPv6 under Scope: IP_Name is 
Disabled for DNS Settings by ClientName: to discard DNS AAAA and PTR records when lease is deleted.","Reservation: ReservationName for IPv6 under Scope: IP_Name is Updated with Option Setting: OptionName by ClientName.","Added exclusion IP Address range ExclusionRange in the Address Pool for IPv6 under Scope: IP_Name by ClientName.","Deleted exclusion IP Address range ExclusionRange in the Address Pool for IPv6 under Scope: IP_Name by ClientName.","Scope: IP_ScopeName for IPv6 is Modified by ClientName.","DHCPv6 Stateless client inventory has been enabled for the scope IP_ScopeName.","DHCPv6 Stateless client inventory has been disabled for the scope IP_ScopeName.","DHCPv6 Stateless client inventory has been enabled for the server.","DHCPv6 Stateless client inventory has been disabled for the server.","Purge time interval for DHCPv6 stateless client inventory for scope IP_ScopeName has been set to PurgeInterval hours.","Purge time interval for DHCPv6 stateless client inventory for server has been set to PurgeInterval hours.","Scope: IP_ScopeName for IPv4 is Disabled for DNS Settings by ClientName: to disable dynamic updates for DNS PTR records.","Server level option OptionName for IPv6 has been updated by ClientName.","Policy PolicyName for server is String1.","Policy PolicyName for scope IP_ScopeName is String1.","The conditions for server policy PolicyName have been set to String1. The conditions are grouped by logical operator String2.","The conditions for scope IP_ScopeName policy PolicyName have been set to String1. 
The conditions are grouped by logical operator String2.","Policy PolicyName was deleted from server.","Policy PolicyName was deleted from scope IP_ScopeName.","The IP address range from String1 was set for the scope IP_ScopeName policy PolicyName.","The IP address range from String1 was removed from the scope IP_ScopeName policy PolicyName.","The value OptionValue was set for the option OptionName for the server policy PolicyName.","The value OptionValue was set for the option OptionName for the scope IP_ScopeName policy PolicyName.","The value OptionValue was removed from the option OptionName for the server policy PolicyName.","The value OptionValue was removed from the option OptionName for the scope IP_ScopeName policy PolicyName.","Server policy PolicyName has been renamed to String1.","Scope IP_ScopeName policy PolicyName has been renamed to String1.","Description of server policy PolicyName was set to String1.","Description of scope IP_ScopeName policy PolicyName was set to String1.","Processing order of server policy PolicyName was changed to Integer1 from Integer2.","Processing order of scope IP_ScopeName policy PolicyName was changed to Integer1 from Integer2.","Failover relationship RelationshipName between Server1Name and Server2Name has been deleted.","Scope ScopeAddress has been added to the failover relationship RelationshipName with server Server2Name.","Scope ScopeAddress has been removed from the failover relationship RelationshipName with server Server2Name.","The failover configuration parameter MCLT for failover relationship RelationshipName with server Server2Name has been changed from OldValue seconds to NewValue seconds.","The failover configuration parameter auto switch over interval for failover relationship RelationshipName with server Server2Name has been changed from OldValue seconds to NewValue seconds.","The failover configuration parameter reserve address percentage for failover relationship RelationshipName with server Server2Name 
has been changed from OldValue to NewValue.","The failover configuration parameter load balance percentage for failover relationship RelationshipName with server Server2Name has been changed from OldValue to NewValue on this server.","The failover configuration parameter mode for failover relationship RelationshipName with server Server2Name has been changed from hot standby to load balance.","The failover configuration parameter mode for failover relationship RelationshipName with server Server2Name has been changed from load balance to hot standby.","The shared secret for failover relationship Server2Name with server RelationshipName has been changed.","Message authentication for failover relationship Server2Name with server RelationshipName has been enabled.","Message authentication for failover relationship Server2Name with server RelationshipName has been disabled.","DNSSuffix of scope IP_ScopeName policy PolicyName was set to String1.","DNSSuffix of server policy PolicyName was set to String1.","Scavenger started.","Scavenger ended.","Address allocation triggered for the failover relationship RelationshipName.","Scavenger finished purging stateless entries.","The total leases deleted in scavenger are number.","Scope Server which was part of failover relationship RelationName was not found in DHCP server database. 
Please restore the DHCP server database.","Attempting to send data to remote server using the following proxy configuration: Access Type (AccessType); Proxy Server (Proxy); Proxy Bypass Server (ProxyBypass).","Failed to send data to remote server using the following proxy configuration: Access Type (AccessType); Proxy Server (Proxy); Proxy Bypass Server (ProxyBypass) because of proxy failure (Error).","Failed to connect to the remote server Hostname at the URL path Url due to lack of network access.","Failed to connect to the remote server Hostname at the URL path Url with error Error.","Timed out waiting for a response from the remote server Hostname at the URL path Url.","Parsed valid response from the remote server Hostname at the URL path Url.","Failed to send data to remote server because list of proxy servers was exhausted without receiving a response. The error code returned to caller is Error.","Stop NDF Diagnose.","An error occurred. The Network Diagnostics Framework failed to complete operation. A Windows Error Report was generated. [ResultHR].","This event is not emitted, it remains manifested for AppCompat.","User Entered Credentials.","EAP session is completing during the authentication phase.","The security log is now full.","Event log automatic backup.","Windows failed to apply the ExtensionName settings. ExtensionName settings might have its own log file. Please click on the \"More information\" link.","An uncorrected memory error occurred at physical address PhysicalAddress. The virtual machine that was using the page is no longer valid. No action was taken. (Platform Directed: Flags).","Failed to persist memory with the kernel with error Parameter0 during a fast save operation. (Virtual Machine PartitionId).","Finished creating memory block with Parameter1 pages with status Parameter2. (Partition ID Parameter0).","Failed to invoke command in host for DISPID DISPID on parameter ArgErr. 
(Result HRESULT).","Failed to navigate due to security problem SecurityProblem. (Result HRESULT).","Failed to Get alternative URL for Wizard ID WizardID. (Result HRESULT).","Security manager handle URL URL action Action as policy Policy. (Result HRESULT).","Security manager allow ActiveX control for CLSID CLSID. (URL URL).","Security manager disallow ActiveX control for CLSID CLSID. (URL URL).","Showing browser window.","Failed to execute [Method] for [String]. Extended error text: Extended String. (Result HRESULT).","Failed to present the notification for this tile.","Failed to change system UI language from Language1 to Language2. Please go to Regional and Language options control panel to change the system UI language.","SNASJob: Job [Prop_UInt32] matches the filter.","Autotrigger: [string], device is attempting to connect to VPN. Please refer to Microsoft-Windows-VPN channel under WFP for cause of connect.","Autotrigger: [string], profile got activated.","Autotrigger: [string], profile got deactivated.","Autotrigger: [string], profile got auto disconnected. Please refer to Microsoft-Windows-VPN channel under WFP for cause of disconnect.","Stop Intranet resolver.","Unable to collect process virtual memory information. Error: Win32Error.","Unable to query the job object Message for its accounting info. Error: Win32 Error.","Unable to query the Message object directory to look for job objects. Error: Win32 Error.","Unable to query the job object Message for its process IDs. Error: Win32 Error.","Unable to allocate memory for Job counters.","The print spooler failed to delete the file Source, error code ErrorCode. See the event user data for context information.",0,"The process 'param1' exited with exit code param2. 
The creation time for the exiting process was 0xparam3.","The connection update timed out.","The connection update timed out.","Some available resources could not be downloaded.","Some available resources could not be downloaded.","There are currently no resources available in this connection.","There are currently no resources available in this connection.","There is a problem with this connection's security certificate.","There is a problem with this connection's security certificate.","The credentials that were used to connect to Connection_name did not work.","The credentials that were used to connect to Connection_name did not work.","Windows is shutting down.","The IPsec Policy Agent service was disabled.","IPsec Policy Agent encountered a potentially serious failure.","Certificate Services received a request to shut down.","The Windows Firewall service was stopped.","The Windows Firewall Driver was stopped.","An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.","IPsec Policy Agent polled for changes to the active IPsec policy and detected no changes.","IPsec Policy Agent polled for changes to the active IPsec policy, detected changes, and applied them.","IPsec Policy Agent received a control for forced reloading of IPsec policy and processed the control successfully.","The IPsec Policy Agent service was started.","The IPsec Policy Agent service was stopped. Stopping this service can put the computer at greater risk of network attack or expose the computer to potential security risks.","ProductName registered to Windows Firewall to control filtering for the following.","Process 'ProcessPath' (PID ProcessId) has encountered a shadow stack return address mismatch. 
The process will be allowed to continue execution.","Process 'ProcessPath' (PID ProcessId) would have been blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.","Process 'ProcessPath' (PID ProcessId) was blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.","Process 'ProcessPath' (PID ProcessId) would have been blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing exception handling continuation data.","Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Export Address Table for module 'MemModuleFullPath'.","Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.","Process 'ProcessPath' (PID ProcessId) was blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.","Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.","Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.","Process 'ProcessPath' (PID ProcessId) was blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.","Occurs when the device is shut down or offboarded. Normal operating notification; no action required.","Windows Defender Advanced Threat Protection service failed to start. Failure code: HRESULT.","The device didn't onboard correctly and isn't reporting to the portal. Onboarding must be run before starting the service. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. 
See Onboard client devices.","Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: parameter.","During onboarding: The service failed to clean its configuration during the onboarding. The onboarding process continues. During offboarding: The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running. Onboarding: No action required. Offboarding: Reboot the system. See Onboard client devices.","Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: HRESULT.","Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: HRESULT.","New cloud configuration failed to apply, version: parameter1. Also failed to apply last known good configuration, version parameter2. Also failed to apply the default configuration.","Windows Defender Advanced Threat Protection cannot start command channel with URL: parameter.","Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: HRESULT.","Service will only start after any Windows updates have finished installing. Normal operating notification; no action required.","Service will only start after any Windows updates finish installing. Normal operating notification; no action required. If this error persists after a system restart, ensure all Windows updates have full installed.","Cannot wait for OOBE (Windows Welcome) to complete. Failure code: HRESULT.","Service failed to reset health status in the registry. Failure code: HRESULT.","Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: HRESULT.","Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. 
Failure code: HRESULT.","Connected User Experiences and Telemetry service registration failed with failure code: HRESULT. Requested disk quota in MB: diskSizeQuotaValue, Requested daily upload quota in MB: dailyUploadQuotaValue.","Failed to read the offboarding parameters. Error type: errorType, Error code: HRESULT, Description: description.","Failed to disable Windows Defender Advanced Threat Protection mode in Windows Defender. Failure code: HRESULT.","Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: HRESULT.","Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: HRESULT.","Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: HRESULT.","An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS.","Module: Module, Quota: {module} {quotaValue}, Percentage of quota utilization: quotaValueUnit.","Internal error. The service failed to start. If this error persists, contact Support.","Internal error. The service failed to start. If this error persists, contact Support.","The service was offboarded. Normal operating notification; no action required.","Failed to register and to start the event trace session [TraceSessionName]. Error code: HRESULT.","An error occurred on service startup while creating ETW session due to lack of resources. The service is running, but doesn't report sensor events until the ETW session starts. Normal operating notification; no action required. The service tries to start the session every minute.","This event follows the previous event after successfully starting of the ETW session. 
Normal operating notification; no action required.","Failed to add a provider [ProviderId] to event trace session [TraceSessionName]. Error code: ErrorCode. This means that events from this provider will not be reported.","Invalid cloud configuration command received and ignored. Version: Version, status: Status, error code: HRESULT, message: ErrorMessage.","New cloud configuration failed to apply, version: parameter1. Successfully applied the last known good configuration, version parameter2.","New cloud configuration failed to apply, version: parameter1. Also failed to apply last known good configuration, version parameter2. Successfully applied the default configuration.","Failed to create the Secure ETW autologger. Failure code: HRESULT.","Failed to remove the Secure ETW autologger. Failure code: HRESULT.","An investigation package, also known as forensics package, is being collected. Normal operating notification; no action required.","Data collection command parameters are invalid: SasUri: SasUri, compressionLevel: CompressionLevel.","Failed to start Connected User Experiences and Telemetry service. Failure code: HRESULT.","Failed to load Microsoft Security Events Component Minifilter driver. Failure code: HRESULT.","Policy update: Allow sample collection - UInt1.","Device tag in registry exceeds length limit. Tag name: Message1. Length limit: UInt1.","Failed to create Windows Defender Advanced Threat Protection ETW autologger. Failure code: HRESULT.","Failed to remove Windows Defender Advanced Threat Protection ETW autologger. Failure code: HRESULT.","Failed to trigger Windows Defender Advanced Threat Protection Incident Response executable. Failure code: HRESULT.","Starting again stopped external service that should be up. Name: ServiceName, exit code: ErrorCode.","Cannot start the external service. Name: ServiceName.","Updating the start type of external service again. 
Name: ServiceName, actual start type: ActualStartType, expected start type: ExpectedStartType, exit code: ErrorCode.","Cannot update the start type of external service. Name: ServiceName, actual start type: ActualStartType, expected start type: ExpectedStartType.","Failed to configure System Guard Runtime Monitor to connect to cloud service in geo-region Message1. Failure code: HRESULT.","Failed to remove System Guard Runtime Monitor geo-region information. Failure code: HRESULT.","Stopping sending sensor cyber data quota because data quota is exceed. Will resume sending once quota period passes. State Mask: UInt2.","Resuming sending sensor cyber data. State Mask: UInt2.","Windows Defender Advanced Threat Protection Classification Engine Init has called. Result code: HRESULT.","There are network connectivity issues that affect the DLP classification flow. Check the network connectivity.","The connectivity to the network was restored and the DLP classification flow can continue. Normal operating notification; no action required.","Sense has encoutered the following error while communicating with server: (Message1). Result: (HRESULT).","Windows Defender Advanced Threat Protection Classification Engine executable failed to start. Failure code: HRESULT.","Failed to queue asynchronous driver unload. Failure code: HRESULT.","Occurs during offboarding. Normal operating notification; no action required.","Windows Defender Advanced Threat Protection service failed to start. Failure code HRESULT ; Failed to load MsSense DLL Module.","Windows Defender Advanced Threat Protection service failed to start. Failure code UInt2 ; Issue with MsSense DLL Module.","Update phase:Update_phase, new platform version: new_platform_version, message: message.","Update phase:Update_phase new platform version: new_platform_version, failure message: failure_message, error: error.","Occurs during offboarding. 
Contact support.","Failed to update driver permissions Failure code: HRESULT.","Failed to ACL on Folder Message1 Failure code: HRESULT.","Windows Defender Advanced Threat Protection service failed to generate key. Failure code: HRESULT.","Windows Defender Advanced Threat Protection service failed to persist authentication state. State: Message1, Failure code: HRESULT.","Windows Defender Advanced Threat Protection service failed to sign message (authentication). Failure code: HRESULT.","Windows Defender Advanced Threat Protection service failed to remove persist authentication state. State: Message1, Failure code: HRESULT.","Windows Defender Advanced Threat Protection service failed to open key. Failure code: HRESULT.","Occurs during reonboarding. Normal operating notification; no action required.","CSP: Get Node's Value. NodeId: (UInt1), TokenName: (Message1).","CSP: Failed to Get Node's Value. NodeId: (UInt1), TokenName: (Message1), Result: (HRESULT).","CSP: Get Node's Value complete. NodeId: (UInt1), TokenName: (Message1), Result: (HRESULT).","CSP: Get Last Connected value complete. Result (Message1), IsDefault: (Boolean1).","CSP: Get Org ID value complete. Result: (Message1), IsDefault: (Boolean1).","CSP: Get Sense Is Running value complete. Result: (UInt1).","CSP: Get Onboarding State value complete. Result: (UInt1), IsDefault: (Boolean1).","CSP: Get Onboarding value complete. Onboarding Blob Hash: (onboardingBlobHash), IsDefault: (isDefaultOnboardingBlob), Onboarding State: (onboardingState), Onboarding State IsDefault: (isDefaultOnboardingState).","CSP: Get Offboarding value complete. Offboarding Blob Hash: (offboardingBlobHash), IsDefault: (isDefaultOffboardingBlob).","CSP: Get Sample Sharing value complete. Result: (UInt1), IsDefault: (Boolean1).","Started onboarding flow. Normal operating notification; no action required.","CSP: Onboarding process. Delete Offboarding blob complete. Result: (HRESULT).","CSP: Onboarding process. 
Write Onboarding blob complete. Result: (HRESULT).","Started Sense service as part of onboarding flow. Normal operating notification; no action required.","CSP: Onboarding process. Pending service running state complete. Result: (HRESULT).","CSP: Set Sample Sharing value complete. Previous Value: (previousSampleCollectionValue), IsDefault: (IsDefault), New Value: (newSampleSharing), Result: (HRESULT).","CSP: Offboarding process. Delete Onboarding blob complete. Result (HRESULT).","CSP: Offboarding process. Write Offboarding blob complete. Result (HRESULT).","CSP: Set Node's Value started. NodeId: (UInt1), TokenName: (Message1).","CSP: Failed to Set Node's Value. NodeId: (UInt1), TokenName: (Message1), Result: (HRESULT).","CSP: Set Node's Value complete. NodeId: (UInt1), TokenName: (Message1), Result: (HRESULT).","CSP: Set Telemetry Reporting Frequency started. New value: (UInt1).","CSP: Set Telemetry Reporting Frequency complete. Previous value: (previousLatencyMode), IsDefault: (IsDefault), New value: (newLatencyMode), Result: (HRESULT).","CSP: Get Telemetry Reporting Frequency complete. Value: (UInt1), Registry Value: (Message1), IsDefault: (Boolean1).","CSP: Get Group Ids complete. Value: (Message1), IsDefault: (Boolean1).","CSP: Set Group Ids exceeded allowed limit. Allowed: (UInt1), Actual: (UInt2).","CSP: Set Group Ids complete. Value: (Message1), Result: (HRESULT).","Trace values as part of onboarding. Normal operating notification; no action required.","Trace values as part of offboarding. Normal operating notification; no action required.","CSP: Failed to Set Sample Sharing Value. Requested Value: (requestedValue), Allowed Values between (minimumAllowedValue) and (maximumAllowedValue).","CSP: Failed to Set Telemetry Reporting Frequency Value. Requested Value: (UInt1).","Get SenseIsRunning result. Normal operating notification; no action required.","CSP: Get Device Tagging Group complete. 
Value: (Message1), IsDefault: (Boolean1).","CSP: Get Device Tagging Criticality value complete. In Registry: (registryValue), IsDefault: (IsDefault), Conversion Succeeded: (conversionSucceeded), Result: (Result).","CSP: Get Device Tagging Identification Method value complete. In Registry: (registryValue), IsDefault: (IsDefault), Conversion Succeeded: (conversionSucceeded), Result: (Result).","CSP: Set Device Tagging Group complete. Value: (Message1), Result: (HRESULT).","CSP: Set Device Tagging Group exceeded allowed limit. Allowed: (UInt1), Actual: (UInt2).","CSP: Set Device Tagging Criticality value complete. Previous Value: (previousCriticalityValue), IsDefault: (IsDefault), New Value: (newCriticalityValue), Result: (HRESULT).","CSP: Failed to Set Device Tagging Criticality Value. Requested Value: (requestedValue), Allowed Values between (minimumAllowedValue) and (maximumAllowedValue).","CSP: Set Device Tagging Identification Method value complete. Previous Value: (previousIdMethodValue), IsDefault: (IsDefault), New Value: (newIdMethodValue), Result: (HRESULT).","CSP: Failed to Set Device Tagging Identification Method Value. 
Requested Value: (requestedValue), Allowed Values between (minimumAllowedValue) and (maximumAllowedValue).","ProductName scan has been paused.","ProductName scan has resumed.","ProductName scan has encountered an error and terminated.","ProductName has taken action to protect this machine from malware or other potentially unwanted software.","ProductName has encountered an error when taking action on malware or other potentially unwanted software.","ProductName has encountered an error trying to restore an item from quarantine.","ProductName has deleted an item from quarantine.","ProductName has encountered an error trying to delete an item from quarantine.","ProductName has encountered an error trying to remove history of malware and other potentially unwanted software.","ProductName has encountered a non-critical error when taking action on malware or other potentially unwanted software.","ProductName has encountered a critical error when taking action on malware or other potentially unwanted software.","ProductName has deduced the hashes for a threat resource.","ProcessName has been blocked from modifying Path by Controlled Folder Access.","ProcessName would have been blocked from modifying Path by Controlled Folder Access.","Controlled Folder Access blocked ProcessName from making changes to memory.","Controlled Folder Access would have blocked ProcessName from making changes to memory.","{Product Name} blocked a behavior by {Source app}.","ProductName has detected potentially unwanted application(PUA).","ProductName has encountered an error trying to update the engine.","ProductName has encountered an error trying to update security intelligence and will attempt to revert to a previous version.","ProductName could not load antimalware engine because current platform version is not supported. 
ProductName will revert back to the last known-good engine and a platform update will be attempted.","ProductName has encountered an error trying to update the platform.","ProductName will soon require a newer platform version to support future versions of the antimalware engine. Download the latest ProductName platform to maintain the best level of protection available.","ProductName platform update update to NewPlatformVersion is paused due to system activity. For more details see the latest MpLog*.log entry under ProgramData.","ProductName platform update to NewPlatformVersion has resumed.","ProductName used cloud protection to discard obsolete security intelligence updates.","ProductName has encountered an error trying to use cloud protection.","ProductName discarded all cloud protection intelligence.","{Product Name} downloaded a clean file. Filename: {Filename} Current Signature Version: {Current Signature Version} Current Engine Version: {Current Engine Version}.","ProductName downloaded and configured Microsoft Defender Antivirus (offline scan) to run on the next reboot.","ProductName has encountered an error trying to download and configure Microsoft Defender Antivirus (offline scan).","The support for your operating system will expire shortly. Running ProductName on an out of support operating system is not an adequate solution to protect against threats.","The support for your operating system has expired. Running ProductName on an out of support operating system is not an adequate solution to protect against threats.","The support for your operating system has expired. ProductName is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.","ProductName has encountered an error trying to upload a suspicious file for further analysis.","{Product Name} Real-Time Protection agents have started. User: {Domain}\\{User}.","{Product Name}Real-Time Protection agents have stopped. 
User: {Domain}\\{User}.","ProductName Real-time Protection scanning for malware and other potentially unwanted software was enabled.","{param1} OnAccess scanning for viruses was enabled.","{param1} OnAccess scanning for viruses was disabled.","{Product Name} Real-time Protection checkpoint configuration has changed. Checkpoint: {Checkpoint} Configuration: {Configuration}.","{param1} OnAccess filter seems to be a unloaded - OnAccess scanning is disabled - Please restart the service.","ProductName engine has been terminated due to an unexpected error.","ProductName scanning for spyware and other potentially unwanted software has been enabled.","ProductName scanning for viruses has been enabled.","ProductName Resource Monitor: Memory consumption exceeded its limit.","ProductName Resource Monitor: CPU utilization exceeded its limit.","ProductName service seemed to be hung during shutdown.","Microsoft Defender Antivirus state updated to hc_stateid.","WMI Events were bound. ConsumerType = ConsumerType; Possiblecause = PossibleCause.","Cloud account administrator connected.","Cloud account administrator disconnected.","SNTP Warning: message [param1], status: status. @source_filename, line source_line.","SNTP Info: message param1 ; param2. @source_filename, line source_line.","SNTP filtering_type: Network traffic filtering has been enabled.","SNTP filtering_type: Network traffic filtering has been disabled.","SNTP Warning: Failed to add exclusion (invalid format): message @ source_filename, line source_line.","SophosNTPLWF Warning: message [param1], status: status. @source_filename, line source_line.","SophosNTPLWF Info: message param1 ; param2. @source_filename, line source_line.","The Sophos Network Threat Protection driver has been successfully loaded.","The Sophos Network Threat Protection driver has been unloaded.","The SNTP driver could not be initialized. Please check the Sophos Network Threat Protection driver debug log for further information. 
STATUS status LINE line_number.","The driver's network event buffer is full. Network events may be ignored. LINE line_number.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"FailReason. WDFDEVICE WDFDEVICE.","FailReason. WDFDEVICE WDFDEVICE.","PrepareController ERROR: Too many MBAR resources IDX:MBAR PA:PA LEN:LEN - STATUS:Status.","Created WDFDEVICE WDFDEVICE.","WDFDEVICE FxDevice IO Addr IOAddr.","Resource for WDFDEVICE Released.","StartController Start.","StartController End.","StopController Start.","StopController End.","DriverEntry Start.","DriverEntry End.","DeviceAdd Start.","DeviceAdd End.","OnPrepareHardware Start.","OnPrepareHardware End.","DriverUnloaded.","Query Stop WDFDEVICE.","Surprise Removal WDFDEVICE.","QueryBasicInformation.","ConnectIO BankId = BankId, PinCount = PinCount, ConnectMode = ConnectMode, PullConfiguration = PullConfig.","DisconnectIO BankId = BankId, PinCount = PinCount, DisconnectMode = DisconnectMode.","ReadIoPins BankID:ReadIoPins_BankID PinValues:PinValues.","WriteIoPins BankID:WriteIoPins_BankID SetValue:SetValue ClearValue:ClearValue.","Created WDFDEVICE FxDevice.","WDFDEVICE FxDevice mapped to vAddr VAddr (MMIO Addr PAddr).","Resource for FxDevice Released.","D0 Entrty Start for WDFDEVICE FxDevice (MMIO PAddr).","D0 Entry End for WDFDEVICE FxDevice (MMIO PAddr).","D0 Exit Start for WDFDEVICE FxDevice (MMIO PAddr).","D0 Exit End for WDFDEVICE FxDevice (MMIO PAddr).","SpbRequest pRequest (Type IOCTL) received. WDFDEVICE pDevice (MMIO MMIO). 
Target pTarget (Address Target I2C Address).","SpbRequest Request Completed Status Status .","ISR For WDFDEVICE WDFDEVICE (MMIO MMIO) Begin.","ISR For WDFDEVICE WDFDEVICE (MMIO MMIO) End Interrupt Status Stat.","DPC for WDFDEVICE WDFDEVICE (MMIO MMIO) Start.","DPC for WDFDEVICE WDFDEVICE (MMIO MMIO) End.","DriverEntry Start.","DriverEntry End.","DeviceAdd Start.","DeviceAdd End.","OnPrepareHardware Start.","OnPrepareHardware End.","DMA Configurations Status for WDFDEVICE WDFDevice (MMIO MMIO).","Monitor State MonitorState. Idle Timeout IdleTimeout. WDFDEVICE WDFDevice (MMIO MMIO).","Cancel SpbRequest pRequest received. WDFDEVICE pDevice (MMIO MMIO). Target pTarget pTarget (Address Target I2C Address).","Cancel Start.","Cancel End.","DMA Txn Start. Direction Direction # of MDL NumMdls #bytes NumBytes WDFDEVICE WDFDEVICE (MMIO MMIO).","DMA Txn End. Direction Direction DmaStatus DMA Status #bytes NumBytes WDFDEVICE WDFDEVICE (MMIO MMIO).","Cancel Timer Expired WDFDEVICE WDFDEVICE (MMIO MMIO).","DriverUnloaded.","ERROR: ERROR - STATUS: STATUS.","[Message] -&lt;--.","[Message] -&lt;-- Status = Status.","Driver ERROR: WdfDriverCreate() returned status:Status.","Driver ERROR: GPIO_CLX_RegisterClient() returned status:Status.","Driver ERROR: GPIO_CLX_UnregisterClient() returned status:Status.","Driver ERROR: CheckSupportedOs() returned status:Status.","Device ERROR: GPIO_CLX_ProcessAddDevicePreDeviceCreate() returned status:Status.","Device ERROR: GPIO_CLX_ProcessAddDevicePostDeviceCreate() returned status:Status.","Device ERROR: WdfDeviceCreate() returned status:Status.","GpioCx DDI: GpioCx_DDI.","GpioCx DDI ERROR: Controller Context invalid.","GpioCx DDI ERROR: Controller Object invalid.","GpioCx DDI ERROR: Controller Object allocate error.","BankName: ERROR: Invalid pin number: PinNo.","BankName_PinNo: ERROR: Invalid pin ownership: PinOwnership.","BankName_PinNo: ERROR: Invalid pin mode: PinMode.","PrepareController ERROR: Can't allocate pin table.","PrepareController 
ERROR: Can't initialize GPIO layout - STATUS:Status.","PrepareController INTERRUPT VEC:PrepareController_INTERRUPT_VEC.","PrepareController ERROR: Incorrect resource count. MMIO:MBAR_current (exp. MBAR_expected) INT:INT_current (exp. INT_expected) - STATUS:Status.","Controller queried for properties.","Controller started.","Controller stopped.","BankName_PinNo: ERROR: Interrupt configuration not supported: IntMode IntPolartity.","BankName_PinNo: Interrupt configured to: IntMode IntPolartity.","BankName_PinNo: WARNING: Pull configuration not supported: PullMode - using default.","BankName_PinNo: Pull configured to: PullMode.","BankName_PinNo: Interrupt enabled.","BankName_PinNo: Interrupt disabled.","BankName_PinNo: Interrupt unmasked.","BankName: Interrupts queried enabled:Enabled.","BankName_PinNo: ERROR: Pin already connected in mode PinIoMode.","BankName_PinNo: ERROR: Pin not connected.","BankName_PinNo: Pin output set PinState.","BankName_PinNo: Pin output pre-set PinState.","BankName_PinNo: Pin input get PinState.","BankName_PinNo: WARNING: Pin mode 'PinIoMode' not supported. Buffer enable state not changed.","BankName_PinNo: Pin connected in mode PinIoMode.","BankName_PinNo: ERROR: Pin connected in mode PinIoModeCurrent while disconnect request for mode PinIoModeRequested.","BankName_PinNo: Pin disconnected - output buffer disabled.","BankName_PinNo: Pin disconnected - output buffer left enabled.","BankName_PinNo: Pin disconnected - input buffer disabled.","BankName_PinNo: Pin disconnected - input buffer left enabled.","BankName_PinNo: WARNING: Pin mode 'PinIoMode' not supported. 
Disconnecting input and output.","BankName_PinNo: Pin context restored.","BankName: Bank context restored.","BankName_PinNo: Pin context saved.","BankName: Bank context saved.","ERROR: Invalid special function number.","BankName_PinNo: Mask APIC interrupt.","BankName_PinNo: Unmask APIC interrupt.","BankName_PinNo: WriteGpioIo.","BankName_PinNo: ReadGpioIo.","DriverEntry Start.","DriverEntry End.","DriverUnload Start.","DriverUnload End.","DeviceAdd Start.","DeviceAdd End.","PrepareController Start.","PrepareController End.","ReleaseController Start.","ReleaseController End.","ERROR: ERROR - Status:Status.","[Function] -&lt;--.","[Function] -&lt;-- Status:Status.","Driver ERROR: WdfDriverCreate() returned status:Status.","Driver ERROR: CheckSupportedOs() returned status:Status.","Device ERROR: SpbDeviceInitConfig() returned status:Status.","Device ERROR: WdfDeviceInitAssignSDDLString() returned status:Status.","Device ERROR: WdfDeviceCreate() returned status:Status.","Device ERROR: SpbDeviceInitialize() returned status:Status.","Device ERROR: WdfSpinLockCreate() returned status:Status.","Device ERROR: WdfInterruptCreate() returned status:Status.","Device ERROR: WdfTimerCreate() returned status:Status.","Device ERROR: WdfDeviceAssignS0IdleSettings() returned status:Status.","PrepareHardware WARNING: Too many MBAR resources IDX:MBAR PA:PA LEN:LEN - MBAR disabled.","PrepareHardware INTERRUPT VEC:PrepareHardware_INTERRUPT_VEC.","PrepareHardware ERROR: Incorrect resource count. MMIO:MBAR_count (exp. 1 or 2) INT:INT_count (exp. 1) - STATUS:Status.","PrepareHardware ERROR: DMA SW initialization failed.","PrepareHardware DMA SW initialized.","PrepareHardware DMA disabled or not needed.","Power ERROR: PoRegisterPowerSettingCallback() returned status:Status.","Power ERROR: Invalid power callback context.","Power INFO: Monitor is MonitorState. 
Setting idle timeout to Timeout ms.","Power ERROR: WdfDeviceAssignS0IdleSettings() returned status:Status.","SpbCx DDI: SpbCx_DDI.","Controller INFO: Connected to target: Addr:SlaveAddress Mode:AddressMode ClkFreq:ClkFreq.","Controller ERROR: Incorrect target settings - STATUS:Status.","Controller INFO: Disconnected from target: Addr:SlaveAddress.","Controller INFO: Controller locked to target: Addr:SlaveAddress.","Controller ERROR: Controller lock failed - STATUS:Status.","Controller INFO: Connected unlocked from target: Addr:SlaveAddress.","Interrupt DPC: Reenable HW interrupts with mask:HwMask.","Target ERROR: Invalid connection properties length (current:Current, supported:Expected).","Target ERROR: Invalid clock frequency (requested:Frequency).","Request WARNING: Cancel Timer Callback without valid Target - this happen when request was already cancelled.","Request WARNING: Cancel Timer Callback without valid Request - this happen when request was already cancelled.","Request INFO: Cancel Timer Callback with outstanding Request: SpbController:SpbController SpbTarget:SpbTarget SpbRequest:SpbRequest.","Request WARNING: Timer Callback without valid Target - this happen when request was already cancelled.","Request WARNING: Timer Callback without valid Request - this happen when request was already cancelled.","Request WARNING: DPC Callback without valid Target - this happen when request was already cancelled.","Request WARNING: DPC Callback without valid Request - this happen when request was already cancelled.","Request WARNING: Cancel Callback without valid Target - this happen when request was already cancelled.","Request WARNING: Cancel Callback without valid Request - this happen when request was already cancelled.","Request INFO: Cancel Callback with outstanding Request: SpbController:SpbController SpbTarget:SpbTarget SpbRequest:SpbRequest.","Request ERROR: Failed to configure controller for transfer - Status:Status.","Request ERROR: Other transfer requires 
0us delays - Status:Status.","Request ERROR: Other transfer requires write then read sequence items - Status:Status.","Request ERROR: Other transfer requires 2 sequence items - Status:Status.","Request ERROR: Failed to enqueue Other request - Status:Status.","Request ERROR: Unsupported Other RequestType - Status:Status.","Request ERROR: Unsupported Other IoControlCode - Status:Status.","Request ERROR: Failed to capture Other TransferList - Status:Status.","Request ERROR: Request failed to mark cancelable - Status:Status.","Request ERROR: Request for SpbController:SpbController SpbRequest:SpbRequest Type:Type failed and is finished synchronously - Status:Status.","Request INFO: Request for SpbController:SpbController SpbRequest:SpbRequest complete with Length:TotalInformation - Status:Status.","Request ERROR: Request for SpbController:SpbController SpbRequest:SpbRequest complete with Length:TotalInformation - Status:Status.","Controller ERROR: Failing device !!!","Controller INFO: Configured for LOCKed operation.","Controller INFO: Interrupt processing started: HW_Status:HwStatus SW_Status:SwStatus.","DriverEntry Start.","DriverEntry End.","DriverCleanup Info.","DeviceAdd Start.","DeviceAdd End.","PrepareHardware Start.","PrepareHardware End.","ReleaseHardware Start.","ReleaseHardware End.","D0Entry Start.","D0Entry End.","D0Exit Start.","D0Exit End.","Blocked unauthorised process (processName) from deleting file (fileName).","Blocked unauthorised process (processName) from renaming file (fileName).","Blocked unauthorised process (processName) accessing file (fileName). 
The thread starting address could not be verified.","MIG protection enabled.","MIG protection disabled.","MIG protection disabled until the next reboot.","Driver Loaded version.","Driver Unloaded.","Blocked unauthorised process (processName) accessing file (fileName).","User has enabled Image Guardian on volume (volumePath).","User has disabled Image Guardian on volume (volumePath).","Error protecting volume (volumePath). Error code = errorCode.","Error unprotecting volume (volumePath). Error code = errorCode.","Attribute error sourceFile sourceLine.","A cryptographic function failed with status status.","Blocked Operation Stack Trace:stackBackTrace.","GenerationSize0=GenerationSize0.","ClrInstanceID=Index.","HandleID=MethodIdentifier.","ClrInstanceID=MethodIdentifier.","ClrInstanceID=MethodIdentifier.","ClrInstanceID=MethodIdentifier.","WorkerThreadCount=MethodIdentifier.","Driver Loaded version.","Driver Unloaded.","The $LogFile restart count has changed on device DeviceName.","Successfully attached to device DeviceName.","Device DeviceName has been stopped (IRP_MN_STOP_DEVICE).","Device DeviceName has been removed (IRP_MN_REMOVE_DEVICE).","Device DeviceName has been surprise removed (IRP_MN_SURPRISE_REMOVAL).","Tracking has been enabled on device DeviceName.","Tracking has been disabled on device DeviceName.","Failed to enable tracking on device DeviceName.","IRP_MJ_SHUTDOWN received on device DeviceName.","IOCTL_MRCBT_QUERY_VOLUME_TRACKING_INFORMATION failed on device DeviceName with status Status.","Invalidating boot sector on device DeviceName.","The NTFS $LogFile has been reset. 
This is normally caused by the Linux NTFS-3G driver.","Failed to allocate file buffer with size ReferenceCount for device DeviceName.","Reading boot sector on device DeviceName.","The file-system on device DeviceName is not supported.","The volume DeviceName is offline.","The file-system on device DeviceName is locked.","Failed to create log file with status ErrorCode.","Received GUID_TARGET_DEVICE_REMOVE_COMPLETE for device DeviceName with ReferenceCount ReferenceCount.","Received GUID_IO_VOLUME_MOUNT for device DeviceName.","Received GUID_IO_VOLUME_DISMOUNT for device DeviceName.","Received GUID_IO_VOLUME_PHYSICAL_CONFIGURATION_CHANGE for device DeviceName.","Failed to initialize the tracking file on device DeviceName.","PlugPlay notification has been registered for device DeviceName with ReferenceCount ReferenceCount.","PlugPlay notification has been unregistered for device DeviceName with ReferenceCount ReferenceCount.","Received GUID_IO_VOLUME_LOCK_FAILED for device DeviceName.","Received GUID_IO_VOLUME_UNLOCK for device DeviceName.","Received GUID_TARGET_DEVICE_REMOVE_CANCELLED for device DeviceName.","Received GUID_TARGET_DEVICE_QUERY_REMOVE for device DeviceName.","Received GUID_IO_VOLUME_LOCK for device DeviceName.","Received GUID_IO_VOLUME_FVE_STATUS_CHANGE for device DeviceName.","IRP_MJ_READ failed on device DeviceName with status ReferenceCount.","IRP_MJ_WRITE failed on device DeviceName with status ReferenceCount.","Received GUID_IO_VOLUME_SIZE_CHANGE for device DeviceName.","Received GUID_IO_VOLUME_DISMOUNT_FAILED for device DeviceName.","Received GUID_IO_VOLUME_NEED_CHKDSK for device DeviceName.","Failed to open an existing tracking file on device DeviceName with status ReferenceCount.","Failed to protect the tracking file on device DeviceName with status ReferenceCount.","Failed to get retrieval pointers for the tracking file on device DeviceName with status ReferenceCount.","The tracking file on device DeviceName is corrupt.","Failed to create the 
tracking file on device DeviceName with status Status.","Failed to write to the tracking file on device DeviceName with status Status.","The checksum for the tracking file on device DeviceName is incorrect. The tracking file has been reset.","The previous session did not finalize the tracking file on device DeviceName. The tracking file has been reset.","Failed to reopen an existing tracking file on device DeviceName with status ReferenceCount.","Received IRP_MN_SET_POWER with type of SystemPowerState and SystemState ReferenceCount for device DeviceName.","Received IRP_MN_SET_POWER with type of DevicePowerState and DeviceState ReferenceCount for device DeviceName.","Received IRP_MN_QUERY_POWER with type of SystemPowerState and SystemState ReferenceCount for device DeviceName.","Received IRP_MN_QUERY_POWER with type of DevicePowerState and DeviceState ReferenceCount for device DeviceName.","An error was encountered while processing the Ntfs system metadata on line SourceLine. Status Status.","The size of the $LogFile on device DeviceName is Size bytes with Fragments fragments.","Failed to read the $LogFile metadata for device DeviceName.","Failed to read Length bytes from device DeviceName with status Status.","MappingPairsLength=Length.","CurrentLcn=CurrentLcn, CurrentVcn=CurrentVcn, LcnBytes=LcnBytes, VcnBytes=VcnBytes.","Detected Windows Sandbox Virtual Disk (DeviceName). Tracking will not be available on this device.","Detected Windows Xvdd Virtual Disk (DeviceName). Tracking will not be available on this device.","Detected ReFS version MajorVersion.MinorVersion boot sector sector on device DeviceName.","Found ReFS SuperBlock on device DeviceName.","Blocked PacketDirection connection. Rule Id: RuleId Rule Name: RuleName PID: ProcessId Remote Address: RemoteAddress:Port, FQDN: Fqdn.","Windows Agent is starting in AgentMode mode. 
Agent version ProductVersion, running on Windows WindowsVersion.","Policy was changed in the Console.","Policy was changed with override commands.","Failed to register with management because it no longer exists. Not retrying.","Failed to register with management: Reason (ErrorCode). Retrying in RetrySeconds seconds.","Threat remediation: Failed to delete file FilePath because it was already deleted.","Threat remediation: Failed to delete file FilePath.","Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath because the file was deleted.","Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath because the file's parent directory does not exist.","Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath because the destination path already exists.","Threat remediation: Failed to rename file SourceFilePath to DestinationFilePath.","Threat remediation: Failed to restore file FilePath to timestamp DesiredTimestamp because no snapshots were found up to the desired period.","Threat remediation: Failed to restore file FilePath to timestamp DesiredTimestamp because it is being used by another process.","Threat remediation: Failed to restore file FilePath to timestamp DesiredTimestamp because access was denied.","Threat remediation: Failed to restore registry value (key: RegistryKeyPath, value: Value) because it does not exist.","Threat mitigation: Failed to kill malicious processes because the true context does not exist.","Threat mitigation completion after reboot requested another reboot.","Threat mitigation: Not killing process ProcessName (Path: ProcessPath, Process ID: ProcessID) due to relation Relation.","Threat mitigation: Cannot kill process ProcessName (Path: ProcessPath, Process ID: ProcessID) because it is a core OS process.","Threat mitigation: Cannot kill process ProcessName (Path: ProcessPath, Process ID: ProcessID) because it is signed by SentinelOne.","Threat mitigation: Cannot kill 
process ProcessName (Path: ProcessPath, Process ID: ProcessID) due to an unknown error.","Threat mitigation: Cannot kill threads of process ProcessName (Path: ProcessPath, Process ID: ProcessID) due to an unknown error.","Threat mitigation: Failed to quarantine file FilePath because the file is remote.","Threat mitigation: Failed to quarantine file FilePath because the file belongs to a core OS process.","Threat mitigation: Failed to scramble file FilePath.","Threat mitigation: skipping quarantine of file FilePath because the file was already quarantined by another threat mitigation.","Threat mitigation: Failed to quarantine file FilePath because the file does not exist.","Threat mitigation: A reboot is required to complete the quarantine of file FilePath.","Threat mitigation: Failed to quarantine a file.","Network quarantine failed.","Malware detected!","Mitigation report.","Failed to unquarantine file FilePath because the file cannot be found.","Unquarantine: Failed to restore file times for FilePath.","Failed to unquarantine files affected by threat of True Context ID TrueContextID.","Network unquarantine failed.","Policy not changed. Verification key not provided. Get the Agent passphrase and enter it with the -k flag.","Policy not changed. The provided verification key is incorrect.","Policy not changed. A parameter cannot be both set and undefined.","Policy not changed. Parameter was not provided.","Policy not changed. The value Value is not valid for Parameter: invalid URL.","Policy not changed. The value Value is not valid. Remove the slash from the end of the URL.","Policy not changed. The provided proxy credentials are invalid.","Policy not changed. Failed to write value Parameter for UI Language due to error: Value.","Policy not changed. Invalid UI configuration property Parameter.","Policy not changed. Invalid engine status Value.","Policy not changed. Invalid parameter Parameter: Error.","Policy not changed.","Policy not changed. 
Cannot undefine parameter Parameter.","Cannot scan Path because the path does not exist.","Cannot scan Path because it is not a folder.","Scan not started because a previous scan is still in progress.","Cannot scan because Sentinel Agent is not running. Load the Agent and try again.","Scan aborted.","Full Disk Scan started.","Scan of Path started.","Scan completed successfully.","Failed to execute command Command.","Remote Shell: Error.","Agent Upgrade: BITS job created for downloading the new Agent.","Agent Upgrade: BITS download job complete. Executing installation.","Agent Upgrade: BITS download job failed.","Agent Upgrade: BITS download job failed. Falling back to the classic downloader.","Agent Upgrade: BITS is unavailable. Falling back to the classic downloader.","Agent handled the creation of process Name (PID: PID).","DB pruning Result.","Customer ID: customerID.","Mark as Status on True Context ID TrueContextID received from Deep Visibility.","Failed to Mark True Context ID TrueContextID as Status.","Failed to Mark as Status: True Context ID TrueContextID.","True Context ID TrueContextID was changed from suspicious to threat.","Failed to Mark as Status: True Context ID TrueContextID.","Failed to Mark as Suspicious True Context ID TrueContextID.","Failed to Mark as Status True Context ID TrueContextID.","Agent handled the termination of process Name (PID: PID).","Agent encountered invalid pattern: Pattern.","USB device DeviceName was Action based on SentinelOne Device Control policy.","Bluetooth device DeviceName was Action based on SentinelOne Device Control policy.","Interface device DeviceName was Action based on SentinelOne Device Control policy.","The agent encountered an error that is usually ignored, but shouldn't be ignored in automation: Message.","Scan ended.","BlueKeep exploitation attempt detected from: IP.","Resizing the VSS diff area on VolumeName was blocked.","Unable to handle configuration change, dropping the configuration.","UI storage 
reached maximum allowed file size.","UI storage read error ErrorCode \"ErrorMessage\".","UI storage write error ErrorCode \"ErrorMessage\".","UI storage is corrupted and will be deleted.","Error deleting corrupted UI storage.","Remote script orchestrator: script ScriptName execution completed. Start time: StartTime, duration: Duration milliseconds, exit status: ExitCode.","File FilePath was detected as a malicious driver when attempting to load it (Malicious Driver Type: MaliciousDriverType).","SentinelCTL command of type \"CommandType\" was executed - result was: Result.","Anti-tampering was activated.","Anti-tampering was deactivated.","Agent upgrade was initiated. (OldVersion -> NewVersion).","Windows Agent is shutting down.","Sentinel process has crashed. Dump file path: \"DumpPath\".","Dump file was deleted, as dump limit of DumpFileLimit was reached. Dump file path: \"DumpPath\".","The agent has successfully connected to the SentinelOne console (ConsoleURL).","The agent received a \"CommandType\" command from console.","Entering disable mode by command.","Exiting disable 
mode.",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"f":[[[0,0],[1,1],[2,2],[3,3],[4,4],[5,5],[6,6],[7,7],[8,8],[9,9],[10,10],[11,11],[12,12],[13,13],[14,14],[15,15],[16,16],[17,17],[18,18],[19,19],[20,20],[21,21],[22,22],[23,23],[24,24],[25,25],[26,26],[27,27]],[[28,0],[29,1],[30,2],[31,3],[28,28],[29,29],[30,30],[32,31],[33,32],[34,33],[35,34],[36,9],[37,10],[38,11],[39,13],[40,14],[41,15],[42,35],[43,36],[44,18],[45,19]],[[28,37],[29,38],[30,39],[31,40],[46,41],[47,42],[48,43],[49,44],[50,45],[51,46],[52,47],[53,48],[54,49],[55,50]],[[28,37],[29,38],[30,39],[31,40],[56,51],[57,52]],[[28,37],[29,38],[30,39],[31,40],[56,51],[58,53]],[[0,37],[1,38],[2,39],[3,40],[59,54],[60,55],[61,56],[62,57],63,64],[[65,58],[66,59],[5,60],[6,61],[67,62],[0,37],[1,38],[2,39],[3,40],[68,63]],[69,[5,64],[6,65],[67,66],[0,37],[1,38],[2,39],[3,40],[68,63],[70,67],[71,68],[72,69],[73,70],[74,71],[75,72],[76,73],[77,74],[78,
75],[79,76],[80,77],[81,78],[82,79],[83,80],[84,81],[85,82],[86,83],[87,84]],[[88,85],[89,86],[6,65],[67,66],[0,37],[1,38],[2,39],[3,40],[68,63]],[[90,87],[91,88],[0,89],[1,90],[2,91],[3,92],[92,93],[93,94],[94,95],[95,96],[96,97],[97,98],[98,99],[99,100],[100,101]],[[90,87],[91,88],[0,89],[1,90],[2,91],[3,92],[92,93],[93,94],[94,95],[95,96],[96,97]],[[101,102],[102,103],[103,104],[16,105],[104,106],[105,107],[106,108],[107,109],[108,110],[109,111],[110,112],[111,113],[112,114],[113,115],[114,116],[115,117]],[[101,102],[102,103],[116,118],[117,119],[118,120],[119,121],[120,122],[121,123],[122,124],[123,125],[124,126],[125,127],[126,128],[127,129]],[[128,37],[129,38],[130,130],[131,40],132,133],[[134,131],[135,132],[136,133],[137,134],[138,135]],[[0,136],[1,137],[2,138],[3,139],[139,140],[140,141],[141,142],[16,143],[142,144],[4,145],[5,146],[6,147],[7,148],[143,149],[144,150]],[[28,37],[29,38],[30,39],[31,40],[56,51],[57,52]],[[65,58],[66,59],[5,60],[6,61],[67,62],[0,37],[1,38],[2,39],[3,40],[68,63]],[29,[30,151],[28,152],[28,153],[29,37],[30,38],[31,39],[145,40],[146,63],[147,67],[148,68],[149,69],[150,70],[151,71],[152,72],[153,73],[154,74],[155,75],[156,76],[81,77],[157,78],[158,79],[159,80],[160,81],[161,82],[162,83],[163,84],[164,154]],[[0,89],[1,90],[2,91],[3,92],[165,155],[18,156],[19,157],[166,158],[167,159],[168,160],[169,161],[170,162],171],[[101,102],[102,103],[103,163],[16,164],[104,165],[106,166],[107,167],[108,168],[109,169],[110,170],[142,171],[172,172],[115,173],[12,174],[173,175],[174,176],[175,177],[111,178],[176,179],[177,180],[178,181],[179,182],[180,183]],[[101,102],[102,103],181,[117,184],[182,185],[118,186],183,[120,122],[121,123],[184,187],[185,188],[126,189],[127,129]],[[101,102],[186,190],[102,103],[103,191],[16,192],[187,193],[104,194],[115,195]],[[0,37],[1,38],[2,39],[3,40],[12,196],[5,197],[6,198],[188,199],[189,200],[190,201],[16,16],[17,17],[18,202],[19,203]],[[28,37],[29,38],[30,39],[31,40],[46,41],[47,42],[48,43],[50,45],[191,204],[5
1,205],[52,206],192,[193,207],[194,208],[195,16]],[[0,37],[1,38],[2,39],[3,40],[196,41],[165,42],[197,43],[198,45],[170,205],[169,209],[16,16],[17,17],[199,210]],[[29,211],[30,212],[28,213],[28,37],[29,38],[30,39],[31,40],146,[147,214],[148,215],[149,216],[150,217],[151,218],[152,219],[153,220],[154,221],[155,222],[156,223],[81,224],[157,225],[158,226],[159,227],[160,228],[161,229],[162,230],[163,231],[164,232]],[[29,233],[200,234],[201,235],[202,236],[203,237],[204,238],[205,239],[206,240],[207,241],[208,242],[209,243],[210,244],[211,245],[212,246]],[[29,233],[30,247],[202,248],[203,237],[204,238],[206,240],[208,242],[209,243],[213,249],[214,250],[39,251]],[[29,233],[28,252],[202,236],[204,253],[213,249],[207,241],[208,242],[209,243],[210,244],[211,245],[212,246]],[[215,254],[5,255],[216,256],[32,257]],[[0,89],[1,90],[2,91],[3,92],[165,155],[18,156],[19,157],[166,158],[167,159],[169,161],[170,162]],[[101,102],[186,258],[102,103],[217,259],[115,260],[218,261],[219,262]],[[220,263],[221,264],222,223,224],[[0,37],[1,38],[2,39],[3,40],[68,265]],[[0,37],[1,38],[2,39],[3,40],[196,41],[165,42],[197,43],[198,266],[169,267],[68,268],[16,16],[17,17]],[[0,37],[1,38],[2,39],[3,40],[67,64],[68,269]],[[29,58],[28,59],[29,270],[30,271],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63]],[[101,102],[102,103],[103,272],[16,273],[104,274],[225,275],[115,276]],[[101,102],[102,103],[103,277],[16,278],[104,279],[226,280],[227,281],[228,113],[229,282],115],[230,231,[138,283],232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252],[129,130,253,254,132,133],[[0,37],[1,38],[2,39],[3,40],[220,236],[255,284],[222,285],[256,286],[257,287],64,63,177],[[0,37],[1,38],[2,39],[3,40],[4,66],[5,64],[6,65],[7,288],[17,17],[16,16],[258,289],[259,290]],[[5,291],[6,292],[67,293],[0,37],[1,38],[2,39],[3,40],[68,294],[70,214],[71,215],[72,216],[73,217],[74,218],[75,219],[76,220],[77,221],[78,222],[79,223],[80,224],[81,295],[82,226],[83,227],[84,228],[85,229],[86,230],[87,231]],[
[5,296],[6,297],[67,298],[0,89],[1,90],[2,91],[3,92],[68,294],[260,299],[261,300],[28,301],[29,38],[30,39],[31,40],[145,63]],[[29,302],[30,303],[28,304],[28,37],[29,38],[30,39],[31,40],[145,63]],[[262,305],[263,306],[264,307],[265,156],[266,157],[267,308],[268,309],[269,310],[270,311],[271,312],[272,313],[273,314],[274,315],[275,316],[276,317],[277,318],[278,319],[279,320],[280,321]],[[101,102],[102,103],[103,322],[16,323],[104,324],[115,325],[269,326],[281,327],[282,328],[283,329],[284,330],[266,331],[285,332],[286,333],[287,334],[288,335],[289,336],[290,337]],[[101,102],[102,103],[103,338],[16,339],[104,340],[226,280],[227,341],[115,342]],[[101,102],[186,343],[102,103],[103,344],[16,345],[104,346],[291,347],[115,348]],[[101,102],[186,349],[102,103],[103,350],[16,351],[104,352],[291,347],[292,353],[115,354]],[[101,102],[186,355],[102,103],[103,356],[16,357],[187,358],[104,359],[115,360]],[[101,102],[186,258],[102,103],[217,361],[115,362],[293,363],[294,364],[295,365]],[[101,102],[102,103],[103,366],[16,367],[296,368],[297,369],[298,370],[104,371],[115,372]],[[101,102],[102,103],[103,373],[16,374],[115,375],[104,376],[226,377],[111,378],[299,379],[300,380]],[[101,102],[102,103],[103,373],[16,374],[115,375],[104,376],[226,377],[111,378],[299,379]],[[138,381]],[[0,37],[1,38],[2,39],[3,40],[9,382]],[[0,37],[1,38],[2,39],[3,40],[197,43],[301,383],[198,45],[100,384],[302,385],[303,386],[304,387],[305,388],[16,16],[17,17]],[[28,37],[29,38],[30,39],[31,40],[46,41],[47,42],[48,43],[50,45],[191,204],[51,205],[52,206],192,[53,207],[193,389],[194,208],[195,16]],[[5,64],[6,65],[67,66],[0,37],[1,38],[2,39],[3,40]],[[29,58],[28,59],[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63]],[[29,390],[28,391],[29,64],[30,65],[28,66],[28,37],[29,38],[30,39],[31,40],[145,63],[306,392]],[[28,37],[29,38],[30,39],[31,40],[307,393],[308,394]],[[262,305],[263,306],[264,307],[265,156],[266,157],[267,308],[268,309],[269,310],[272,313],[273,314],[274,315],[275,316],[276,317]],[[101
,102],[102,103],[103,395],[16,396],[104,397],[226,398],[227,399],[309,400],[115,401]],[[101,102],[102,103],[105,402],[111,178],[112,403],[113,115],[114,116]],[[102,103],[310,404],[311,405]],[[0,0],[1,1],[2,2],[3,3],[4,4],[5,5],[6,6],[7,7],[8,34],[312,406],[313,407],[314,408]],[[0,37],[1,38],[2,39],[3,40],[196,41],[165,42],[197,43],[198,45],[315,409],[316,410],[16,411],[17,412]],[[0,37],[1,38],[2,39],[3,40],[196,413],[317,414],[68,415],[16,411],[17,412]],[[0,89],[1,90],[2,91],[3,92],[318,416],[319,417],[320,418],[321,419],[28,37],[29,38],[30,39],[31,40],[322,420],[323,421],[324,422],[308,423]],[[16,305],[263,306],[264,307],[265,156],[266,157],[267,308],[268,309],[269,310],[271,312],[272,313],[273,314],[274,315]],[[0,89],[1,90],[2,91],[3,92],325,294,326,[327,424],328,329,63],[230,231,[138,283],330,232,233,234,235,236,237,238,239,240,241,242,243,244,331,332,333,334,335,245,246,247,248,249,250,251,252],[[4,37],[5,38],[6,39],[7,40],[8,425]],[[4,37],[5,38],[6,39],[7,40]],[[28,37],[29,38],[30,39],[31,40],[46,41],[50,45],[194,16],[195,17]],[[0,89],[1,90],[2,91],[3,92],[336,426],[337,427],[64,428],[63,429],[177,430],[338,431],339,[28,37],[29,38],[30,39],[31,40],[56,51],[57,52]],[340,[341,432],[342,433],343,344,[345,434],[346,435],[347,436],348,349,350],[[0,37],[1,38],[2,39],[3,40],[351,437],[352,438],[16,411],[17,412]],[28,29,30,31,[353,437],[354,438],[194,411],[195,412]],[[355,439],[356,440],[101,441]],[[357,442],[358,443],[359,444],[360,445],[361,446],[362,447],[363,448],[273,449],[364,450],[365,451],[366,452],[367,453],[368,454],[369,455]],[[16,456],[370,89],[371,90],[357,442],[358,443],[372,457],[359,444],[360,445],[361,446],[362,447],[363,448],[273,449],[364,450],[365,458],[366,452],[367,453],[368,459],[369,460]],[[16,456],[370,89],[371,90],[357,461],[358,462],[372,457],[373,463],[374,464],[375,465]],[[102,103],[376,466],[377,467],[378,468]],[[101,102],[186,258],[102,103],[217,469],[115,470],[379,471],[293,472],[380,473]],[[356,474],[101,475],381,[382,476],[220,477],[26
4,478],269,383,384,[367,479],[385,480],386,387,388,389,390,391,[392,481],393,394,[395,482],[396,483],[397,484],378,398,399],[[356,485],[101,475],[396,486],[397,487]],[[356,485],[101,475],[396,486],[397,487],330],[[356,474],[101,475],381,[382,476],[220,477],[264,478],269,383,384,[367,479],[385,480],386,387,388,389,390,391,[392,481],393,394,[395,482],[396,483],[397,484],378,398,399,330],[[400,488],401],[[4,489],[5,490],[6,491],[7,492],[188,493],[402,494],313,[403,495]],[[404,496],405,[406,497],407,408,64],[[409,498],410,411],[[0,37],[1,38],[2,39],[3,40],[412,499],[413,500],[16,16],[17,501]],[[0,89],[1,90],[2,91],[3,92],[336,426],[337,427],[64,428],[63,429],[177,430],[338,431],339,[28,37],[29,38],[30,39],[31,40],[56,51],[57,52]],[[414,502],[415,503],[28,37],[29,38],[30,39],[31,40],[416,504],[417,505],[418,506],[419,507]],[[5,64],[6,65],[67,66],[0,37],[1,38],[2,39],[3,40]],[[29,64],[30,65],[28,66],[28,37],[29,38],[30,39],[31,40]],[[5,64],[6,65],[67,66],[0,37],[1,38],[2,39],[3,40]],[[29,64],[30,65],[28,66],[28,37],[29,38],[30,39],[31,40]],[[5,508],[6,509],[67,510],[0,37],[1,38],[2,39],[3,40],[68,63],[70,214],[86,230]],[[5,508],[6,509],[67,510],[0,37],[1,38],[2,39],[3,40],[68,63],[70,214],[86,230]],[[29,58],[28,59],[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63]],[[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[260,60],[261,61],[28,62],[29,38],[30,39],[31,40],[145,63]],[[5,60],[6,61],[67,62],[0,37],[1,38],[2,39],[3,40],[68,63],[70,67],[86,83]],[[5,60],[6,61],[67,62],[0,37],[1,38],[2,39],[3,40],[68,63],[70,67],[86,83]],[[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[70,514],[86,515],[260,60],[261,61],[28,62],[29,38],[30,39],[31,40],[145,63],[146,214],[161,230]],[[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[70,514],[86,515],[260,60],[261,61],[28,62],[29,38],[30,39],[31,40],[145,63],[146,214],[161,230]],[[420,516],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[421,517],[260,60],[261,61],[28,6
2],[29,38],[30,39],[31,40],[145,63]],[[5,518],[6,519],[67,520],[0,89],[1,90],[2,91],[3,92],[68,294],[29,64],[30,65],[28,66],[31,40],[145,63]],[[5,521],[6,522],[67,523],[0,37],[1,38],[2,39],[3,40],[422,16],[423,17]],[[4,89],[5,90],[6,91],[7,92],[424,524],[28,37],[29,38],[30,39],[31,40],[425,525]],[[426,526],[427,527],[31,40],[208,528]],[[428,529],[429,530],[430,531],431,432,433,434,435,436,437,438,439,440],[[428,529],[429,530],[430,531],[441,532],[442,533],[432,534],431,443,433,434,444,438,439,440],[[90,87],[91,88],[0,89],[1,90],[2,91],[3,92],[92,93],[93,94],[94,95],[95,96],[96,97],[445,535]],[[0,89],[1,90],[2,91],[3,92],446,447,448,449,450,391,328,329,63],[[0,89],[1,90],[2,91],[3,92],[451,536],[452,537],[453,538],[454,539],[455,540],[456,541],[457,542]],[[101,102],[102,103],[103,543],[16,544],[104,545],[115,546]],[[458,547]],[[28,37],[29,38],[30,39],[31,40],[46,41],[50,45],[194,16],[195,17],[191,548]],[[5,549],[6,550],[67,551],[0,89],[1,90],[2,91],[3,92],[29,552],[459,553],[28,554],[30,39],[31,40]],[[355,439],[356,555],[101,556]],[[355,439],[356,557],[101,558]],[[0,89],[1,90],[2,91],[3,92],[12,559],[4,560],[5,561],[6,562],[7,563],[188,564],[403,565]],[[16,305],[263,306],[265,156],[266,157],[269,310],[272,313],[273,314],[274,315]],[[16,305],[263,306],[265,156],[266,157],[269,310],[272,313],[273,314],[274,315]],[[186,566],[102,103],[103,567],[16,568],[104,569],[291,347],[460,570],101,115],[461,462,463,464],[465],[[466,571]],[[28,37],[29,38],[30,39],[31,40],[29,572],[30,573],[467,574],[36,575],[37,576],[38,577],[39,578],[194,16],[195,17],[0,89],[1,90],[2,91],[3,92],[5,579],[6,580],[468,581],[9,582],[469,583],[11,584],[13,585],[16,456],[17,586]],[[0,37],[1,38],[2,39],[3,40],[470,587],[318,588],[471,589],[472,590],[321,423]],[[0,37],[1,38],[2,39],[3,40],[470,587],[318,588],[471,589],[472,590],[321,423]],[[473,591],[474,592],[475,593],[0,37],[1,38],[2,39],[3,40],[68,63],[476,594],[477,595],[478,596],[479,597],[480,598],[481,599],[482,600],[483,601],[484,602],[485,603],[48
6,604],[487,605],[488,606]],[[29,64],[29,64],[30,65],[28,66],[29,607],[30,608],[31,609],[145,63],[489,518],[5,518],[6,519],[67,520],[1,610],[2,611],[3,612],[68,294]],[[29,38],[30,39],[31,40],[490,613],[491,614],[208,528]],[[0,37],[1,38],[2,39],[3,40],[196,41],[165,42],[197,43],[198,45],[315,615],[316,616],[16,16],[17,17]],[[355,617],[492,618],[493,619]],[494],[[0,89],[1,90],[2,91],[3,92],[166,158],[167,159]],[[0,89],[1,90],[2,91],[3,92],[495,620],329,63],[[0,89],[1,90],[2,91],[3,92],[451,536],[452,537],[453,538],[454,539],[496,621],[456,541],[457,542]],[101,102,103,16,115,104,226,111],[497,498,499],[500,501,502,503,504,505,506],[507,508,509,510],[511,512,513],[[0,37],[1,38],[2,39],[3,40],[32,622],[16,16],[17,17]],[[5,518],[6,519],[67,520],[0,89],[1,90],[2,91],[3,92],[29,64],[30,65],[28,66],[31,40]],[[5,623],[6,624],[220,625],[514,626],[515,627],[516,628],[18,629],[19,630],[29,233],[30,247],[202,236],[203,237],[204,238],[206,240],[208,242],[209,243],517,518],[[5,60],[6,61],[67,62],[0,37],[1,38],[2,39],[3,40],[422,16],[423,17]],[[519,631],[520,632]],[101,102,103,16,104,294,115],[[521,633],[522,634],[523,635]],[[524,636]],[[524,637]],[[294,638],[525,639]],[215,[526,640],294,527,528],[[215,641],[526,640],527,528],[[215,642],[526,643],527,528],[[524,644]],[[215,645],527],[[215,645],527],[[215,646],527,294],[529,[525,647]],[530,[531,648]],[[524,649]],[532,533,534,535,536,[537,650]],[532,533,534,535,536,[537,650]],[538,539,540,541,542,543,544,545,[546,651]],[115,217,547,[531,652],548],[[549,653],531],[115,550,[551,654]],[115,550,[551,654]],[547,[531,655]],[[548,656],552,553,554,555],[[220,657],[330,658]],[[370,659],556],[[557,660],558],[[330,661]],[215,[559,662],330],[330,[560,663],561],[330,[560,664],561],[330,[560,663],561],[[562,665],231,330,232,233,244,250],[563,564,[330,666]],[230,231,[138,283],232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252],[565,[566,667]],[231,[391,668],567,244],[[567,669],568,244],[[567,670]],[231,[569,671],570]
,[215,[330,672]],[[571,673],[330,674]],[[370,659]],[[557,660],572],[370,573,[330,675]],[[548,676],458],[230,231,[138,283],330,232,233,234,235,236,237,238,239,240,241,242,243,244,331,332,333,334,335,245,246,247,248,249,250,251,252],[[574,677],575,576,577,578,579,580,581,582,583,584],[[585,678],[330,679]],[[586,680]],[115,[404,496],405,[406,497],587,588,589],[[115,681],404,405,406,587,408,64],[405,406,[590,682],[591,683]],[[330,684]],[115,404,405,406,587,592,593,408,64],[[524,685]],[[524,686]],[[524,687]],[594,595,596,597,598,599,32],[321,[32,257]],[[600,688],[601,689]],[[600,688],602,603],[[604,690],371,370],[[358,691],32,[17,692]],[[358,691],[605,693],[32,692],17],[[358,691],[605,693],[606,694],[391,695],[32,692],17],[358,[607,696],391,605,608,17,16,[609,697],526,610,[32,698]],[358,391,611,605,608,17,16,[609,697],526,610,[32,698]],[[612,699],[613,700],614,[615,701],[616,702],617,618,[619,703]],[[293,704],620],[511,512],0,[[621,705],[622,706],623,624,625,626,627,628],[[621,705],[622,707],623,624,625,626,627,628],[[621,705],[622,706],623,624,625,626,627,628],[[621,705],[622,707],623,624,625,626,627,628],[[621,705],622,623,624,625,626,627,628],[[629,708],[630,709]],[[631,710],[632,711]],[[633,712],[634,713],[629,714],[635,715]],[[636,716],[637,717]],[[636,718],637],[638,[639,719]],[[640,720],330],[641,642,643,644,629,[645,721]],[641,642,643,644,629,[645,721]],[[646,722]],[647,[648,723],649,531],[650,[330,724],651],[652,653,[654,725]],[[32,726]],[[655,720],32],[[656,727],657,658,659,660],[[657,728],661],[662,[32,729]],[32,663,[664,730]],[[32,731],663,[664,730]],[[665,732]],[[666,733],[667,734],[668,735],[669,736],[670,737],[671,738],[672,739],[673,740],[674,741],[675,742],[676,743],[677,744],[678,745],[679,746],[680,747],[681,748],[682,749],[683,750]],[[665,751],[666,752],[672,753],[684,754],[685,755],[686,756],[687,757],[688,758],[689,759],[690,760],[691,761],[692,762],[693,763],[694,764],[695,765],[696,766],[697,767],[698,768],[699,769],[700,770],[701,771],[702,772],[
703,773],[704,774],[705,775],[706,776],[707,777],[708,778],[709,779],[710,780],[711,781],[712,782],[713,783],[714,784],[715,785],[716,786],[717,787]],[[665,788],[666,789],718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789],[[665,790],[666,791],790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837],[[838,792]],[839,494,[330,793],840],[413,841,[842,794],[843,795],17,262,[844,796],[845,797],[846,798],[847,799]],[[848,800],[849,801],[850,802],[851,803]],[852,853,854,[548,804]],[855,856,857,858,859,860,861,862,863,864,865,866,32,[867,805]],[855,856,857,858,859,860,861,862,863,864,865,866,32,[867,805]],[855,856,857,[220,806],868,869,870,32],[855,856,857,[220,806],868,869,870,[32,807]],[855,871,[872,808]],[855,[873,809]],[609,855,[856,810],874],[609,855,[856,810],[874,811]],[[875,812],[876,813],[877,800]],[[376,814],843],[878,879,880,[881,815],[882,816],[883,817],[884,818],[885,819],[886,820]],[856,[887,821],888,[889,822]],[890,891,[892,823],391],[893,[330,824]],[468,894,[330,825],895],[[466,826]],[[896,827]],[897,898,[899,828],900,[901,829],902],[897,[903,830]],[897,[903,831]],[897,[903,831]],[293,[107,832],904,294,376,905],[293,[107,832],904,294,376,905],[293,[107,832],904,294,376,905],[906,897,[905,833],[907,834],[908,835],909],[910,911,[912,836],913,914,915,890,916,917,[918,837],919,[920,838],921,[922,839],923,924,925,926,927,928,929,[930,840],931,932,933,934,935,936,[937,841],938,939,940,941,942,943,944,945,946,947,948],[910,911,[912,836],913,914,915,890,916,917,[918,837],919,[920,838],921,[922,839],923,924,925,926,927,[949,842],950,843,391],[910,[912,836],914,890,916,[918,837],[920,838],[922,839],92
4,925,927,[951,843],[952,844],[953,845],954,[955,846],956,957,[958,847],959,[960,848],961,962,963,964,965,966,967],[[852,849],853,[854,850],[938,851],[968,852],969,970,[971,853],[972,854],973,974,975,[976,855],977,[978,856],979,980,[981,857],982,[983,858],[984,859],985,[986,860],[987,861]],[[910,862],853,854,938,988,16,17,594,494,989,990,991,[992,863],[993,864],[994,865],995,[996,837],997,[916,838],917,[918,839],919,[920,866],[921,867],922,[923,868],924,925,926,927],[[910,862],853,854,938,916,917,[918,837],919,[920,838],921,[922,839],923,924,925,926,927,998,[999,869],[1000,870],[1001,871],[1002,872],1003,1004,1005,1006,1007,1008,1009],[[910,873],853,[854,874],[938,875],[916,876],917,[918,877],919,[920,878],921,[922,879],923,[924,880],[925,881],926,[927,882],1010,[1011,883],[1012,884],[1013,885],[1014,886],[1015,887],[1016,888],[1017,889],[1018,890]],[[910,891],853,[854,892],[1019,893],[1020,894],[1021,895],[1022,896],[1023,897],[1024,898],[1025,899],[1026,900],[1027,901],[1028,902],[1029,903],[1030,904],[1031,905],[1032,906],[1033,907],[1034,908],[1035,909],[1036,910],[1037,911],[1038,912],[1039,913],[1040,914],[1041,915],[1042,916],[1043,917],[1044,918],[1045,919],[1046,920],[1047,921],[1048,922],[1049,923],[1050,924],[1051,925],[1052,926],[1053,927],[1054,928],[1055,929],[1056,930],[1057,931],[1058,932],[1059,933],[1060,934],[1061,935],[1062,936],[1063,937],[1064,938],[1065,939],[1066,940],[1067,941],[1068,942],[1069,943],[1070,944],[1071,945],[1072,946],[1073,947],1074,[1075,948],[1076,949],[1077,950],[1078,951],[1079,952],[1080,953],[1081,954],[1082,955],[1083,956],[1084,957],[1085,958],[1086,959],[1087,960],[1088,961]],[[910,862],853,854,1089,1090,916,917,[918,837],919,[920,838],921,[922,839],923,924,925,926,927,[1091,962],[1092,963],1093,[1094,964],[1095,965],[1096,966]],[[910,967],853,[854,968],[938,969],[916,970],917,[918,971],919,[920,972],921,[922,973],923,[924,974],[925,975],926,[927,976],1010,[1011,977],1097,991,[992,978],1098,[1099,979],[1100,980],[1101
,981],1102,[1103,982],1104,[1105,983],1106,[1107,984],1108,1109,1110,1111,1112,1113,1114,1115,1116,1117,1118,1119,1120,1121,1122,1123,1124,1125,1126,1127,1128,1129,1130,1131,1132,1133,1134,1135,1136,1137,1138,1139,1140],[[910,985],853,[854,986],[938,987],[1141,988],[1142,989],[1143,990],[1144,991],[1145,992],[1146,993],1147,[1148,994],[1149,995],[1150,996],[1151,997],[1152,998],1153,1154,1155,1156,1157,1158,1159,1160,1161,1162,1163,1164,1165,1166,1167,1168,1169,1170,1171,1172,1173,1174,1175,1176,1177,1178,1179,1180,1181,1182,1183,1184,1185,1186,1187,1188,1189,1190,1191,1192,1193,1194,1195,1196,1197,1198,1199,1200,1201,1202,1203,1204,1205,1206,1207,1208,1209,1210,1211,1212,1213,1214,1215,1216,1217,1218,1219,[1220,999],1221,1222,1223,1224,1225,1226,1227,1228,1229],[910,911,[912,836],913,914,915,890,916,917,[918,837],919,[920,838],921,[922,839],923,924,925,926,927,928,16,17,[1230,800]],[910,911,[912,836],913,914,915,890,916,917,[918,837],919,[920,838],921,[922,839],923,924,925,926,927,928,16,17,[1230,800]],[[17,1000],[910,862],853,854,1231,1232,1233],[[17,1000],[910,862],853,854,1231,1234],[[137,1001],1235],[[137,1002],1235],[[511,1003],[512,1004]],[1236,17,1237,1238,1239,4,567,1240,1241,1242,1243,[1244,1005],1245],[1236,17,1237,1238,1239,4,567,1240,1241,1242,1243,[1244,1005],1245],[1246,[1247,1006]],[1246,[1247,1007]],[652,653,[654,725]],[[494,1008],893,1248,330],[[1249,1009]],[[1250,1010],1251],[[1252,1011],1253],[[548,1012]],[[1254,1013],1255,1256,1257,1258,[411,1014],1259],[[1254,1015],1255,1256,1257,1258,[411,1014],1259],[[1260,1016],[1261,1017],[1262,1018]],[[1254,1013],1255,1256,1257,1258,[411,1019],1259],[[1254,1015],1255,1256,1257,1258,[411,1019],1259],[[1263,1020],1264,330],[[231,1021],1264,1265,1266,330],[[1264,1022],330],[[1267,1023],[1268,1024],[1269,1025],[1270,1026],[1271,1027],[1272,1028],[1273,1029],[1274,1030],[1275,1031],[1276,1032],[1277,1033],[1278,1034],[1279,1035]],[1280,[330,1036],1281,843],[1282,[330,1036],1281],[[1283,1037],[1284,1038],[1285,1
039],[1286,1040],[1287,1041],1288],[330,1289,[1283,1042]],[[1290,1043]],[[1291,1044]],[[1292,1045]],[[1293,1046],1294,1295],[[1296,1047]],[[10,1048]],[[1297,1049]],[[1298,1050]],[[1299,1051],[1300,1052],[1301,1053],[1302,1054],[1303,1055],[1304,1056],[1305,1057],[1306,1058],[321,1059],[1307,1060],[376,1061],[1308,1062],[1309,1063],[1310,1064],[1311,1065],[1312,1066],[1313,1067],[1314,1068],[1315,1069],[1316,1070],[1317,1071],[1318,1072],[33,32],[1319,1073],[1320,1074],[1321,1075],[1322,1076],[1323,1077]],[[0,38],[1,38],[2,39],[3,40],[494,1078],[1324,1079],[1325,1080]],[[28,37],[29,38],[30,39],[31,40],[1326,1081],[1327,1082],[1328,1083],[1329,1084]],[[0,37],[1,38],[2,39],[3,40],[4,1085],[5,1086],[6,1087],[7,1088],[120,1089],[1330,1090],[16,16],[17,17]],[[28,37],[29,38],[30,39],[31,40],[29,64],[1331,1091]],[[0,89],[1,90],[2,91],[3,92],1332,[28,37],[29,38],[30,39],[31,40]],[[0,37],[1,38],[2,39],[3,40],[67,1092],[1333,1093]],[[0,37],[1,38],[2,39],[3,40],[67,1092],[1334,1094]],[[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[70,1095],[86,1096],[260,60],[261,61],[28,62],[29,38],[30,39],[31,40],[145,63],[146,67],[161,83]],[[65,1097],[66,1098],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[29,58],[28,59],[260,60],[261,61],[30,39],[31,40],[145,63],[1335,1099]],[[65,1097],[66,1098],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[29,58],[28,59],[260,60],[261,61],[30,39],[31,40],[145,63]],[[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[260,60],[261,61],[28,62],[29,38],[30,39],[31,40],[145,63]],[[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[70,1095],[86,1096],[260,60],[261,61],[28,62],[29,38],[30,39],[31,40],[145,63],[146,67],[161,83]],[[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[260,60],[261,61],[28,62],[29,38],[30,39],[31,40],[145,63]],[[29,38],[30,39],[31,40],[490,613],[491,614],[208,528]],[[0,37],[1,38],[2,39],[3,40],[216,393],[5,1100],[6,1101]],[[4,89],[5,90],[6,91],[7,92],[424
,524],[28,37],[29,38],[30,39],[31,40],[425,525]],[[0,37],[1,38],[2,39],[3,40],[1336,1102],[1337,1103],[1338,1104],[1339,1105],[1340,1106],[1341,1107],[1342,1108],[1343,1109],[1344,1110],[1345,1111],[1346,1112],[1347,1113]],[[1348,1114],[1349,1115],[1350,1116],[1351,1117],[391,1118],[1352,1119],[1353,1120],[1354,1121],[1355,1122],[28,37],[29,38],[30,39],[31,40]],[[428,529],0,1,2,3,431],[[428,529],0,1,2,3,431],[[1356,1123],[1357,1124],0,1,2,3,1358,843],[[1359,1125],[1360,1126],[1361,1127],0,1,2,3,1362,1363,1364],[[1365,1128],[1366,1129],[1367,1130],[1368,1131],[1369,1132],1370,1371,1372,1373,1374],[[428,529],[1375,1133],[1376,1134],[1377,1135],[1378,1136],0,1,2,3,431,293,294,391,524],[[428,529],[430,531],0,1,2,3,431],[[1379,1137],[1380,1138],[1381,1139],[1382,1140],1383,1384,1385,1386],[[1379,1137],[1380,1138],[1381,1139],[1382,1140],1383,1384,1385,1386],[[428,529],[429,530],[430,531],[441,532],[442,533],[432,534],431,443,438,439,440],[[428,529],[429,530],[430,531],[441,532],[442,533],[432,534],431,443,438,439,440],[[1387,1141],[1388,1142],[1389,1134],[1390,1143],0,1,2,3,1391,1392,294,466],[[1393,1144],[219,1145],[1394,1146],0,1,2,3,1395,1396],[[1397,1147],1398],[348,1399,1400,340,[341,432],[342,433],343,344,[345,434],[1401,1148],[1402,1149]],[[0,37],[1,38],[2,39],[3,40],[196,41],[165,42],[197,43],[198,45],[315,1150],[316,1151],[16,16],[17,17]],[1403,1404,1405,1406,[568,1152],308],[[1407,1153],[1408,1154],[1409,1155],[1410,1156],[1411,1157],[1412,1158],[1413,1159]],[[1414,1154],[356,1160],[101,1161]],[[1408,1162],[1415,1163],[356,1164],[101,1165]],[[1416,1166]],[[356,1167],[101,1168],[1417,1169]],[[0,89],[1,90],[2,91],[3,92],[1325,1170],[1418,1171],[1419,1172],[16,456],[17,586]],[[385,1173],[263,1174]],[[355,439],[1420,1175],[1421,1176]],[[355,439],[1420,1177],[1421,1178]],[[0,89],[1,90],[2,91],[3,92],[63,456],[1422,1179],[358,1180],[606,1181],[605,1182],[1423,1183],[1424,1184],[217,1185],[328,1186]],[[0,89],[1,90],[2,91],[3,92],[63,456],[1422,1179],[358,1180],[606,11
81],[605,1182],[1423,1183],[217,1187],[328,1188]],[[0,89],[1,90],[2,91],[3,92],[358,1180],[606,1181],[605,1182],[1423,1183],[217,1189],[328,1190]],[[1387,1191],[305,1192],0,1,2,3],[[1425,1192],0,1,2,3],[[0,89],[1,90],[2,91],[3,92],[165,1193],[166,158],[167,159],[1426,1194],[1427,1195],[1428,1196],[1429,1197],[1430,1198],[1431,1199],[1432,1200],[1433,1201]],[[0,89],[1,90],[2,91],[3,92],[166,158],[167,159]],[[0,89],[1,90],[2,91],[3,92],391,326,329,63],[[357,1202],[358,1203],[1434,1204]],[[357,1202],[358,1203],[373,1205],[374,1206],[375,1207]],[[357,1202],[358,1203],[1435,1208],[1436,1209],[1437,1210],[365,1211]],[[16,456],[370,89],[371,90],[357,442],[358,443],[372,457],[368,459],[369,460],[1438,1212],[1439,1213],[363,448],[273,449],[364,450]],[[16,456],[370,89],[371,90],[372,457],[357,442],[358,443],[1434,1214]],[[16,456],[370,89],[371,90],[357,461],[358,462],[372,457],[1435,1215],[1436,1216],[1437,1217],[365,458]],[[0,89],[1,90],[1440,91],[3,92],[1441,1218],[1442,1219],[1443,1220]],[[0,89],[1,90],[1440,91],[3,92],[1441,1218],[1442,1219],[1444,1221]],[[0,89],[1,90],[1440,91],[3,92],[1441,1218],[1442,1219],[1444,1221]],[[0,89],[1,90],[2,91],[3,92],[451,536],[452,537],[453,538],[454,539],[496,621],[456,541],[457,542]],[[0,89],[1,90],[2,91],[3,92],[451,536],[452,537],[453,538],[454,539],[496,621],[456,541],[457,542]],[[0,89],[1,90],[2,91],[3,92],[451,536],[452,537],[453,538],[454,539],[496,621],[456,541],[457,542]],[1445,1446,1447,1448,16,1449,1450,1451,1452,1453,1454,1455,1456,1457,1458,1459],[1460,1246,1461,[1462,1222]],[1463,1464,1465,1466,1467,[1468,1223],1469,1470],[1471,525,1472,[1473,1224]],[1474,1475,1476,1477,1478,[1479,1225]],[1480,1481,1482,[1483,1226]],[[1484,1227]],[1485,1486,1487,1488],[461,462,1489,1490,1491,1492,1493,1494,1495,1496,1497,1498,1499,1500,1501,376,1502,1503,652,1504,1505,138,1506,1507,1508,1509,1510,1511,1512,1513,1514,1515,1516,1517,1518,1519,1520,1521,1522,1523,1524,1525],[461,462,1489,1490,1491,1492,1493,1494,1495,1496,1497,1498,1499,1500,
1501,376,1502,1503,652,1504,1505,138,1506,1507,1508,1509,1510,1511,1512,1513,1514,1515,1516,1517,1518,1519,1520,1521,1522,1523,1524,1525],[492,1526,493,1527,381,396,397],[385,492,1526,493,1528,381,396,397],[[356,1228],[101,475],381,[382,476],[220,477],[264,478],269,383,384,[367,479],[385,480],386,387,388,389,390,391,[392,481],393,394,[395,482],[396,1229],[397,1230],378,398,399],0,[1529,396,397,330],[[356,1228],[101,475],381,[382,476],[220,477],[264,478],269,383,384,[367,479],[385,480],386,387,388,389,390,391,[392,481],393,394,[395,482],[396,1229],[397,1230],378,398,399,330],[385,492,1526,493,1528,381,396,397,330],[492,1526,493,1527,381,396,397,330],[356,101,381,382,220,264,269,383,384,367,385,386,387,388,389,390,391,392,393,394,395,396,397,378,398,399,1530,330],[[356,485],[101,475],[396,486],[397,487],330],[[356,474],[101,475],381,[382,476],[220,477],[264,478],269,383,384,[367,479],[385,480],386,387,388,389,390,391,[392,481],393,394,[395,482],[396,483],[397,484],378,398,399,330],[1472,1531,1532,1533,1534],[1535,1536,1537,1538,1539,1540,1541,513],[1542,1543,1544,1543,1545,1546,1547,1548,1549],[524],[524],[524],[524],[1535,513],[262,215,1459,1550,401],[230,138,391,1551,244,250],[1552,1553,1554,[1555,1231],1556],[1557],[1558,1559],[1560,1561,1562,1563,1564],[1565],[293,524,513],[511,512],[401,553,[1516,720],549,1566,1257,920],[401,553,[1516,720],549,1566,1257,920],[401,553,[1516,720],549,1566,1257,920],[1567,1568,1569,1570],[1571,1572,898,1573,[1574,1232],1575],[1576,890,1577],[1578,17,1579,1580,1581,1582,1583,1584,1585,1586,1587,1588],[[409,498],410,411],[[409,498],410,411],[1589,330,909],[[1590,1233],[1591,1234]],[[260,508],[261,509],[28,510],[28,37],[29,38],[30,39],[31,40],[145,63],[146,214],[161,230],[5,1235],[6,1236],[67,1237],[0,89],[1,90],[2,91],[3,92],[68,294],[70,514],[86,515]],[[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[146,214],[161,230],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[70,514],[86,515]],[[29,270],[30,27
1],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[146,214],[161,230],[5,1238],[6,1239],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[70,514],[86,515]],[[29,270],[30,271],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[146,214],[161,230],[5,1238],[6,1239],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[70,514],[86,515]],[[511,1240]],[[0,89],[1,90],[2,91],[3,92],[451,536],[452,537],[453,538],[454,539],[496,621],[456,541],[457,542]],[293,1592,391],[101,102,103,16,115,104,226,111],[101,102,103,16,115,104,226,111,299],[102,1243,107],[293,336,138,262,1593],[293,336,371],[293,336,1594,1595,1596],[293,336,1595,1594,1597,1596],[461,462,1598,1491,1492,1505,1515,427,115,1599,1600,1601],[461,462],[461,462,1602,466,1600,1601,1603],[524,513],[524],[524],[1535,1536,1537,1538,1539,1540,1541,513],[524,513],[1535,513,524],[524],[1604],[1605],[511,512,1606,1607],[1608],[293,466,1609],[1600,1601,1491,1243,1610,115,138,17,1611,1612,1613,1614,1615,1616,1617],[1618,1619],[1535,1536,1537,513],[1535,1536,1537,513],[511,512,513],[511,512,513],[511,512,1606,1607],[1620,1621,16,1622,1623,1624,1625,231,1626,1627],[548,1628,1629,330,1630,[32,1241]],[1631,1632,1633,1634,1635,1636,1637,1638,1639,588,1640,1641,589,1642,1643,1644,1645],[1646,1647,[1634,1242],1648,1649],[[100,1243],358,605,1423,606,32,17,[1650,691],[1651,693],[1652,1244],[1653,694],[1654,692]],[1573,1655,[1656,1245],1657],[1658,1659,1660,1661],[1662,1663,1664,1665,1666,1667,1668,1669,1670,1660,1661,1671,1672,1673,1674,1675,1676,32],[1662,1663,1664,1665,1666,1667,1668,1669,1670,1660,1661,1671,1672,1673,1674,1675,1676,32],[1677,1678,1679,1680,1681,1682,1683,1684,1685],[371,474,216,1578,17,8,1686,1582,115,427,1687,1688,1689,1690],[1459,[1691,1246],262,1692,1693,32,1694,391,1695,1696,[17,1247],[16,1248]],[[28,37],[29,38],[30,39],[31,40],[322,420],[323,421],[1697,1249],[324,422],[308,423],[0,89],[1,90],[2,91],[3,92],[318,416],[1698,417],[319,1250],[320,418],[1699,419]],[37,1700,1701,1702,[1580,1251],[5,1252],[216,1253],[32,1254]],[[2
9,64],[30,65],[28,37],[29,38],[30,39],[31,40],[5,518],[6,519],[0,89],[1,90],[2,91],[3,92]],[[28,37],[29,38],[30,39],[31,40],[46,41],[47,42],[48,43],[1703,615],[1704,616],[0,89],[1,90],[2,91],[3,92],[196,1255],[165,1256],[197,1219],[315,1257],[316,1258]],[29,1705,1702,[224,1259],[890,537],[32,1254]],[29,1705,1702,[1706,1260],[1707,1261],[224,1259],[890,537],[32,1254],[1708,1262]],[219],[1709,[1710,1263],1711,0,1,2,3],[1712],[[28,37],[29,38],[30,39],[31,40],[28,1264],[905,1265],[1713,1266],[1714,1267],[1715,1268],[0,89],[1,90],[2,91],[3,92],[4,1269],[59,1270],[60,1271],[61,1272],[62,1273]],[[90,87],[91,88],[0,89],[1,90],[2,91],[3,92],[92,93],[93,94],[1716,1274],[1717,1275],[95,96],[96,97]],[[0,89],[1,90],[2,91],[3,92],[495,620],329,63],[[0,1276],[1,1277],[2,1278],[1718,1279],[1719,1280],[1720,1281],[1721,1282],[1722,1283],[1723,1284],[1724,1285],[1725,1286],[1726,1287],[1727,1288],[1728,1289],[1729,1290],[1730,1291],[1731,1292],[1732,1293],[1733,1294],[1734,1295],[1735,1296],[1736,1297],[1737,1298],[660,1299],[843,1300],[1738,1301]],[1739,1740,1741,[1742,1302],1743],[1744,1745,525,[1746,1303]],[1744,1745,525,[1747,1303]],[1744,1745,1748,525,[1749,1303],1746],[396,397],[1535,513],[1535,513],[[1535,1304],[1536,1305],[1537,1306],[1538,1307],[1539,1308],[1540,1309],513],[[1535,1304],[1536,1305],[1537,1310],[1538,1308],[1539,1309],513],[[1535,1304],[1536,1305],[1537,1311],[1538,1312],[1539,1308],[1540,1309],513],[[1535,1304],[1536,1305],[1537,1313],[1538,1314],[1539,1315],[1540,1308],[1541,1309],513],[[1535,1304],[1536,1305],[1537,1316],[1538,1317],[1539,1318],[1540,1319],[1541,1308],[1750,1309],513],[[1535,1304],[1536,1305],[1537,1320],[1538,1321],[1539,1322],[1540,1308],[1541,1309],513],[293,428,843,1751,1752],[296,1753,1754,297,298],[1755,1756,1757,310,1758,303,305],0,0,[[28,66],[29,64],[30,65],[417,505],[418,506],[416,504],[1759,1323],[1760,1324],[4,520],[5,518],[6,519],[1761,1325],[1762,1326],[1763,1327],[1764,1328],[403,1329]],[[29,58],[28,59],[260,60],[261,61],[28,6
2],[28,37],[29,38],[30,39],[31,40],[145,63],[65,1097],[66,1098],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294]],[[29,233],[200,234],[202,236],[204,238],[213,249],[208,242],[209,243],[5,623],[6,1330],[220,625],[515,627],[1765,1331],[18,629],[19,630]],[[16,305],[263,306],[265,156],[266,157],[269,310],[272,313],[273,314],[274,315]],[[16,305],[263,306],[265,156],[266,157],[269,310],[272,313],[273,314],[274,315]],[497,498],[497,498,499],[497,498,499],[1766,1767,1768,1769,1770],[1771,1772,1773,1774,1775,1776,1777,1778],[1779,1780,1781,1782,1783,1784],[[1535,1332],[1536,1333],513],[[1535,1334],[1536,1335],513],[[1535,1336],[1536,1337],[1537,1338],[1538,1339],[1539,1340],[1540,1341],[1541,1342],[1750,1343],[1785,1344],[1786,1345],[1787,1346],[1788,1347],[1789,1348],[1790,1349],[1791,1350],513],0,0,[215],[524],0,[527,528,451],0,[[1792,1351],1793,531,1794],[[1795,1352],1793,32,1796],0,0,[1797,1798,1799,1800,1801,1802,1803,1804,1805,1806,1807,1808,1809,1810,1811,1812,1813,1814,1815,1816,356,1817,1818,1819,1820,127,120,1821,1822,1823,1824,1825,1826,7,1827,1828],[1815,1816,356,1817,1818,1819,1820,127,120,1821,1822,1823,1824,1825,1826,7,1827,1828],[1815,1816,356,1817,1818,1819,1820,127,120,1821,1822,1823,1824,1825,1826,7,1827,1828],[1821,1829,1830,1831,531,1832,1833,1834,1835],[1821,1829,1830,1831,531,1832,1833,1834,1835],[1836,113,1837,1838,1839,1840,1841,1842,1843,1844],[330,909],[524],[524],[524],[524],[524],[330,231,115],[330,231,115,1845,1846],[231,115,1845,1846],[215,1847,1848],[262,215,1848],[215,1848],[231,647,1849],0,0,[115,1850,1851],[524],[524],[1852,1853,217,1854],[115,1853,217,548,1854],[115,1855],[115,1853,217,548,1856],[1852,1857,1854],[524],[524],[524],[524],[1858],[1858],[1859,843],[524],[524],[524],[524],[524],[1860,548],[458,1861],[215,1862,1863],[458],[1864,1865,330],[231,1866],[231,1866],[231,1866,330],[231,1866],[231,1867],[1628,1868],[230,138,1869,391,1551,244,250],[1870,1871,330],[230,231,370,244],[230,231,1872],[231,1873,1874,1875],[230,231
,370,244],[215,1876,1877,1878,1879],[231,1880,568],[458],[230,231,1872],[1881,330],[650],[458],[458],[215,239],[231,1882,1883],[231],[231,531],[215,330,559],[231,391],[231,391],[231,1884],[231,391],[1885,1886,330,1392],[330],[330,1887],[330,1887],[231,330],[231,330],[230,1888,1889],[1557],[1604],0,[1890],[1604],[1891,854,1892,1893],[1894,1895],[1894],[1891,854,1892],[1891,854,1892],[1896],[1897],[1631,1632,1633,1634,1635,1637,1638,1639,588,589],[1631,1632,1633,1634,1635,1636,1637,1638,1639,588,1640,1641,589,1642,1643,1644,1645],[1898,405,1899],0,[524],[1900],[524],[524],[1901,1902,1903,1904,1905,1906,1907,1908,1909,1564],[1910,1911,1912,1913,1914,1915,1916,1917,1918,1919,1920,1921,1922,1923,1924,1925,1564],[1560,1561,1562,1926,1927,1928,1564],[1560,1561,1562,1563,1564],[1560,1561,1562,1563,1564],[1560,1561,1562,1926,1563,1564],[1929,17,1930,1931],[1854,1932],[17,294,330,554,1248],[1633,330],0,[594,595,32],[594,595,1933,1934,596,597],[594,595],[1935,1936],[1935,1936],[1836,113,1937,1938,228,1939,1940,1941,1942,391,1943,1944,1945,1837,1838,1839,1840,1841,1842,1843,1844],[1815,1816,1946,1947,1948,32,568,1949,1950,1951],0,0,0,0,0,0,0,[1246,1247,1952,1953,1954,1955,1956],[1246,1954,1955],[1246,1247],[1246,1247,1952,525],0,[1246,1954,1955],[1246,1247,1954,1955],[1246,1247,525],[525],[1954,1955,1956],0,[1957,1958],[1959,1960],[1961],[1961],[1957],[1962,1963,1964,1965,1960],[1966,1967],[1968,1969],[1963,525],0,0,0,[1970,1971],[1963],[1963],[1972,1973,1974,1975],0,0,[1976],0,0,0,0,0,0,0,[1973,1974,1977,1978,1979,1980,1981,1982],0,[1976],[1976],[1983,1661,1984,1985,1986],[1983,1661,1984,1985,1986],[1983,1661,1984,1985,1986],[1983,1661,1984,1985,1987,1988,1989,1990,1986],[1983,1661,1984,1985,1987,1988,1989,1990,1986],[1983,1661,1984,1985,1986],[1983,1661,1984,1985,1986],[548,1991,1992,1661,1993],0,0,[1565],[1994],[1994],[1994,1995],[1996],[1565,547],[1565],[547],[547],[1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
,2019,2020,2021,2022,2023,2024,2025,2026,2027,2028,2029,2030,2031,2032,2033,2034,2035,2036,2037,2038,2039,2040],[1622,2041,293,2042,2043,2044,377,2045,2046,2047,138,2048,1600,2049,2050],[1622,2041,293,2042,2043,2044,377,2045,2046,2047,138,2048,1600,2049,2050],[1622,2041,293,2045,2046],[2051,2052,2053,2054,2055,2056,2057,2058,2059,2060,2061,2062,2063,2064,2065,2066,2067],[1622,2041,293,2042,2043,2044,377,2045,2046,2047,138,2048,1600,2049,2050],[293,224,2068,560,513],[293,224,560,513],[293,224,2068,2069,513],[293],[293,513],[293,1691,513],[293,2070,2071,2072],[293],[511,512,1606,1607],[511],[511,512,1606,1607,2073,2074,2075,2076,2077,2078,2079],[296,2080,2081,2082],[293],[293],[293],[293,524,513],[293,524,513],[511,512,1606,2083],[511,512,1606,1607],[511,512,1606],[511,512],[293,524,513],[293,294,2084,2085,2086,2083],[2087,2088,305,2083],[294,2089,2090,2091,2092,2087,2093,549],[294,2089,2090,2091,2092,2087,2093,549],[2094,2095,305],[2096,2097],[2098,2099,2100,2101],[2102],[2103,843],[330,2104,1838,2105,262],[2106,2107,2108,330,2104,2109],[2110],[2110],[2110],[2110],[2111,2112,2113,915,890,2114],[2111,2112,2113,915,890,2114],[890,2112,2113,2114,2115],[293],[2116,2117,2118,2119,2120,636,2121],[627,2122],0,[623,625,626],[623],[623,625,626],0,[2123,330,2117,2116],[627,2122,2124],[2125],[623,2126],[623,625,626,2127,2128,2129],[623,2130],[2131],[622,2132,2133],[2134,2135,2136,2137,2138,2139],[2140,424],[2140],[2141,330],[2142],[623,2143],[2144,2145,2146,2142,330,2147],0,0,[2141,330],[2148,330,622,623,2149],[2148,330,622,623,2149],[2148,330,622,623,2149],[2148,330,622,623,2149],[2148,330,622,623,2149],[641,642,643,644,629],[641,642,643,644,629],0,0,0,[548],0,[220],0,0,[2150,2151,16,2152,370],[2153,2150,16,2152,370],[2153,32,16,2152,370],0,[2154,2155,2156],0,[2154,2157],[2154,2158,2159],[2154],0,[2160,100,2161,2162,2163,2164,2165,2166,2167,2168,2169,2170],[2171,2172,2173,2174,2175,2176,2177],[2178],[2179,2180,2181,2182],[2183],[2184,1336],[2185],[2186,2187,2188],0,[2189,2190,
2191,2192,2193,2194,1622],[2195],[1567,1568,2196,2197],[2198,2199],[2200,2201,2202,2203,2204],[852,853,854],[852,853,854],[855],[2205,856,32,2206,2207,377],[2208,2209,843,391],[2210,2211,2212],[2213,843,2214,2215,2216,2217,2218,2219,2220,2221,2222,2223,2224],[2225,2226,32],[878,879,880,2227,2228],[2229,2230,2231,2232],[294,2233,1633,391,2234,2235],[2236,2237,138],[2236,2237,138],[2236,2237,138],0,0,[2238,2239,2240,2241,16],[217,292,32],[893,330],[2242,2243,2244,2245],[2242,2243,2244,2245],[1485,2242,2243,2244,2245],[391,2246,2247,2248],[494,893,2249],[2250],[2251,2252,2253,2254,2255,2256,2257,2258],0,0,[1996],[2259,391,2260,2261,2262,2263,2264,2265,2266,925,2267,2268,2269,444,2270,2271,2272,2273,2274,225,553,2275,2276,1794,2277,2278,2279,2280,2281,2282,2283,2284,2285,2286,2287,2288,2289,2290,235,2291,2292,2293,2294,2295,2296,2297,2298,2299,2300,2301,2302,2303,2304,2305,2306,2307,2308,2309,2310,2311,2312,2313,2314,2315,927,2316,2317,2318,2319,2320,2321,2322,2323,2324,2325,2326,2327,2328,2329,2330,2331],[2332,2333],[2334,2335,2336],[1661],[1661,2337,2338],0,0,0,[511,512,548],[2339,2340,2341,32,2342],[511],[511],[511],[511],[511],[511],[2343,2344,2345,2346,2347,2348,2349,2350,2351,2352,2353,2354,2355,2356,2357,2358,2359,2360],[2361,166],[2361,166],[2362,4,2363,2364,567,2365,2366,2367],[2362,4,2363,2364,567,2365,2366,2367],[2362,4,2363,2364,567,2365,2366,2367],[2362,4,2364,567,2365,2366],[2362,4,2364,567,2365,2366],[511,512,1606,1607,2368,2369],[1246,1247],[1246,1247,1952],[1246],[32],0,[451,1259],[1259],[1259],[1259,2370],[1259,330],[1259,2370,2276],[1259,2370,2276],[1259],[1259,330],0,0,[1259,2371,2372,2373,2374,2375],[1259,548],[1259,2376],[451,526,2377],[451,526,2377],[451,526,548],[451,526,548],[1259,2371,2372,2373,2374,2375],[2378,17],[2379,424,548,17,2380,2381],[424],[424,548],[2378,17],[2379,424,548,17],[424],[424,548],[2378],[2382,1264,424,2383],[424],[2140,1264,424,330,2384],[424],[424],[890,2385,2386],[890],0,0,0,[2387],[2387,2388],[2387,2389,2390,2391,2392],
[2393],[2387,2393],[2394],0,0,[2395],0,[660],[2396],0,[2397,2276],[2398,2399],[2400,2401],[2402],[2403],[2403],[2400,2401],[1295],[2404,2405,2406,2407,2408,2409],[2410,2411,2409],[2412,2413,2414,1418,2415,2416,2417,330],[2418],0,0,0,0,[2419,2420,2421,2422],[2423],[2424,2425],[2424,2425],[2426,2427,2428,2429,2430,2431,2432,2433,2434,2435],[2436,2437,2438,2439],[2440,2441,2442,2443,2444,2445,2446,2447,2448],0,[[2449,1353]],[[28,37],[29,38],[30,39],[31,40],[2450,1354],[2451,1355],[1687,1356],[293,501],[0,89],[1,90],[2,91],[3,92],[2452,1357],[2453,1358],[16,1359],[17,1360]],[[2454,1361],[1691,1362],[4,89],[5,90],[2455,91],[7,92],[2456,1363],[2457,1364]],[[2458,1365]],[[0,89],[1,90],[2,91],[3,92],[4,560],[5,561],[6,562],[7,563],[8,1366],[312,1367],[313,407],[2459,1368],[2460,1369]],[[1314,1370],[1314,1068],[1315,1069],[1316,1070],[1315,1371],[1316,1372],[1317,1071],[1319,1073],[2461,1373],[2462,1374],[2463,1375],[2464,1376],[2465,1377],[1308,1062],[1320,1074],[1321,1075],[2466,1378],[1299,1379],[1300,1052],[1301,1053],[1302,1054],[1303,1055],[1304,1056],[1305,1057],[1307,1060],[2467,1380],[2468,1381],[2469,1382],[2470,1383],[2471,1384],[1309,1063],[1310,1064],[2472,1385]],[[1314,1370],[2473,1386],[2474,1387],[2475,1388],[1314,1068],[2476,1389],[2474,1390],[2475,1391],[1315,1069],[1316,1070],[1315,1371],[1316,1372],[1317,1071],[1319,1073],[2461,1373],[2462,1374],[2463,1375],[2464,1376],[2465,1377],[1308,1062],[1320,1074],[1321,1075],[2466,1378],[1299,1379],[2477,1392],[2478,1393],[2479,1394],[1300,1052],[2480,1395],[2481,1396],[2482,1397],[1301,1053],[1302,1054],[1303,1055],[1304,1056],[1305,1057],[1307,1060],[2467,1380],[2468,1381],[2469,1382],[2470,1383],[2471,1384],[1309,1063],[1310,1064],[2472,1385]],[[1314,1370],[2473,1386],[2474,1387],[2475,1388],[1314,1068],[2476,1389],[2474,1390],[2475,1391],[1315,1069],[1316,1070],[1315,1371],[1316,1372],[1317,1071],[1318,1072],[33,32],[1319,1073],[376,1061],[1308,1062],[1320,1074],[1321,1075],[1322,1076],[1323,1077],[1299,1379],
[2477,1392],[2478,1393],[2479,1394],[1300,1052],[2480,1395],[2481,1396],[2482,1397],[1301,1053],[1302,1054],[1303,1055],[1304,1056],[1305,1057],[1306,1058],[321,1059],[1307,1060],[1309,1063],[1310,1064],[1311,1065],[1312,1066]],[[1315,1069],[2483,1398],[2276,1399],[2484,1400],[1315,1371],[2485,1401],[2276,1402],[2484,1403],[269,1404],[2486,1405],[1317,1071],[1318,1072],[33,32],[2487,1406],[376,1061],[1308,1062],[2488,1407],[2489,1408],[2466,1409],[1301,1053],[2490,1410],[2491,1411],[2492,1412],[1303,1055],[2493,1413],[2494,1414],[2495,1415],[2496,1416],[1305,1057],[1306,1058],[321,1059],[2497,1417],[2498,1418],[2472,1419],[2499,1420],[2500,1421]],[2501,2502,1317,2466,[1301,1422],[1303,1423],[1305,1424],[2472,1425]],[[0,89],[1,90],[2,91],[3,92],[196,1255],[165,1256],[197,1219],[198,1426],[1325,1427],[170,162],[169,161],[68,1428],[16,456]],[[2503,1429],[2504,1430],[491,1431],[2505,1432],[2506,1433],[32,1434],[1620,306],[2507,1435],[1729,1436],[2508,1437],[2509,1438]],[[2503,1429],[2504,1430],[48,43],[2510,1439],[491,1431],[2505,1432],[2506,1433],[1308,1440],[2511,1441],[2512,1442],[1620,306],[2507,1435],[197,1219],[2513,1443],[1729,1436],[2508,1437],[2509,1438],[878,1444],[2160,1445],[2161,1446]],[[2503,1429],[2504,1430],[491,1431],[2505,1432],[2506,1433],[1620,306],[2507,1435],[1729,1436],[2508,1437],[2509,1438]],[[2503,1429],[2504,1430],[491,1431],[2505,1432],[2514,1447],[2515,1448],[1620,306],[2507,1435],[1729,1436],[2508,1437],[2509,1449],[2516,1450]],[[28,37],[29,38],[30,39],[31,40],[2517,1451],[2518,89],[2519,90],[2520,91],[2521,92]],[[28,37],[29,38],[30,39],[31,40],[47,42],[48,43],[51,205],[52,209],[194,16],[0,89],[1,90],[2,91],[3,92],[165,1256],[197,1219],[170,162],[169,161],[16,456]],[[414,1452],[415,1453],[28,37],[29,38],[30,39],[31,40],[474,1454],[475,1455],[0,89],[1,90],[2,91],[3,92]],[511,[512,1456],1606],[0,1,2,3,2522],[[28,37],[29,38],[30,39],[31,40],[1703,1457],[1704,1458],[0,89],[1,90],[2,91],[3,92],[315,1459],[316,1460]],[[28,37],[29,38],[30,39],[31,
40],[414,502],[415,503],[416,1461],[417,1462],[418,1463],[419,1464],[0,89],[1,90],[2,91],[3,92],[474,1465],[475,1466],[1763,1467],[1761,1468],[1762,1469],[2523,1470]],[[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[146,67],[161,83],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[70,1095],[86,1096]],[[29,58],[28,59],[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[65,1097],[66,1098],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[1335,1099]],[[29,58],[28,59],[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[65,1097],[66,1098],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294]],[[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294]],[[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[146,67],[161,83],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[70,1095],[86,1096]],[[29,58],[28,59],[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[65,1097],[66,1098],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[1335,1099]],[[29,58],[28,59],[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[65,1097],[66,1098],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294]],[[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294]],[[29,233],[30,247],[202,236],[204,238],[213,249],[208,242],[209,243],[5,623],[6,624],[220,625],[515,627],[1765,1331],[18,629],[19,630]],[37,2524,2525,[2526,1251],[1580,1471],[2527,1472]],[37,29,[1580,1251],[2526,1259]],[[29,270],[30,271],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[146,214],[161,230],[5,1238],[6,1239],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[70,514],[86,515]],[[29,58],[28,59],[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[65,1097],[66,1098],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[
3,92],[68,294],[1335,1099]],[[29,58],[28,59],[260,60],[261,61],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[65,1097],[66,1098],[5,511],[6,512],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294]],[[29,58],[28,59],[29,270],[30,271],[28,62],[28,37],[29,1473],[30,39],[31,40],[145,63],[65,1097],[66,1098],[5,1238],[6,1239],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294]],[[29,58],[28,59],[29,270],[30,271],[28,62],[28,37],[29,1473],[30,39],[31,40],[145,63],[65,1097],[66,1098],[5,1238],[6,1239],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294]],[[29,270],[30,271],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[5,1238],[6,1239],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294]],[[29,270],[30,271],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[146,214],[161,230],[5,1238],[6,1239],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294],[70,514],[86,515]],[[29,270],[30,271],[28,62],[28,37],[29,38],[30,39],[31,40],[145,63],[5,1238],[6,1239],[67,513],[0,89],[1,90],[2,91],[3,92],[68,294]],[[28,37],[29,38],[30,39],[31,40],[307,393],[2528,1474],[308,394],[0,89],[1,90],[2,91],[3,92],[216,1475],[5,1476],[32,1477]],[[28,37],[29,38],[30,39],[31,40],[425,525],[4,89],[5,90],[6,91],[7,92],[424,524]],[[28,37],[29,38],[30,39],[31,40],[425,525],[4,89],[5,90],[6,91],[7,92],[424,524]],[2529,2530,2531,[2532,1478],[2533,1479],[2534,1480]],[[28,37],[29,38],[30,39],[31,40],[46,41],[47,42],[48,43],[50,45],[194,16],[195,17],[2535,1481],[2535,1482],[0,89],[1,90],[2,91],[3,92],[196,1255],[165,1256],[197,1219],[198,1426],[16,456],[17,586],[171,1483],[2536,1484]],[[28,37],[29,38],[30,39],[31,40],[46,41],[47,42],[2537,1485],[2538,1486],[2539,1487],[2540,1488],[0,89],[1,90],[2,91],[3,92],[196,1255],[165,1256],[2541,1489],[2542,1490],[2543,1491],[2544,1492]],[[29,233],[200,234],[201,235],[1705,1493],[202,236],[203,237],[204,238],[205,239],[206,240],[207,241],[208,242],[209,243],[210,244],[211,245],[212,246],[1706,1260],[2545,1494],[2546,1495],[5,623],[6,1330],[67,1496],[890,1497],[220,625],[514,626],[515,627],[32,1498],[5
16,628],[2547,1499],[18,629],[19,630],[2548,1500],[2549,1501],[2550,1502],[1708,1262],[1707,1503],[2551,1504]],[[29,233],[30,247],[1705,1493],[202,248],[203,237],[204,238],[206,240],[208,242],[209,243],[213,249],[214,250],[39,251],[1706,1260],[2545,1494],[5,623],[6,624],[890,1497],[220,625],[514,626],[515,627],[516,628],[18,629],[19,630],[32,1331],[12,1505],[2552,1506],[1708,1262],[1707,1503]],[[29,233],[28,252],[202,236],[204,253],[213,249],[207,241],[208,242],[209,243],[210,244],[211,245],[212,246],[5,623],[67,1507],[220,625],[515,627],[32,1331],[2547,1499],[18,629],[19,630],[2548,1500],[2549,1501],[2550,1502]],[29,30,[28,64],[28,65],[29,66],[30,37],[31,38],[145,39],[306,40],489,2553,[5,518],[6,519],[67,520],[0,89],[1,90],[2,91],[3,92],[68,294],[403,1508]],[2554,2555,1348,1352,1353,1354,28,2556,[2557,1509],[2558,1510],[2559,1511],[2560,1512],[2561,1513],[2562,1514],[475,1515],[391,1516]],[[1348,1114],[1349,1115],[1350,1116],[1351,1117],[391,1118],[1352,1119],[1353,1120],[1354,1121],[1355,1122],[28,37],[29,38],[30,39],[31,40],[2559,1517],[2563,1518],[2161,1519],[2564,1520],[2560,1521],[2561,1522],[2562,1523],[475,1524],[0,89],[1,90],[2,91],[3,92]],[[28,37],[29,38],[30,39],[31,40],[1348,1114],[1349,1115],[1350,1116],[1351,1117],[391,1118],[1352,1119],[1353,1120],[1354,1121],[1355,1122],[0,89],[1,90],[2,91],[3,92],[2559,1517],[2563,1518],[2161,1519],[2564,1520],[2560,1521],[2561,1522],[2562,1523],[475,1524]],[0,1,2,3],0,0,[431,[428,529],0,1,2,3],[[2565,1525],431,[428,529],0,1,2,3],[[2566,1526],[2567,1527],[466,1143],0,1,2,3],[431,[429,530],2568,[428,529],[2569,1528]],[431,[428,529],0,1,2,3],[2570,2571,2572,[2573,1529],[2574,1530],[2575,1531]],[348,1399,1704,1400,2576,340,[341,432],[342,433],343,344,[345,434],[1401,1148],[2577,1532],[1402,1149],[2578,1533]],[[2458,1534]],[2579,2580,[2581,1535],[2582,1536]],[2583,2584,2583,2584,2579,2580,[2585,1537],[2586,1192],[2587,1537],[2588,1192],[2581,1535],[2582,1536]],[[28,37],[29,38],[30,39],[31,40],[46,41],[47,42],[48,43],[50
,45],[1703,1538],[1704,1539],[194,16],[195,17],[0,89],[1,90],[2,91],[3,92],[196,1255],[165,1256],[197,1219],[198,1426],[315,1540],[316,1541],[16,456],[17,586]],[1403,1404,1405,1406,[568,1152],308,[2589,1542],[2590,1543],[2591,1544],[2592,1545],[657,1546]],[1403,1404,1405,1406,[568,1152],308,[2589,1542],[2590,1543],[2591,1544],[2592,1545],[657,1546]],[1403,1404,2593,1406,[568,1152],308,[2589,1542],[2590,1543],[2591,1547],[2592,1545],[657,1546]],[1403,1404,1406,[568,1152],425,2594,[2589,1542],[2590,1543],[2592,1545],[2388,1548],[2595,1549]],[1403,1404,1406,[568,1152],425,2596,308,[2589,1542],[2590,1543],[2592,1545],[2388,1548],[2597,1550],[657,1546]],[[2388,1548],[2378,1551],[2598,1552],[2599,1553],[305,1192],[1832,1554],[657,1546]],[2600,2601],[2600,2601,2602],[1403,1404,[2378,1551],[568,1152],308,[2589,1542],[2590,1543],[657,1546]],0,[[1408,1162],[356,1555],[101,1556]],[[1408,1162],[356,1557],[101,1558]],0,[[356,1167],[101,1168],[548,1559],[843,1169]],[[1303,1423],[2603,1560]],[[1303,1423],[2603,1560]],[[1301,1422],[1303,1423],[1305,1424]],[[1301,1422],[1303,1423],[1305,1424]],[[1301,1422],[1303,1423],[1305,1424]],[[1299,1561],[1300,1562],[1301,1563],[1302,1564],[1303,1565],[1304,1566],[1307,1567],[2467,1568],[2468,1569],[2469,1570],[2470,1571],[2471,1572],[1308,1573],[1309,1574],[1310,1575],[2472,1576],[2604,1577],[2605,1578],[2606,1579],[2607,1580],[2498,1581]],[[1299,1561],[1300,1562],[1301,1563],[1302,1564],[1303,1565],[1304,1566],[1307,1567],[2467,1568],[2468,1569],[2469,1570],[2470,1571],[2471,1572],[1308,1573],[1309,1574],[1310,1575],[2472,1576],[2604,1582],[2608,1583],[2609,1584],[2610,1585],[2605,1586],[2611,1587],[2612,1588],[2613,1589],[2607,1590],[2498,1591]],[[1299,1379],[2477,1392],[2478,1393],[2479,1394],[1300,1052],[2480,1395],[2481,1396],[2482,1397],[1301,1053],[1302,1054],[1303,1055],[1304,1056],[2467,1380],[2468,1381],[2469,1382],[2470,1383],[2471,1384],[1308,1592],[1309,1063],[1310,1064],[2472,1385],[2604,1577],[2605,1578],[2606,1579],[2607,1580]
,[2498,1581]],[[1299,1379],[2477,1392],[2478,1393],[2479,1394],[1300,1052],[2480,1395],[2481,1396],[2482,1397],[1302,1593],[1303,1055],[1304,1056],[2467,1380],[2468,1381],[2469,1382],[2470,1383],[2471,1384],[1308,1592],[1309,1063],[1310,1064],[2472,1385],[2604,1582],[2608,1583],[2609,1584],[2610,1585],[2605,1586],[2611,1587],[2612,1588],[2613,1589],[2607,1590],[2498,1591]],[[2604,1379],[2608,1392],[2609,1393],[2610,1394],[2605,1052],[2611,1395],[2612,1396],[2613,1397],[1301,1053],[1302,1054],[1303,1055],[1304,1056],[1306,1058],[321,1059],[376,1594],[1308,1592],[2607,1063],[2498,1418]],[[2604,1379],[2605,1052],[1301,1053],[1302,1054],[1303,1055],[1304,1056],[1306,1058],[321,1059],[2606,1060],[376,1594],[1308,1592],[2607,1063],[2498,1418]],0,[[330,1254]],[[330,1254]],[[330,1254]],[[330,1254]],[[330,1254]],0,[[330,1254]],[[330,1254]],[[0,89],[1,90],[2,91],[3,92],[2614,1595],[2615,1596],[16,456],[17,586]],[[355,439],[2616,1597],[2617,1598]],[[355,439],[2616,1599],[2617,1600]],[[355,439],[2616,1601],[2617,1602]],[[355,439],[1420,1603],[1421,1604]],[[355,439],[2618,1605],[2619,1606]],[[355,439],[2618,1607],[2619,1608]],[[355,439],[2618,1609],[2619,1610]],[[355,439],[2620,1611],[2621,1612]],[[423,1613],[16,1614],[2622,1615]],[[0,89],[1,90],[2,91],[3,92],[494,1616],[2623,1617],[16,456],[17,586]],[[0,89],[1,90],[2,91],[3,92],[2342,1618],[328,1619]],[[0,89],[1,90],[2,91],[3,92],[358,1180],[606,1181],[843,1620],[328,1621]],[[0,89],[1,90],[2,91],[3,92],[358,1180],[606,1181],[605,1182],[1423,1183],[843,1620],[328,1621]],[[2342,1618],[328,1619]],[[0,89],[1,90],[2,91],[3,92],[358,1622],[2624,1623],[217,1624],[328,1619]],[[0,89],[1,90],[2,91],[3,92],[2095,1625],[2625,1626],[217,1624],[328,1619]],[[0,89],[1,90],[2,91],[3,92],[2095,1625],[2625,1626],[303,1627],[305,1628],[328,1619]],[[0,89],[1,90],[2,91],[3,92],[2095,1625],[2625,1626],[2626,1629],[893,1630],[661,1631],[217,1624],[328,1619]],[[0,89],[1,90],[2,91],[3,92],[2095,1625],[2625,1626],[2626,1629],[893,1630],[303,1627],[305,16
28],[328,1619]],[[0,89],[1,90],[2,91],[3,92],[2095,1625],[2625,1626],[2626,1629],[893,1630],[358,1632],[661,1631],[217,1624],[328,1619]],[[0,89],[1,90],[2,91],[3,92],[2095,1625],[2625,1626],[2626,1629],[893,1630],[1387,1633],[217,1624],[466,1143],[328,1619]],[[0,89],[1,90],[2,91],[3,92],[2095,1625],[2625,1626],[2626,1629],[893,1630],[1387,1633],[303,1627],[305,1628],[328,1619]],0,0,[[2627,1634],[305,1192],0,1,2,3],[[2627,1634],[2628,1635]],[[2627,1634],[2629,1636],[2630,1637],[2631,1638],[2632,1639],[2633,1640],[2634,1641],[2635,1642]],[[90,87],[91,88],[0,89],[1,90],[2,91],[3,92],[92,93],[93,94],[1716,1274],[1717,1275],[95,96],[96,97]],[[294,1643]],[[294,1643],[2636,1644]],[[264,307],[265,156],[267,308],[2637,1645],[951,1646],[2638,1647],[2639,1648],[272,313],[273,314],[274,315]],[[264,307],[265,156],[267,308],[2637,1645],[951,1646],[2638,1647],[2639,1648],[272,313],[273,314],[274,315]],[[16,305],[263,306],[264,307],[265,156],[266,157],[267,308],[268,309],[269,310],[271,312],[272,313],[273,314],[274,315]],[[0,89],[1,90],[2,91],[3,92],[2640,1649],[330,1650],[2641,1651],[2642,1652],[2643,1653]],[[0,89],[1,90],[2,91],[3,92],[1853,1654],[2644,1655],[2645,1656],[2646,1657]],[[357,442],[358,443],[368,459],[369,460],[1438,1212],[1439,1213],[363,448],[273,449],[364,450]],[[1301,1053],[2490,1410],[2491,1411],[2492,1412],[1303,1055],[2493,1658],[2494,1414],[2647,1416],[2495,1415],[2648,1659],[2649,1660],[2650,1661],[2651,1662],[2652,1663],[2653,1664],[2654,1665],[2655,1666],[2487,1667],[1308,1668],[2656,1669],[2657,1385],[2658,1670],[2659,1671],[2660,1672],[2499,1420],[2500,1421]],[[1301,1053],[2490,1410],[2491,1411],[2492,1412],[1303,1055],[2493,1658],[2494,1414],[2495,1415],[2648,1673],[2658,1674],[2499,1420],[2500,1421]],[[2661,1675]],[[2661,1676],[548,1254]],[[2661,1675]],[[2661,1675],[548,1254]],[[2661,1675]],[[2661,1675],[548,1254]],[[2661,1675],[548,1254]],[[2661,1675]],[[2661,1675],[548,1254]],[[2661,1675]],[[2661,1675],[548,1254]],[[2662,1677],[548,1254]],[[548,1254]
],[[2663,1678],[449,89],[1,90],[2,91],[3,92],[2664,1679],[2665,1680],[2666,1681],[660,1682],[2667,1683],[330,1684],[2668,1685],[2669,1686],[2670,1687]],[[2671,1688],[449,89],[1,90],[2,91],[3,92],[660,1689],[2667,1690],[330,1691]],[[0,1692],[1,1693],[2,91],[3,1694],[16,1359],[17,1360],[2672,1695],[2494,1696],[2673,1697],[2533,1698],[438,1699],[439,1700],2674,2379,2675],[[330,1619],1296],[[330,1254],1296],[[0,1276],[1,1277],[2,1278],[1718,1279],[1719,1280],[1720,1281],[1721,1282],[1722,1283],[1723,1284],[1724,1285],[1725,1286],[1726,1287],[1727,1288],[1728,1289],[1729,1290],[1730,1291],[1731,1292],[1732,1293],[1733,1294],[1734,1295],[1735,1296],[1736,1297],[1737,1298],[1738,1301]],[[0,1276],[1,1277],[2,1278],[1718,1279],[1719,1280],[1720,1281],[1721,1282],[1722,1283],[1723,1284],[1724,1285],[1725,1286],[1726,1287],[1727,1288],[1728,1289],[1729,1290],[1730,1291],[1731,1292],[1732,1293],[1733,1294],[1734,1295],[1735,1296],[1736,1297],[1737,1298],[660,1299],[843,1300]],[[0,1276],[1,1277],[2,1278],[1718,1279],[1719,1280],[1720,1281],[1721,1282],[1722,1283],[1723,1284],[1724,1285],[1725,1286],[1726,1287],[1727,1288],[1728,1289],[1729,1290],[1730,1291],[1731,1292],[1732,1293],[1733,1294],[1734,1295],[1735,1296],[1736,1297],[1737,1298],[660,1299],[843,1300]],[[0,1276],[1,1277],[2,1278],[1718,1279],[1719,1280],[1720,1281],[1721,1282],[2676,1701],[1722,1283],[1723,1284],[1724,1285],[1725,1286],[1726,1287],[1727,1288],[1728,1289],[1729,1290],[1730,1291],[1731,1292],[1732,1293],[1733,1294],[1734,1295],[1735,1296],[1736,1297],[1737,1298],[2677,1702],[2678,1703],[2679,1704],[2680,1705],[2681,1706]],[[0,1276],[1,1277],[2,1278],[1718,1279],[1719,1280],[1720,1281],[1721,1282],[2676,1701],[1722,1283],[1723,1284],[1724,1285],[1725,1286],[1726,1287],[1727,1288],[1728,1289],[1729,1290],[1730,1291],[1731,1292],[1732,1293],[1733,1294],[1734,1295],[1735,1296],[1736,1297],[1737,1298],[2677,1702],[2678,1703],[2679,1704],[2680,1705],[2681,1706],[2682,1707]],[[0,1276],[1,1277],[2,1278],[1718,12
79],[1719,1280],[1720,1281],[1721,1282],[2676,1701],[1722,1283],[1723,1284],[1724,1285],[1725,1286],[1726,1287],[1727,1288],[1728,1289],[1729,1290],[1730,1291],[1731,1292],[1732,1293],[1733,1294],[1734,1295],[1735,1296],[1736,1297],[1737,1298],[2677,1702],[2678,1703],[2679,1704],[2680,1705],[2681,1706]],[[0,1276],[1,1277],[2,1278],[1718,1279]],[[0,1276],[1,1277],[2,1278],[1718,1279]],[[1730,1708]],[[1730,1709]],[[1730,1710]],[[2683,1711]],[[2683,1712],[330,1254]],[[2454,1713],[2684,1714]],[[1600,1715],[2685,1716]],[[2686,1717]],[[511,1240]],[[0,89],[1,90],[2,91],[3,92],[451,536],[452,537],[453,538],[454,539],[496,621],[456,541],[457,542]],[1445,1446,1447,1448,2687,2688,2689,2690,2691,2692,2693,2694],[1445,1446,1447,1448,2687,2688,2689,2690,2691,2692,2693,2694],[1445,1446,1447,1448,2687,2688,2689,2690,2691,2692,2693,2694,2695,2696,2697,2698],[1445,1446,1447,1448,2687,2688,2689,2690,2691,2692,2693,2694],[1996],[2699],[1460,1246],0,[2699],[2700,2701],[525,2700,2701],[1463,2702,2703,2704,2705],[1463,2702,2703,2704,2705],[[1468,1223],1469,1470,1463,1464,1465,1466,1467],[2699],[2699],[2699,2706],[2707,525],[220,2708,2709,330],[[2710,1718],2711,220,330],[2699],[220,2708,2709],[2699],[2699],[525],[2712],[2713,525],0,0,0,0,0,0,[[1746,1719],1471,525,1472],0,0,[2714],[2715,2714],[2716,2714],[2716,2714],[2717],[2717],[2717],[2110,2718,330],[2719],[2719],[2719],[2720,2721],0,0,0,0,0,0,0,[293,2722,2723],[2724],[2724],[2722],[2724],[2724],[2725],[2726],[2724],[2724],[2727,548,2728],0,0,[1243,1484,1794,376],[1243,1484,1794,376],[2729],[2729],[2729],0,0,0,0,0,0,0,0,0,0,0,0,0,0,[107,549],[2233,1484,1794,2730,2731],[2732,2160,2383,401],0,0,[2733,905,2734,1243],[1243],0,0,0,[2735,2736],[2735,2736],[2732,2684],[2737,2738,2739],[2737,2740,2741,2742,2738],[2737,2740,2741,2742,2738],[2737,2740,2741,2742,2738],[2737,2740,2741,2742,2738,1472,2743],[1243,1484,1794,376],[2737],[2737],[2737],[2744,401],[2745,2746],[2745,2746],0,[2747],[2747],[2732,2748],[2732,2748,32,843],[2745,2746],[2745,2746
],[2729],[2729,32,401],[2745],[2745],[2749,2750,2715,2743,2751,2752,2753],[2754,2755,2756,2757,2758],[2754,2755,2756,2757,2758],[2759,2760,1472,2761],[1480,1481,1482,1483],[2759,2760,1472,2761],[1480,1481,1482,1483],[2762,2763,2764,2765,2766,2767,2768,2769,2770],[2771,2772,2773,2774,2775,2776,2777,2778],[2779],0,0,[605],[605],[1687,1484],0,0,0,[2780,2781,330,2782],[293,1592,391],[2783,391],[1628,2784,330],[1628,330],[8,336],[8,336],[2785,2786,2787,2788,2789,2790],[2791,2792],[2793],0,[2794],0,[2794],0,0,[2719],[2795],[2796],0,0,[2797],0,0,[2798,2799,2800],[2719],[2801,2802,2791],[2803,2801,2802,2791],[2803,2801,2802,2791],[2719],0,0,0,[2804,2784],[2804,2784],[843,32,2805,2409],[2041,293,1572],[2041,293,1572],[2805,2409],[2805,2409],[2806,2807,2808,2809,2810,2811,2812],[2806,2807,2808,2809,2810,2811],0,0,[2813,2814,2815],[2816,2817,2818,2819,2820,2821],[2816,2819,2820,2818],[2813,2817],[2822],[2823,2824,2825,2826,2827,2828,2829,2830,2831,2832,2833,2834,2835,2836],[568,16],[16],[2837,16,2095],[2837,378,2780],[568],[2838,2839,2840,2841,2842],[2843,2844],[2843,2844],[330,2845,2846,2847,2848,2849,2850,2851,2852,2853],[330,568,2854,2855,2856,2857],[568],[568],[2858],[2859],[454,2860,2861],[454,2861],[358,2862],0,0,[2859,2863],[553,2864],[553,2864],[2865,2283,2866,2867,2868,2869],[2870,2866,2871,2268,2872,444,2873,2874,2875,2876,2877,2878,2879,2880,2881],[652,653,654],[2882,2883,2884,2885,2886],[2882,2883,2886,2887,2884],[2888,2889,2890,2891,2892,2893,2894,918,920,444,2895,2896,2897,2898,2899,2900,2901,2902,2903,2904],[2894,2905,2906,2888,2893,2896,2907,2908,2909,2910],[2894,2905,2906,2888,2893,2889,2890,2891,2892,918,920,444,2896,2907,2908,2909,2910,2911,2912,2913,2914,2915,2916,2917,2918,2919,2920,2921,2922],[2888,2889,2890,2891,2892,2893,925,2894,918,920,444,927,2897,377,2923,2924,2925,2926,2927,2928,2929,2930,2931,2932,2933,2934,2935,2936,2937,2938,2939,2940,2941,2942,2943],[2888,2889,2890,2891,2892,2893,925,2894,2944,918,920,444,927,2895,2896,2897,377,1101,2945,2946,2
947,2948,2949,2950,2951,2952,2953,2954,2955,2956,2957,2958,2959,2960,2961,2962,2963,2964,2965,2966,2967,2968,2969,2970,2971,2972,2973,2974,2975,2976,2977,2978,2979,2980,2981,2982,2983,2984,2985,2986,2987,2988,2989,2990,2991,2992,2993,2994,2995,2996,2997,2998,2999,3000,3001,3002,1100],[2894,2905,2906,2888,2893,2889,2890,2891,2892,918,920,444,2896,3003,3004,2907,2908,2909,2910,2911,2912,2913,2914,2915,2916,2917,2918,2919,2920,2921,2922],[1535,2888,2889,2890,2891,2892,2893,2894,918,920,444,2896,3005,2905,2906],[2888,2889,2890,2891,2892,2893,925,2894,918,920,444,927,2896,377,3006,3007,1484,2874,2875,2876,3008,3009,993,3010,3011],[2894,2888,2893,2889,2890,2891,2892,918,920,444,927,3012,3013],[2894,2888,2893,2889,2890,2891,918,920,444,927],[2894,2888,2893,3014,3015],[1535,2888,2889,2890,2891,2892,2893,2894,918,920,444,2896,3005,2905,2906],[2893,2888,3016,2894,3017,391,3018,3019,3020,3021,3022],[377,2259,918,920,922,444,2271,3023,925,2318,3024,3025,3026],[377,3027,3028,3029,2259,918,920,922,444,2271,3023,925,2318,3024,3025,3026],[101,102,103,16,104,3030,3031,111,300,115],[524],[3032,330,3033,3034,3035,3036,3037,3038],[3032,330,3033,3034,3035,3036,3037,3038],[293,1996,3039],[293,1857],[293,336,3040,1661],[293,336,3040,1597],[293,336,3040,1661],[293,336,1661,3040,1597],[293,336,3040],[293,336,1661],[293,336,1661],[293,336,1661],[293,336,1661,3040],[293,336,1661],[293,336,1661],[293,336,1661],[293,336,371,1661],[293,336,371],[293,336,1595,1594,1597,1596],[293,336,1595,1594,1597],[293,336,1595],[293,336,3041,3042],[293,336,3041],[293,336,1595,3040],[293],[293],[293],[3043,3044,3045,3046,3047,3048],[3043,3044,3045,3046,3047,3048],[3043,3044],[497,498,499],[3049],0,[3050,3051],[497,498],[497,498],0,[1485,3052],[1485,3052],0,0,[293,3053,3054,310,3055,3056],[293,3053,3054,560],[293,3057,3058,3054,3059],[293,310,3055,3060,3061,3062,3063,3064,3065,3066,549,3067,3068,3056,3069,3070,3071,3072,3073,3054],[293,413,841,3054],[293,3074,3075,3076,3054,3077],[293,310,3055,3054],[293,3057,30
54],[293,3078,3079,3080,3054],[293,660,3054],[293,3081,3082,3083,3084,3085,3054],[293,3078,3079,3086],[293,3078],[293,3087],[293,3088],[293],[293],0,0,0,0,[3089,3090,3091,3092,525],[3089,3093,3094,3095],[3089,3093,3094,3095,3096,3097,3098],[3089,3093,3094,3095,3097,3098,3099,3100,3101],[3089,32],[3089,376],[3089,376],[3089,376],[3089,376],[3089,3102,3103,3104],[3105,336],[330,3105,336],[1858,3106,3107,3108,3109],[1858],[3109],[1858,3110],[401],0,0,0,[3030],[3030],[3030],[3030],[554,3111],0,[8,3112,3113],[1446,3114,3115,3116],[3117],0,0,0,0,0,0,[3118,3119,3120,3121,3122,3123,3124,3125,3126,3127,3128],[3129,3130,3131,3132,3133,3134],[3135,3136,3137],[3135,3136,3137],[32,3138,3139,3140,377,391,169,3141,3142,3143,3144,3137,3145],[3144,3137],[3137],[3137],[3145],[3135,3146],[3135,32],[3135,3137],[3137],[3135,3146],[3135,32],[3144,3137],[3147,3148,3149,3150],[3147,3148,3149,3150],[3147,3148,3149,3150],[3147,3148,3149,3150],[32,293],0,[843],[897,951],[3151],[897,951],0,0,0,0,[2719,548,567],0,0,[16,3152,3153,3154],[461,462,3155,3156,3157,3158,3159,427,115,1599,3160],[461,462,3155,3156,3157,3158,3159,427,115,1599,3161,3162,3163],[461,462,3155,3156,3157,3158,3159,427,115,1599],[1600,1601,3164,3165,3166,1491,17,427,115,1599,3167,3168,3169,3170,1499,3171,3172,3173,3174,3175,3176,3177,1492,1505,3178,561,1611,1612],[1600,1601,3164,3165,3166,1491,17,427,115,1599,3167,3168,3169,3170,1499,3171,3172,3173,3174,3175,3176,3177,1492,1505,3178,561,1611,1612,262,3179,3180,3181,3182,1515,1518,3183,3184],[461,3185,1491,3186,3187],[461,3185,1491,3186,3188,3189,3190,3191,3192,3193,3194,3195,3196,3197,3198,3199,3200,3201,3202,3203,3204,3205,3206,3207,3208,3209,3210,3211,3212],[461,462,3213,3214,1491,1492,1505,427,115,1599,3215,3216,3217,3218,3219,3220],[461,462,3213,3214,3221,3222,1491,427,115,1599,3215,3216,3217,3218,3219,3220,1516,1517,3223,3224,3225,1600,1601,3226,3227,3228,3229,3230,3231,3232,3233,3234,3235,330,640,3236,3237,3238],[461,462,3219,3220,1491,1492,1505,427,115,1599,1515,1518,323
9,3240],[461,462,3213,1491,1492,1505,1515,427,115,1599,3215,3216,1518,1523,3219,3241,3242,3243,3244,3245,3246,3247,3248,3249,3250,3251,3252,3253,3254],[461,462],[461,462,2780,3255,1600,1601],[1600,1601,3256,843,330,640,3257],[1600,1601,3256,843,1491,1492,3257],[461,462,3240,310,1491,3258],[461,462,3240,3259,3260,3261,1516,1517,1600,1601,3256,1699,321,330,640],[897,2671,3262,3263],[660,382,3264,269,2276,16,396],[330,3265,3266],[330,3267],[101],[356,101,381,382,220,264,269,383,384,367,385,386,387,388,389,390,391,392,393,394,395,396,397,378,398,399,1530,330],[[356,1228],[101,475],381,[382,476],[220,477],[264,478],269,383,384,[367,479],[385,480],386,387,388,389,390,391,[392,481],393,394,[395,482],[396,1229],[397,1230],378,398,399,330],[372,3268,3269,3270,3271,3272,3273],[372,900,1408,3274],[3275],[3276,142],[1858],[3277,1534],[1531,1472,1532,1533],[1531,1532,1533],[3278,3279,3280],[1531,1532,1533,1534],[3280],[3281,3280],0,0,[1531,1532,1533],[1531,1532,1533],[524],[3282,3283,3284],0,0,[3285],[2416,3286],[2416,3286],[3287,370],[3287,370],0,[3288],[3289,3290,3291],[3292,3293],[3294],0,0,0,0,[3295],[3296],0,[3297,2740,3298],0,[1472],[3292],[3299],[3299,1472],[3299,3292],[511,512,1606,1607],0,0,0,0,0,[3300,3301,3302,2686,905],[3303],[[897,1720],[3304,1721],[3305,1722],3306,[2663,1723],3307,3308,[3309,1724],3310,3311,3312,3313],[[897,1720],[3304,1721],3305,3306,[2663,1725],3307,[843,1726],3312,660],0,0,[220],[220],[524,513],[524,513],[524,513],[524,513],[524,513],0,[1535,513,524],0,0,0,0,0,[524],[524],[524],0,0,0,[1535,1536,513],[1535,1536,513],[1535,1536,1537,1538,513],[1535,1536,1537,1538,513],[1535,513],[1535,513],[1535,513],[1535,1536,513],0,0,[1535,513],[1535,513],[1535,513],[1535,513],0,0,0,[524],0,0,0,0,0,0,[524],[524],[524],[524],[524],[524],[524],0,[524],[524],[1535,513],[1535,1536,513],[1535,1536,513],[524],0,[524],[1535,1536,1537,1538,1539,1540,513],[524],[524],[524],[524],[524],[524],[524],[524],[524],[524],[1535,1536,1537,1538,1539,1540,1541,513],0,0,[1535,1536,
1537,1538,1539,513],[1535,1536,513],[1535,1536,1537,1538,1539,1540,1541,513],[524],[524],0,[548,560,1752],0,0,0,0,0,[524],[524],[524],[524],0,0,0,0,[524],[524],[524],[524],[524],0,[524],[524],[524],0,0,0,0,0,0,[2518,423,3314,3315,2362,3316,3317,4,3318,525],0,[524],[215,1829,401],[215,1829,401],[215,1829,401],[215,1829,401],[3319],[909,330,3320],[909,330],[909,3321,330],[909,3321,330],[909,3322],[594,595,1933,1934,596,597],[594,595,1933,1934,596,597],[594,595,1933,1934,596,597],[594,595,596,597,598,599,32],[594,595,1933,1934,596,597],[594,3323,596,652,3324,3325,32,3326,3327,3328,3329,3330,3331,3332,3333,1832,3334,1815,1707,3335,3336,1949,1950,3337,110,3338,3339,3340,3341,2048,1600,106,1948,1835,3342,1628,494,17,1934,1941,3343,3344,3345,3346,3347,3348,3349,3350,3351],[594,3323,596,652,3324,3325,32,3326,3327,3328,3329,3330,3331,3332,3333,1832,3334,1815,1707,3335,3336,1949,1950,3337,110,3338,3339,3340,3341,2048,1600,106,1948,1835,3342,1628,494,17,1934,1941,3343,3344,3345,3346,3347,3348,3349,3350,3351],[511,512,1606],[524],[100,470,600,391,3352,2249,3353,3354,3355,3356],[524,513],[524,513],[1535,1536,1537,513],[293],[293],0,[3357],[3357],[3357],[3357],[293,524,513],[293,513],[293,513],[511,512],[293],[293,524,513],0,[511,512,1606],[2110],[3358,896],[3359,330,3358,896],[638],[3359,330,3358,896],[641,642,643,644,330,640],[3360,2150],[3360,2150],[293,3361,3362,3363,3364,3365,3366,32],[3367,3368,513],0,[839,330,840],[513],[511,512,1606,1607,2073,2074,2075,2076,2077,2078,2079,3369],[511,512],[511,512],[325,371,474,1578,17,1579,1580,1581,1582],[293,32],[3370,3371,3372,3373,3374,3375,2352,3376,3377,3378,3379,548],[401,553,1516,549,1566],[401,553,1516,549,1566],[293,466,1609],[293,1609],[524],[3380,843],[524],[3380,843],[524],[524],[3380,3381],[3380,3382],[524,513],[524,513],[[1303,1423],[2603,1560]],[[1303,1423],[2603,1560]],[[1303,1423],[2603,1560]],[[548,1254]],[524],[524],0,[524],[524],0,0,0,[524],[524],[524],[524],[524],[524],[524],[524],[524,513],[524],[524,513],[524],[524
],[524],[524],[524],[524],[524],0,[524],[524],0,0,0,0,0,[2749,2716,3383,3384,3385,3386,3387],[3388],[3388],[3389],[3389],[3389],[3389],0,0,[330,3390],[401,553,549,1566],[401,553,549,1566],[401,553,549,1566],[3391],[3391],[3391],[293,336,1595],[293,336,371],[3043,3044,3045,3046,3047,3048],[3043,3044,3045,3046,3392,3393,3394,3047,3048],0,[293],[293,3395,3396,3078],[3397],[293,3398,3399],[293,560,3400,3401],0,[401,3402,3403,3404,3405,3406,3407,3408,3409,3410,3411],[401,3402,3403,3404,3405,3406,3407,3408,3409,3410,3411],[293,524],[3412,3413,3414],[3415,3416,513],[293,3417,3418,269,3419,3420,2409],[293,3421,3417,3418,269,3419,3422,3420,2409,3423],[1600,1601,1491,1492,1505,1515,1518,427,115,1599,3167,3168,3169,3170,1499,138,1523,3241,3242,3243,3244,3245,3246,3424,3178,561,1611,1612],[1600,1601,1491,1243,1610,115,138,17,1611,1612,1613,1614,1615,1616,1617],[1600,1601,1243,1610,115,295,17],[1600,1601,1243,1610,115,295,17],[1600,1601,1491,1243,115,138,17,1616],[1600,1601,1491,1243,376,1598,367,1688,549,1794,115,3425,1612],[1600,1601,1491,1243,376,1598,367,1688,549,1794,115,3425,1612],[1600,1601,1491,3426,3427,3428,3429,3430,1744,1688,549,1794,424,370,3425,1612],[1600,1601,1491,3426,3427,3428,3429,3430,1744,1688,549,1794,424,370,3425,1612],[1600,1601],[1600,1601],[3431,3432,107],[3431],[3280],[3433,3434,3435,3436],[1535,513],0,[524],0,0,[524,513],[524,513],[524,513],[524,513],[524,513],[3437],[3438,3439],[293],[293],[3440,3441,2403],[3442,3443],[1535,513],[1535,513],[1535,513],[524],0,[524,513],[1535,1536,1537,1538,1539,1540,1541,513],[524,513],[524,513],0,[524,513],0,[524,513],[524,513],[524,513],[524],[524,513],[524,513],[524,513],[524],0,0,[524],0,[1535,1536,1537,1538,1539,513],[1535,513],[524,513],[1535,513],[524,513],[524,513],[524,513],[524,513],0,0,[524],[524],[524],[524],[524],[524],[524],[524],[524],[524],[524],[524],[524],[524],[524],[524],[524,513],[1618,1619],[524],0,[1535,1536,513],[1535,1536,1537,513],[1535,1536,1537,513],0,0,[511,512],[524],[1535,1536,513],[524]
,[524],[524],0,0,[524],[524,513],[1535,1536,513],[511,512,513],[511,512,1606,513],[511,512,513],[511,512],[511,513],[511],[511],[511,512,1606,1607,2073,513],[511,513],[1535,1536,1537,1538,1539,1540,1541,1750,1785,1786,1787,1788,1789,1790,1791,3444,3445,3446,3447,3448,513],[1535,513],[1535,1536,1537,513],[1535,513],[1535,513],0,[524,513],[524,513],[524,513],[524,513],0,0,0,[524,513],[511,512,1606,1607,2073,2074,2075],[1535,1536,513],[1535,513],[1535,513],[1535,1536,513],0,0,0,0,[524],0,0,[524],0,0,[524,513],[524,513],[524,513],[524,513],0,[524,513],[524,513],0,0,0,0,0,0,0,[401,1566,3323,553,1516],[401,1566,3323,553,3449],[401,1566,3323,3450],[401,1566,3323,3450],[401,553,1516,549,1566],0,0,[1535,513],[[3451,1727],377,2269,2487,3452],[[3453,1728],377,2269,2487,3452],[[3454,1729],3455,3456,3457],[[3454,1730],3458,3456,3457,32],[[3451,1727],377,2269,2487,3452],[[3453,1728],377,2269,2487,3452],[[3454,1729],3455,3456,3457],[[3454,1730],3458,3456,3457,32],[215,371,474,3459,3460,426,414,3461],[[1650,691],[1653,694],[391,695],[1654,692],[3462,1731],358,606,3463,32,100],[[1650,691],[1653,694],[391,695],[1654,692],[3462,1731],358,606,3463,32,100],[296,1753,1754,3464,3465,3466,270,3467],[3468,3469,3470,3471,3472,3473,3474,3475,3476,3477,3478,511,512,1606,1607,2073,2074,2075,2076,2077,2078,2079],[[90,87],[91,88],[0,89],[1,90],[2,91],[3,92],[92,93],[93,94],[94,95],[95,96],[96,97],[97,98],[98,99],[99,100],[3479,1732],[100,101]],[[90,87],[91,88],[0,89],[1,90],[2,91],[3,92],[92,93],[93,94],[94,95],[95,96],[96,97],[97,98],[98,99],[99,100],[3479,1732],[100,101]],[[0,89],[1,90],[2,91],[3,92],1885,446,447,326,329,63],0,[3480,3481],[3480,3481],[3480],[3480,3481,3482],[3480,3481,3482,3483],[3480],[3480],[3480,3481],[3480,3481],[3480,3481],[3480],[3480,3481],[3480],[3480],[3480,3481,3482,3483],[3480,3481,3482],[3480,3481,3482,3483],[3480],[3480],[3480],[3480,3481,3482,3483,3484],[3480],[3480,3481,3482,3483,3484,3485,3486,3487,3488,3489,3490,3491,3492,3493,3494,3495,3496,3497,3498,3499,3500
,3501],[3480,3481],[3480],[3480,3481],[3480,3481,3482,3483],[3480,3481],[3480,3481],[3480],[3480],0,0,0,[3502,3503,3504],0,[3502],[[3505,1733],3506,3507,3508,3509,3510,3511,3512,17,3513,3514,3515],[[3516,1734],3517],[[3518,1735],[3519,1736],3520,3521,3522,3523],[[3524,1737],[3525,1738],3520,392,3526,3527],[[3518,1739],[3519,1736],3520,3521,3522,3523],[[3528,1740],3529,3530],[[3531,1741],3529,3530],[[3532,1742],3529,3533,3530],[[3534,1743],3529,3533,3530],[[3535,1744],3529,3533,2234,3530],[[3536,1745],3529,3533,2234,3530],[[3537,1746],3529,3533,3538,3530],[[3539,1747],3540,3530,3541],[[3542,1748],3529,3533,3543,3544,3545,3530,3546,3547,3548],[[3549,1749],3550,3551,3552,2684,264,294,2234],[[3553,1750],3550,3551,3552,2684,264,294,2234],[[3553,1750],3550,3551,3552,2684,2234],[[3553,1750],3550,3551,3552,2684,2234],[[3549,1749],3550,3551,3552,2684,3554],[[3549,1749],3550,3551,3552,2684],[[3555,1751],3556],[[3557,1752],[3558,1753],3556,3559],[[3560,1754],3561],[[3562,1755],900,294],[[3563,1756],3550,3551,3552,2684,2234],[[3563,1756],3550,3551,3552,2684,2234],[[3564,1757],3550,3551,3552,2684],[[3563,1756],3550,3551,3552,2684],[[3563,1756],3550,3551,3552,2684],[[3564,1757],3550,3551,3552,2684],[[3564,1757],3550,3551,3552,2684],[[3564,1757],3550,3551,3552,2684],[[3564,1757],3550,3551,[3565,1758],3552,2684,32],[[3563,1756],3550,3551,3552,2684,2234,32],[370,173,3566,224,3567,3568],[[29,1759],[30,1760],371,474],[548],[[548,1761],[293,1762],[107,1763],3569,3570],[1794,548],[3571,3572,3573,3574,3575,3576,3577,3578,3579,3580,3581],[[115,1764],[293,1765],[1243,1766],[3582,1767],[905,1768],[367,1769],32,[1524,1770],[1525,1771]],[[115,1764],[293,1765],[1243,1766],[3582,1767],[905,1768],[138,1772],[367,1769],[1516,1773],[1517,1774],32,[1524,1770],[1525,1771]],[[293,1765],[1243,1766],[3582,1767],[905,1768],[138,1772],[115,1764],[1524,1770],[1525,1771]],[[293,1765],[1243,1766],[3582,1767],[905,1768],[138,1772],[115,1764],[1516,1773],[1517,1774],[1524,1770],[1525,1771]],[[293,1765],[1243,
1766],[3582,1767],[905,1768],[138,1772],[115,1764],[1524,1770],[1525,1771]],[[293,1765],[1243,1766],[3582,1767],[905,1768],[138,1772],[115,1764],[1516,1773],[1517,1774],[1524,1770],[1525,1771]],[[2177,1775],[115,1764]],[[2177,1775],[115,1764],[1516,1773],[1517,1774]],[[293,1765],[1243,1766],[3582,1767],[905,1768],[138,1772],[3583,1776],[3584,1777],[3585,1778],32,[115,1764],[652,1779],[3586,1780],[1524,1770],[1525,1771],3587,[3588,1781]],[[293,1765],[1243,1766],[3582,1767],[905,1768],[138,1772],[3583,1776],[3584,1777],[3585,1782],[115,1764],[652,1779],[1524,1770],[1525,1771]],[[293,1765],[1243,1766],[3582,1767],[905,1768],[138,1772],[3583,1776],[3584,1777],[3585,1783],[115,1764],[652,1779],[367,1769],[3589,1784],[1516,1773],[1517,1774],[1524,1770],[1525,1771]],[[293,1765],[1243,1766],[3582,1767],[905,1768],[138,1772],[3583,1776],[3584,1777],[3585,1782],[115,1764],[652,1779],[367,1785],[3589,1786],[1516,1773],[1517,1774],[1524,1770],[1525,1771]],[[293,1765],[1243,1766],[3582,1767],[905,1768],[138,1772],[3583,1776],[3584,1777],[3585,1787],[115,1764],[652,1779],[367,1788],[3589,1784],[1516,1773],[1517,1774],[1524,1770],[1525,1771]],[[461,1789],462,[1490,1790],[115,1764],[138,1791],[652,1792],3590,[1525,1771]],[[3591,1793],[1524,1770],[1525,1771]],[[3591,1793],[1525,1771],3592,3593,3594,3595,[3192,1794],[3193,1795],[3194,1796],[3195,1797],[3596,1798],[3597,1799],[3198,1800],[3199,1801],3598,3599,3202,3203,[3204,1802],3205,3206,[3207,1803],[3208,1804]],[3600,3601,[3602,1805],[3218,1806],[115,1764],3219,3220],[[3603,1807],[3604,1808],[3222,1809],[3605,1810],[3225,1811],[3602,1805],[3218,1806],[115,1764],3219,3220,[1516,1773],[1517,1774]],[3219,3220,[3606,1812],[115,1764]],[3607,3220,[3606,1812],[115,1764],[1516,1773],[1517,1774]],[3608,[1516,1773],[1517,1774],[1524,1770],[1525,1771]],[3609,[1516,1773],[1517,1774]],[3600,[3602,1805],3219,[3610,1813],[3249,1814],[3611,1815],[3612,1816],[3253,1817],[3613,1818]],[3600,[3602,1805],3219,[3610,1813],[3249,1814],[3611,1815],[3612,
1816],3614,[3253,1817],[3613,1818]],[3600,[3602,1805],3219,[1516,1773],[1517,1774],[3610,1813],[3249,1814],[3611,1815],[3612,1816],[3253,1817],[3613,1818]],[[2780,1781],3600,3219],[[2780,1781],3600,3219,[1516,1773],[1517,1774]],[[1516,1773],[1517,1774]],[[3615,1819],[1516,1773],[1517,1774],[843,1820]],[[3615,1821],[843,1820]],[[3615,1821]],[[3616,1822],[3617,1823]],[[3618,1824],[3619,1254],448],[[3620,1825],[3621,1826]],[[1516,1773],[1517,1774]],[[3622,1827],3519,1739,1740],[[3622,1827],3519,1739,1740],[[3623,1828],3624],[[3623,1828],293,567],[[1295,1829],[3625,1830],1646,3626,3627,3628,3629,3630,3631,3632],[294,3633,[3634,642],[3635,640],527,215,526,525],[294,3633,[3636,642],[3635,1831],527,215,526,525],[294,3633,[3634,642],[3635,640],527,215,526,525],[294,3633,[3634,642],[3635,640],527,215,526,525],[294,3633,[3634,642],[3635,640],527,215,526,525],[3637,3638],[3513,3639,3026,3640],[3641,3642,3643,3463,3644,3645,3646],[3641,3642,3643,3647,3648,3646],[3641,3642,3643],[3649,3650,3651],[3652,3653,3654],[3652,3653,3654,3655],[3652,3653,3637,3656],[3641,3642,3643,3644,3645],[3657,3658,3659,3660],[3657,3658,3659,3660],[3657,3658,3659,3660],[3657,3658,3659,3660],[3657,3658,3661],[3657,3658,3661,3659],[3657,3662,3663,3664],[3657,3659],[3657,3665,3662,3663,3664],[3657,3665,3659],[3666,3667,3668,3669,3670,3671,3672,3673,3674,3675],[3676],[3676,3677,3678,3679],[3657,3680,3664,3640,3681,3682,3683,3684,3685,3674,3686,3687,3669,3688,3675],[3657,3680,3640,3664,3689],[3657,3680,3640,3664,3676,3690,3691,3666,3692,3693,3694,3695,3696,3697,3698,3699,3673],[3657,3700,3701,3702,3703,3664],[3657,3700,3701,3702,3703,3664],[3704,3657,3705,3706,3707,3676,3689,3708],[3657,3680,3640,3676,3709,3710,3711,3712],[3657,3700,3701,3702,3703,3664],[3657,3713,3714,3715,3686,3716,3671,3692,3685],[3637,3638],[3513,3639,3026,3640],[3660],[3717,3642,3640,3718,3719,3720,3721,3722],[3717,3642,3640],[3717,3642,3640,3723,3718,3719,3720,3721,3722],[3724,3725,3726],0,0,[3717,3642,3640],[3717,3642,3640],[3717,36
42,3640,3727],0,[3728,3729,3642,3730],[3731,3732,3733,3734,3735,3736,3737,3738,3739,3740,3741,3742,3743,3744,3745,3746],[3747,3748,3749,3750,3751,3752],[3657,3660,3664,3753,3754,3703,3640,3673,3755,3674,3756,3757],[3717,3758],[3660],[3759,3656],[3760,3761,3673,3762,3763,3764,3765,3766,3767,3768,3769,3770,3771],[3760,3772,3773],[3774,3775,3776,3777,3778,3779,3780,3781],[3774,3657,3782],[3774,3657,3783,3784],[3774,3657,3785,3786],[3774,3657,3787,3788],[3641,3789],[3641,3789],[3790,3658,3659,3660],[3790,3658,3659,3660],[3790,3658,3659,3660],[3790,3658],[3790,3658,3659],[3637,3638],[3513,3639,3026,3640],[3657,3700,3791,3702,3792,3664],[3793],[3794],0,[3795,3796,3797,3798,3799],[3800,3801],[3796,3802],[3800,3801,3803],[3804,3794],0,[3804,3805,3806,3807,3808],[3297,3800,3801],[3800,3801],0,[3800,3801,3809,3810],[3800,3801],0,0,0,[3800,3801],[3811,3812,3659],0,[3800,3801,3809],[[3813,1832],3814,3815],[[3816,1833],2176,3814,32,3817,3818],[[3819,1834],3820,2095,3821,3822,3823],[[3824,1835],1793,3821,3822],[[3825,1836],1793,32,1796],[[3826,1837],1793,32,1796],[[3827,1838],1793,32,1796],[[3828,1839],3829,1796,3830],[[3831,1840],1793,32,1796],[[3832,1841],531],[[3833,1842],32],[[3825,1836],1793,32,1796],[[3825,1836],1793,32,1796],[[3825,1836],1793,32,1796],[[3825,1836],1793,32,1796],[[3825,1836],1793,32,1796],[[3825,1836],1793,32,1796],[[3834,1843],2719],[[531,1844],[3835,1845],[3836,1846],[1793,1847],[3837,1848],[3838,1849],[3839,1850],[330,1851],[3840,1852],3841,3842,1796,3843,3110,3844,3845,640],[[531,1853],[3835,1854],[3836,1855],[1793,1856],[3837,1857],[3838,1858],[3839,1859],[330,1860],[3840,1861],3841,3842,1796,3843,3110,3844,3845,640],[[531,1862],[3835,1863],[3836,1864],[1793,1865],[3837,1866],[3838,1867],[3839,1868],[330,1869],[3840,1870],3841,3842,3846,1796,3843,3110,3844,3845,640],[[531,1871],[3835,1872],[3836,1873],[1793,1874],[3837,1875],[3838,1876],[3839,1877],[330,1878],[3840,1879],3841,3842,3846,1796,3843,3110,3844,3845,640],[[3847,1880],1793,531,1794],[[3848,18
81],1793,531,1794],[[3849,1882],370,548,3850],[3851,3852,3853,3854,[3855,1883],3856,3857,1550,3858,2152,3859,3860],[[1622,1884],[2195,1885],[3861,1886],[3862,1887],[3863,1888],3864,3865,3866],[3867,3868,3869,3870],[3871,3869,3870],[3871,3869,3870],[3867,2457,3869,3870],[3872,3869,3870],[3873,3869,3870],[367,3874,295,3869,3870],[3875,3876,3869,3870],[3870],[3870],[3870],[3869,3870],[3870],[3870],[3870],[3870],[3877,3878,3870],[3879,3880,3870,3881],[3879,3880,3870,3882],[3879,3880,3870,3883],[3879,3880,3870,3884],[3879,3880,3870,3885],[3886,3870],[2160,3869,3870],[3887,1882,3870],[3870],[3870],[3887,3870],[[3888,1889],3889,3870],[3481,3890,3870],[3481,3482,3890,3870],[3481,3482,3890,3870],[3481,3482,3890,3870],[3026,3870],[3891,3892,3870],[3870],[3870],[367,3874,295,3869,3870],[[3893,1890],524,3870],[[3894,1891],524,3870],[3895,3870],[3026,3895,3870],[3026,3895,3870],[3870],[3896,3897,3870,3898,3899],[3900,3901,3870],[3870],[3870],[3870],[3870],[3870],[3870],[3870],[3870],[3870],[3870],[1263,3870,3902],[1263,3870,3902],[3895,3870],[3111,3870],[3870],[3903,3870],[3870],[3870],[3870],[3887,3026,2379,3870],[3887,3026,2379,3870],[3887,3026,2379,3870],[3870],[3870],[3870],[3870],[3904,3871,3870],[3870],[3904,3871,3870],[3870],[3905,3906,3869,3870],[3905,3906,3869,3870],[3481,3890,3870],[1815,1816,356,1817,1818,1819,1820,127,120,3907,3908,1825,1826],[1815,1816,356,1817,1818,1819,1820,127,120,3907,3908,1825,1826],[[3909,1892],3910,3911,3912,294,548],[[3913,1893],3914,3915,330,843,3916],[[3917,1894],525,3918,1687,330,3919],[[3920,1895],3921,294,3922,1936,3923,3924],[[3925,1896],3922,3926,3927,3928],[[3929,1897],3930,3931,3932,330,3933],[[3934,1898],330],[3922,3935,[3936,1899],3937,186,367,3938,3939],[3922,3935,[3940,1900],3937,186,367,3938,3939],[[3941,1901],3452,3938,1595],[[3942,1902],3452,3938,1595],[[3943,1903],3452,3938,1595],[3922,3935,[3944,1904],186,367,3945,3938,3939,3946],[[3947,1905],3452,3938,1595],[[3948,1906],3938],[[3949,1907],3938],[[1595,1908],1887,3938],[392
2,3935,[3940,1900],3937,186,3945,3938,3946],[[3950,1909],3452,3938,1595],[[3951,1910],3452,3938,1595],[3922,3952,[3953,1911],3938,525],[[3954,1912],3938],[[3955,1913],115,525,424,370],[[3956,1914],115,525,424,370],[[3957,1915],3952,3958,3938],[[3959,1916],3960,3961,1418],[[3962,1917],3960,3961,1418],[[3963,1918],3938],[[3964,1919],370,1853],[[3965,1920],370,1853],[[3966,1921],370,1264],[[3967,1922],370,1264],[[3968,1923],1636,3969,3970],[[3971,1924],3969,3970],[[3972,1925],[3973,1926],3969,3970],[[3974,1927],3975,1636,3969,3970,3976],[[3977,1928],3969,3970,3976],[[3978,1929],3969],[[3979,1930],1636,3969,3970],[[3980,1931],1636,3969,3970],[[3981,1932],3982,3983,3969,3970,3976],[[3984,1933],3985,3986,1636,3987,3970,3976,3988],[[3973,1934],[1636,1926],3969,3970,3976,3988],[231,1845,1846],[[531,1935],115,16],[[531,1935],115,16],[[531,1935],115,16],[[531,1935],115,16],[[531,1935],115,16],[[531,1935],115,16],[[531,1935],115,16],[[531,1935],115,16],[330,560,561],[215,559,330],[215,559,330],[3989,330],0,[231,232],[231,3990],[231,3990],[370,3991,3992,330,3993],[370,573,330],[3989,330],[1829,330],[1829,3994],[3989,330],[215],[458],[458],[458],[458],[1870,1871,330,3995],[3996,3997,843],[458],[571,330],[370,1628],[138],[1860,548],[494,555,3998,330,215,559,3999],[494,555,3998,330,215,559,3999],[330],[330],[330],[330],[494,555,3998,330,215],[231,330],[231,4000],[231,4000],[231,4000],[231,4000],[231,4000],[4001,4002],[264,4001,231,4003,4002,4004],[1604],0,0,0,0,[4005,2161,2160,4006],[4005,2161,4007],[4005,2161,4008],[4005,2161,4008],0,0,0,0,[330,4009,[4010,1936],2234,4011,4012,4013],[4014,4015],[4014,4015],[4016],0,0,0,0,0,0,0,0,0,[330],[231,4017,3937,370],[4017,4018,2041,336,531],[4019,4020,2234,466],[32,2684],[4021,4022,1564],[4023,4024,4025,4026,4027,4028,4029,4030,1564],[4031,4032,1564],[4033,4034,4035,4036,4037,4038,4039,4040,4041,4042,1564],[4043,4044,1564],[4045,4046,4047,4048,4049,4050,4051,4052,4053,1564],[4054,4055,1564],[4056,4057,4058,4059,4060,4061,4062,4063,4064,1564
],[4065,4066,4067,1564],[4068,4069,1564],[4070,4071,4072,4073,4074,1564],[4075,4076,4077,4078,4079,4080,4081,1564],[[909,1937],[4082,1938],[4083,1939],330,3320],[[909,1940],[4084,1941],[4085,1942]],[[909,1940]],[1560,1561,1562,1563,1564],[1560,1561,1562,1926,1563,1564],[1560,1561,1562,1563,1564],[293,4086,330],[293,428,330,1751],[293,4086,4087,629],[293,4086],[293,4088,3867,330,1607,2069],[293,4089,1900,4090,1607,2073,4091],[293,4088,4092],[293,330],[893],[893],[893,2728],0,[[4093,1943],879],0,[4094],[1633,377,3026],[1535,1257,1633,377,3026,524],[1535,1257,1633,377,3026,524],[197,4095,4096],0,0,[594,595,1933,1934,596,597],[594,595,1933,1934,596,597],[594,595,1933,1934,596,597],[594,595],[4097],[4097,32],[1948,32],[1948],[[4098,1944],3149,3148,893,401],[[511,1945]],[[511,1946]],[[511,1947]],[[511,1948]],[[511,1949]],[[511,1950]],[[511,1951]],[[511,1952],[512,1953],[1606,1954]],[[511,1955]],[[511,1956]],[[511,1957]],[[4099,1958],4100,1248,909],0,0,[4100,1248,4101,909],0,0,[494,4102],[32,4103],[32,4103],0,[[4104,1959],4105,[391,1960],[1654,692],4106,4107,32,17],[[4104,1959],[4108,1961],[391,695],[1654,692],4106,4109,32,17,4110,4111],[[391,695],[1654,692],32,17],[[391,695],[1654,692],32,17],[4112,567,4113,[4114,836],853,854,4115,4116,2684,594,494,852],[4112,567,4113,[4114,836],853,854,4115,4116,2684,594,494,852],[4117,4118,909,4119],[4009,4120,4121,[4122,1962],[4123,1963],4117,4124,4125,4126,4127,4128,4129,4130],[4009,4131,4132,[4133,1962],[4134,1964],[4135,1965],[4131,1966],[4136,1967],[4137,1968],[4138,1964],[4139,1969],4117,4124,4125,4126,4140,4141,4142,4143,4144,4145,4146,4147,330,560,4148],[217,4149,[4150,1970]],[4009,4151,4152,[4153,1962],[4154,1971],[1593,1972],[4155,1973],4117,4124,4125,4126,4156,4157,4158,4159],[4009,4151,4152,[1593,1962],[4160,1971],[4161,1972],4117,4124,4125,4126,4156,4157,4159,4162],[4009,4151,1593,[4160,1962],[4163,1971],4117,4124,4125,4126,4156,4159,3143],[4009,4138,4139,[4164,1962],[4165,257],[4166,1974],[4161,1975],[4167,1976],[4168,1977
],[4169,1978],[4170,1979],[4171,1980],[4172,1981],4117,4124,4125,4126,330,560,4173,4174,4175,4162,4176,4177,4178,4179,4180,4181,4182,4183,4184,4185,4186,3023],[4160,4009,4138,4139,[4187,1962],[4161,257],[4170,1974],[4171,1982],4117,4124,4125,4126,330,560,4188,4162,4183,4184,4189,4190,4191,3023],[4160,4163,[4009,1983],4138,4139,[4192,1962],[4193,257],4117,3143,4124,4125,4126,330,560,4194,4195,3023],[4009,4138,4139,[4196,1962],[4169,257],[4170,1974],[4171,1984],4117,4124,4125,4126,330,560,4197,4198,4183,4184,4199,4200,3023],[4009,4201,1593,[4202,1962],4117,4124,4125,4126,4203,4159,4204],[4009,4201,1593,[4202,1962],4117,4124,4125,4126,4203,4159,4204],[4009,4201,1593,[4202,1962],4117,4124,4125,4126,4203,4159,4204],[4009,4201,1593,[4202,1962],4117,4124,4125,4126,4203,4159,4204],[4009,4201,1593,[4202,1962],4117,4124,4125,4126,4203,4159,4204],[4009,4151,4152,[4153,1962],[4154,1971],[1593,1972],[4155,1973],[4205,1985],4117,4124,4125,4126,4156,4157,4158,4159,4150],[4009,4151,4206,[1593,1962],4117,4124,4125,4126,4207,4208,4159],[4009,4138,4139,[4164,1962],[4165,257],[4166,1974],[4161,1975],[4167,1976],[4209,1977],[4210,1978],[4211,1979],[4212,1986],[4213,1987],[4214,1988],[4215,1989],[4216,1990],[4217,1991],[4218,1992],[4170,1993],[4219,1994],[4220,1995],4117,4124,4125,4126,330,560,4173,4221,4222,4223,4176,4224,4225,4226,4227,4228,4229,4230,4231,4232,4233,4183,4234,4235,4186,3023],[4009,4201,1593,[4202,1962],4117,4124,4125,4126,4203,4159,4204],[4009,4164,[4165,1975],[4166,1976],[4161,1977],[4167,1978],4209,4210,4211,[4212,1988],[4213,1989],4214,4215,[4216,1992],[4217,1993],[4218,1994],[4170,1995],[4219,1996],[4220,1997],4125,4126,4173,4221,4222,4223,4176,4224,4225,4226,4227,4228,4229,4230,4231,4232,4233,4183,4234,4235,3023],[[4236,1998],4237,4238,4239],[4240,330],0,0,0,0,0,[525],0,0,[1246],[1246,1247],[525],0,0,0,[1246],0,[525],0,[1246],[1246,4241,4242,4243,4244,4245],[525],[1460,1247,1952,1953,4244],[1246,4246,4242,4243,4244,4247,4248],[1246,1247,4242,4243,4244],[1246,1247,1
952,4249,4250,1954],0,[1246,1247,1952,4249,4250,1954],[1246,1247,1952],[1246],[1246,1247,1952],0,[1246,1247,1952],[1246,1247,1952],0,[1246,1247],[1246,1247,525],[1246,525],[1246,1954,525],[1246,1247,4242,4243,4244],[525],[1246,525],[1246,1247,1952,1953,4244,4245,4248,4251,4252],[1246],[1246,525],[525],[525],[525],[525],[1954],[1246,525],[1954],0,[1246,1247,1952,525],[1954],[1246,1247,1952,525],[1954,525],[525],[1246,525],0,0,[1246],[1246],[525],0,[1246,1247,1952,1953,4250,1954],0,[525],[1246],[1246,1247,1952,1953,1954,1956],[1246,1954,525],[525],[525],[1246,525],[1954,1955,525],[1954],[1954],0,0,[1954],[1954],0,[1954,1955,1956],[525],[525],[525],[525],[1954,1955],0,[1954,525],[[4253,1999],4254,4255],[4256,4257,[4258,2000],[4259,2001],[4260,2002],4254,4261,4262,4263,4264,4265,4266],[4267,4268,4269],[4267,2409,166,4270,391,32,4271],[4272,[4273,2003],3515],[1573],[1573,4274],0,[1573,4275],[1573,330],[1573],[1573],[1573],0,[330,4276],[2626],[2626],[2626],[2626],[2626],[2626,657],[2626,4277],[2626],[2626],[2626,657],[2626],[4277,2626],[2626],[1976,2626,4278],[1976,2626,4278],[1655,4279,4280,4281,4282,4283,4284],[1655,2626],[1655,2626,657,4285,4286],[2626,4278],[2626,4278],0,[897,2626],[897,2626],[897,2626],[897,2626],[897,2626],0,0,[330],[1573],0,[330],[330],[330],[330],[2626],[2626],[2626,4278,4287],[2626,657],[2626,657],[2626,657],[1976,2626,4278],[1976,2626,4278],[2626,4288],[2626,4278],[2626,4278],0,[2626,4278,4287],[897,2626],[897,2626],[1983,1661,1984,657,1985,1986],[548,1991,1992,1661],[4289,4290,293,115],[4291,4292,293,115],[4293,4294,293,115],[4295,4296,4297,293,3111,115],[4298,293],[1622,2041,293,2045,2046],[[4299,2004],[1852,2005],[4300,2006],[4301,2007],4302,4303,4304,4305],[[4306,2008],[4307,2009],[4308,2010],[4309,2011],[4310,2012],4311,4312,4313,4314,4315],[511,512,1606,1607,513],[4316,4317,1392,4318,2080,2081,4319],[296,2080,2081,2082],[296,2080,2081,2082],[296,2080,2081,2082,4320,4321],[296,2080,2081,2082,4320,4321],[296,2082,4322],[296,2080,2081,2082,43
20,4321],[296],[296,4323,4324,4325,1573,1301,4326,2082,4322,4327],[296,1753,4328,2082],[296,1753,4328,4329,2082,4320,4321],[296,4324,4325,1573,1301,2082,4322],[296,32,298,2082,4322],[296,2082,4322],[296,1753,1754,270,2082,4322],[296,1753,1754,32,298,2082,4322],[296,1753,270,4324,2082,4322],[296,1753,4324,270,32,298,2082,4322],[1573,2370,4330,4331,4332,4333,330,4334],[293,511,512,513,4335,3515],[2087,2083],[294,2089,2090,2091,2092,2087,2093,2083],[294,2089,2090,2091,2092,2087,2093,2083],[294,2089,2087,2093,2083],[4336,4337,2095],0,[2087,4338],0,[4339,4340,4341,1660,4342,1661],[4343,4344,1660,2111],[4345,1660],[4345,4346,4347,1660,4348,1858],[4349,1660],[4350,4351,1660,1858],[4352,4353,4354,4355,4356,1660,1661,4357,317,4358],[4359,4360,4361,4362,4363,4364,1660,1661,4365,2050,3341,106],[4366,4367,4368,4369,1660,1661,4357,2111],[4370,4371,4372,1660,1661,2111],[1662,1663,1664,1665,1666,1667,1668,1669,1670,1660,1661,1671,1672,1673,1674,1675,1676,32],[1662,1663,1664,1665,1666,1667,1668,1669,1670,1660,1661,1671,1672,1673,1674,1675,1676,32],[1662,1663,1664,1665,1666,1667,1668,1669,1670,1660,1661,1671,1672,1673,1674,1675,1676,32],[4373,1660],[4373,1660],[[4374,2013]],[4375],[4375],[4375],[4376,2624],[4376,2624],0,[4377,554],0,0,0,0,0,[1688,554,4378,4379,[4380,1000],890,2112,2113,2114,17,494,4381,4382,4383],[[4384,2014],905,1713,4385],[[4386,2015],905,1713,4385],[[4387,2016],4388],[[4389,2017],4388],[[4390,2018],905,1713,4385],[[4391,2019],905,1713,4385],[[4392,2020],4388],[[4393,2021],4388],[[4394,2022],905,1713,4395],[[4396,2023],905,1713,4395],[[4397,2024],905,1713,4395],[[4398,2025],905,1713,4395],[[4399,2026],905,1713],[[4400,2027],905,1713],[[4401,2028],905,1713],[[4402,2029],905,1713],[[4403,2030],905,1713],[[4404,2031],905,1713],[[4405,2032],905,1713],[[4406,2033],905,1713],[[4407,2034],905,1713],[[4408,2035],905,1713],[[4409,2036],905,1713],[[4410,2037],905,1713],[[4411,2038],905,1713],[[4412,2039],905,1713],[[4413,2040],905,1713],[[4414,2041],905,1713],[[4415,2042],9
05,1713],[[4416,2043],905,1713],[[4417,2044],905,1713],[[4418,2045],905,1713],[[4419,2046],4388],[[4420,2047],4388],[[4421,2048],4388],[[4422,2049],4388],[[4423,2050],4388],[[4424,2051],4388],[[4425,2052],4388],[[4426,2053],4388],[[4427,2054],4388],[[4428,2055],4388],[[4429,2056],905,1713,4395],[[4430,2057],905,1713,4395],[[4431,2058],905,1713,4395],[[4432,2059],905,1713,4395],[[4433,2060],905,1713,4434],[[4435,2061],905,1713,4434],[621,622,623,624,625,626,627,628,4436],[623],[623,4437],[2148,330,622,623,2149],[[4438,2062],4439,4440,4441,4442,4443],[[1852,2063],[4444,2064],[3836,2065],[4445,2066],371,370,3842,4446],[[294,2067],[4447,2068],4448,4449],[4450,4451,3410,4452],[4453,4454,[4455,2069],4456,4457,4458,4459,4460,531,4461,4462,4463,4464,4465,4466,4467,4468],[[1852,2070],[4444,2071],[3836,2072],[4445,2073],[4469,2074],[4470,2075],[4471,2076],371,370,3842,4446,4472,4473,4474],0,[[1852,2077],[4444,2078],[427,2079],[4475,2080],371,370],[[4444,2081],370],[[4444,2082],[1852,2083],[4476,2084],370,371,4477],[[1852,2085],[4444,2086],[4478,2087],371,370,4479],[[1852,2088],[4444,2089],[4480,2090],371,4481,4482],[[4444,2091],[1852,2092],[4483,2093],370,4484,4485],[[4480,2094],4482],[[4444,2095],[4483,2096],370,4485],[[4444,2097],370],[[4486,2098],548],[[4487,2099],4488,548,401],[[4489,2100],548],[[4490,2101],548],[[4491,2102],548],[[4492,2103],548],[[4493,2104],548],[[4494,2105],548],[[4495,2106],548],[[4496,2107],909,548,4497],[[4498,2108],909,548,4497],[[4499,2109],909,548,4497],[[4500,2110],909,548,4497],[[4501,2111],909,548,4497],[[4502,2112],2237,909,548,4503,4497],[[4494,2105],548],[[4499,2109],909,548,4497],[4504,4505,4506],[4507,4508],[1535,4509,4510,1633,4511,524],[[4512,2113],4513,4514,4270],[[4515,2114],4516,4517,4518],[[4519,2115],4516,4520,4517,4518,4521],[[4522,2116],4516,4517,4518],[[4523,2117],4516,4520,4517,4518,4521],[[4524,2118],4525,4526,4527,4528,330,32,4529,4530,1301,4531,1303,4532,4533,4534],[[4535,2119],2416,4536,4525],[[4537,2120],4525,4538,4539],[
[4540,2121],4525,4541,2416,4536,4538],[4542,[4527,2122],4528,4543,4544,4545,4546,4530,1301,4531,1303,4547,4548,4549,4550,32],[4551,[4527,2123],4528,4543,4552,4530,1301,4531,1303,4547,4548,4553],[[4554,2124],4555,1254,4556],[[4557,2125],32],[2153,32,16,2152,370],[2153,2150,32,16,2152,370],[2379,32,16,2152,370],[2379,32,16,2152,370],[4558,4559,4560,4561,4562,3139,4563,4564],[4558,4559,4560,4561,4565,4566,4567,4562,3139,4563,4564],[2154,2157,4568,531],[2154,2157,4568,531],[2154,2157,2158,4568,531,4504],[2154,2157,2158,4568,531,4504],[2154,2157,2158,2159,4568,531,4504,4505],[2154,2157,2158,4568,531,4504],0,[1336],[4569,4570,4571,4572,4573,4574,4575],[4576],[4576],0,[4577],[4578,4579,2661,4580,4581,4582,4583,4584,4585,4586,4587,3849],[4588,4589,4590,4591,4592,4593,3081,4594,646],[[4595,2126],4596,4597,4598],[4599,4589,4600,4601],[[4602,2127],4603,4604,4605,4606,2274,225,553],[32,[4607,2128],4608,4609,4610,2894],[4611,[4612,2129],32,4609,4613,4614,4610,2894],[890,992,1011,988,1100,1101,1103,1104,1105,1108,1109,1110,1111,1112,1113,1114,1115,1116,1117,1118,1119,1120,1121,1122,1123,1124,1125,1126,1127,1128,1129,1130,1131,1132,1133,1134,1135,1136,1137,1138,1139,1140,4615],[890,992,1011,988,1100,1101,1103,1104,1105,1108,1109,1110,1111,1112,1113,1114,1115,1116,1117,1118,1119,1120,1121,1122,1123,1124,1125,1126,1127,1128,1129,1130,1131,1132,1133,1134,1135,1136,1137,1138,1139,1140,4616,4617,4618,4619,4620,4621,4622,4623,4624,4625,4626,4627,4628,4629,4630,4631,4632,4633,4615],[4634,4635,4636,4637,4562,3139,4638,4639],[4634,4635,4636,4637,4562,3139,4638,4639],[4558,4559,4640,4641,2156,4642,4643,4562,3139,1887,4644,330,4118,4645],0,0,[4558,4559,4562,3139],[4558,4559,4562,3139],0,0,[2158,4504],[2158,4504],0,[4558,4559,4562,3139],[2158,4504],[4558,4559,2155,2156,4562,3139,560,330],[2155,2156,560,330],[4504],[4558,4559,4562,3139],[4558,4559,4562,3139],[2158,4504],[2158,4504],[4558,4559,4562,3139],[4558,4559,4562,3139],[4558,4559,4562,3139],[4558,4559,4562,3139],0,[2158,2159,4646,4504,45
05,4506],[4558,4559,4562,3139],[2158,4504],0,[2158,2159,4646,4647,4504,4505,4506,4648],[2158,2159,4646,4647,4504,4505,4506,4648],[2158,2159,4646,4647,4504,4505,4506,4648],[2158,2159,4646,4647,4504,4505,4506,4648],[2158,2159,4646,4504,4505,4506],[2158,2159,4646,4647,4649,4504,4505,4506,4648,4650],[2158,2159,4504,4505],[2158,4504],[4558,4559,4651,4652,4653,4562,3139,4654,4655,4656],[2158,2159,4504,4505],[2158,2159,4504,4505],[2158,2159,4646,4647,4504,4505,4506,4648],[2158,2159,4646,4504,4505,4506],[2158,2159,4504,4505],[2158,2159,4646,4504,4505,4506],[2158,2159,4504,4505],[4657,4658],[4657,4658],[4657,4658],[4657,4658],[4657,4658],[4657,4658],[4657,4658],[4659,4660,4661,4662,391,4663],[4659,4660,4661,4662,391,4663],[4664,4665,4666,4667,4659,4660,4661,4662,391,4663],[4664,4665,4666,4667,4659,4660,4661,4662,391,4663],[4664,4665,4666,4667,4659,4660,4661,4662,391,4663],[4668,4639,4669,4670],[4668,4639,4669,4670],[4668,4639,4669,4670],[4668,4639,4669,4670,4659,4660,4661,4662,391,4671,4672,4673,4674,4675,4676],[4677,4678,32,4668,4639,4669,4670,4679,4680,4681,4682],[4668,4639,4669,4670,4664,4665,4666,4667,4659,4660,4661,4662,4683,32],[4668,4639,4669,4670],[4668,4639,4669,4670],[4659,4660,4661,4662,391,4663],[32,4659,4660,4661,4662,4684],[4659,4660,4661,4662,391,4663],[4685,4686,4687,4688],[4668,4639,4669,4670,4664,4665,4666,4667,4659,4660,4661,4662],[4668,4639,4669,4670,217,4689],[4668,4639,4664,4665],[4664,4665,4666,4667,4659,4660,4661,4662,391,4663],[4688,4686,166,4690,4691,4692],[4558,4559,4651,4652,4653,4562,3139,4654,4655,4656],[4558,4559,4562,3139],[4558,4559,4562,3139],[4558,4559,4562,3139],[4558,4559,4562,3139],[4558,4559,4562,3139],[4558,4559,4562,3139],[4558,4559,4693,4694,4695,4696,4697,4698,4562,3139,4570,4699,4700,4701,4702,4703,4704],[4558,4559,2156,4705,2158,2159,4562,3139,330,567,4504,4505],[4558,4559,2156,4705,2158,2159,4646,4562,3139,330,567,4504,4505,4506],[4558,4559,2156,4705,2158,4562,3139,330,567,4504],[525,1755,294,401,1248,4706,4707,4708],[1755,4709,1
757,4710],[1756],[879,330,4357,376,401,4711,4712,4713,4714,4715,4716,4717],[2176,2177,4711,4712,4713,4714,4715,4716,4717,4718,4719,4720,560],0,[371,2160,2068,4119],[4721,4722,[4723,2130],[4724,2131],[2491,2132],[2494,2133],4725,4726,4727,4728,4729,4730,266,289],[[4731,2134],2638,4732,4733,1900,4734,2671],[[4735,2135],4736,4737],[[4738,2136],4739,4740,4741,4736,4742],[[4738,2136],4739,4740,4741,4736,4742],[[4735,2135],4736,4737],[4743,4744,32,1459],[4743,4744,32],[32,391],[4743,4744,32,1459],0,0,[4745,444,4543,4746],[4747,4748,4749,4750],[[4751,2137],32],[[4752,2138],32],[[4753,2139],4754,4755,1673,1674],[[4756,2140],553,32,4757],[[4758,2141],581],[[4759,2142],838],[[4760,2143],838],[[4761,2144],838],[[4762,2145],4763],[839,494,330,840,321],[839,494,330,840,4764],[4765,330],[4766,4767,4768,4769,32,4770,4771],[[4772,2146],838,4616,4773,4774,4775,4776],[[4777,2147],4778,4779,4780,4781,4782,4783,4784],[1687,4785,4786,4787,4788,4789,4790,4791,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[1687,4785,4786,4787,4788,4789,4794,4795,4796,4797,4798,4799,4800,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[1687,4785,4786,4787,4788,4789,4794,4795,4796,4797,4798,4799,4800,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[1687,4785,4786,4787,4788,4789,4790,4791,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[1687,4785,4786,4787,4788,4789,4794,4795,4796,4797,4798,4799,4800,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[1687,4785,4786,4787,4788,4789,4794,4795,4796,4797,4798,4799,4800,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[4801,4802,4803,4804,4805,4806,4807,[4808,2148],[4809,2149],[4810,2150],[32,2151],[4811,2152],855,856,857,858,859,860,861,862,863,864,865,866,867,4812],[4801,4802,4803,4804,4805,4806,4807,[4808,2148],[4809,2149],[4810,2150],[32,2151],[4811,2152],855,856,857
,858,859,860,861,862,863,864,865,866,867,4812],[855,857,870,32,4802],[32,4813,[4814,804],4815,4816,871,4817,872],[[4818,2153],[4819,2154]],[4820,4821,4822,4823,4824,4825,4826,4827,4757,4828,4829,4830,4831,4832,4833,4834,4835,4836,4837,4838,4839],[[4840,2155],4841,4842],[2225,2226],[262,4843,4844,4845,4846,2388,391,4847,4848,144,1459,4849,3639,231,1626,4850],[262,4843,4844,4851,1858,141,4852,4853,4854,4855,4856,4857,4858,4859,4860,1459],[262,4861,4862,4863,4864,4865,4866,4867,4868,4869],[262,4861,4862,4863,4864,4865,4866,4867,4868,4869,4870],[4871,3511,262,4872,3639,4873,1459],[4871,3511,262,4872,3639,4873,1459],[262,4861,4874,4875],[262,4861,4874,4875],[262,4861,4874,4875],[262,4861,4874,4875],[4876,4877,657,4878,4879],[4876,4877,657,4878,4879],[4880,467,4881,[4882,2156],2081,4883,468,4884,4885,2234,2235],[4880,467,4881,[4882,2156],2081,4883,468,4884,4885,2234,2235],[4880,467,4881,[4882,2156],2081,4883,468,4884,4885,2234,2235],[4880,467,4881,[4882,2156],2081,4883,468,4884,4885,2234,2235],[4886,4887,4888,[4889,2157],4890,1707,4891,4892,4893,660],[[629,2158],3502],[[629,2159],[4138,2160],3502,3503],[[4894,2161],[4895,2162],3502,3503],[[4896,2163],2270,4897,4898,4899,4900],[[4901,2164],2270,4897,4898,4899,4900],[[4902,2165],4903,4904,4905],[[4902,2166],4903,4904,4905],[[4906,2167],4907,4908,4909,4904,4910,4905,4911,4912,4913],[[4914,2168],4915,4916,4917],[[4918,2169],4915,4919,4916,4917,4920],[[4896,2163],2270,4897,4921,4899,4900],[[4901,2164],2270,4897,4921,4899,4900],[[4922,2170],3357],[[4896,2163],2270,4897,4898,4899,4900],[[4901,2164],2270,4897,4898,4899,4900],[[4923,2171],548,4924,4925],[[4926,2172],548,4924,4925],[[4927,2173],2150,4924,4899],[4928,[4929,2174],4930,4931],[[4932,2175],4933],[4928,[4934,2176],4930,4935],[[4936,2177],4937],[[4938,2178],4933],[[4939,2179],4940,4941,4942],[[4943,2180],[4944,2181],[4945,2182],[4946,2183],[4947,2184],[4948,2185],[4947,2184],4949,4950,4951,4952,4953,4954,4955],[1246],[4956,3237],0,0,0,0,0,0,0,[[4957,2186],1246],[[4958,218
7],549,292,4959,1246,1247,1952,1461],[1246],[1246],[1246],[[4960,2188],4961,4962,4963,4964,1246,4965,4966,1247,1952],[[4967,2189],376,4965,4966],[1246],0,0,0,0,[1246],[1246],[1246],[[4968,2190],4969,4970,4971,4972,4973,4974,4975,4976],[[4977,2191],4978,4979,4980,4981,4982,4983,4984,4985,4986],[[4987,2192],567,4988,4335,3515],[[511,2193],[512,2194],[1606,2195],[1607,2196],[2073,2197],[2074,2198],[2075,2199],4989],[[511,2200],4989],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4990,2201],424,4991,4992,4993,4994,4995],[[4996,2202],2250,4997],[[4996,2202],2250,4997],[[4996,2202],2250,4997],[[4996,2202],2250,4997,4998],[[4996,2202],2250,4997],[[4996,2202],2250,4997],[[4996,2202],2250,4997],[4999,[5000,828],5001,[5002,2203],5003,[5004,2204],897,898,899,5005,18,5006,5007],[5008,[5009,828],897,898,899,5010],[5011,[5012,828],897,898,899],[5013,[5012,828],897,898,899],[5014,548,[5015,2205],898,897,5016,5017,330,2069,5018],[2457,[5019,2206],5020,5021,5022,5023,5024,5025,5026,5027,5028],[5029,[5030,2207],5031,5032,1572,5033],[[5034,2208],5035,5036,5037],[[5038,2209],5039,5040],[[5041,2210],4576,264,898,5042,5043,5044,5045],[[5046,2211],5047,4014,5048],[5049,909,5050],[5049,909,5050],[5049,909,5050],[[5051,2212],1574,5052,5053],[548],[548],[4438,5054,5055,[5056,2213],5057,4441,5058,5059,5060,1387,1390],[4438,5054,5061,[5062,2213],5057,4441,5058,5059,5063,5064,5065],[4438,5054,5061,[5062,2213],5057,4441,5058,5059,5063,5064,5065],[4438,5054,5061,[5062,2213],5057,4441,5058,505
9,5063,5064,5065],[[5066,2214],5067,5068,5069,2491,1303,5070,2494,5071,5072,5073],[5074,[5075,2215],897,5076,330,5077,5078],[897,5076,330],[1705,5079,[548,2216],928,915,890,852,5080,401,5081,3150],[5082,4112,5083,5084,5085,[5086,2217],5087,910,853,854,5088,594,494,5089,5090,5091,5092,5093,843,2667],[1705,5079,[548,2216],[5094,2218],5095,928,915,890,852,5080,401,5081,3150],[1705,5079,[548,2216],[5094,2218],5095,928,915,890,852,5080,401,5081,3150],[910,853,854,938,998,5096,5097,5098,5099,5100,5101,5102,5103,5104,5105],[[5106,2219],5107,5108,5109,5110,5111,5112,5113],[[548,2220],910,911,912,913,914,915,890,916,917,918,919,920,921,922,923,924,925,5114,926,927,928],[[548,2220],5079,5115,910,911,912,913,914,915,890,916,917,918,919,920,921,922,923,924,925,2866,938,5114,926,927,937,5116],[[5117,2221],843,5118],[[5119,2222],843,548,5118],[[5120,2223],843,5118],[[5121,2224],843,5118],[911,912,915,[890,2225],548,916,917,918,919,920,921,922,923,924,925,926,927],[29,1705,1702,[1706,1260],[1707,1261],224,890,32,1708],[29,1705,1702,[1706,1260],[1707,1261],224,890,32,1708],[325,371,474,1578,17,1579,1580,1581,1582],[[1583,2226],[5122,2227],[5123,2228],[5124,2229],1578,17,5125,5126],[[1583,2230],[5122,2231],[5123,2232],[5124,2233],1578,17,5125,5126],[1459,5127,5122,5128],[[5129,2234],5130,32,5131],[[5132,2235],5130,5131,5133],[[5134,2236],401,5135],[[5136,2237],376,32],[[5137,2238],5138,5139,466,5140,294,5141],[[5142,2239],391,294],[[5143,2240],5144,5145,612,5146,5147],[[5148,2241],5145,612,5141],[[5149,2242],32,5139,612,401,5141],[[5150,2243],5151,5152,5153,401,1325],[[5154,2244],5155,5156],[[5157,2245],5158],[[5159,2246],424,5155],[[5160,2247],32,5161],[[5162,2248],401,1325],[[5163,2249],3030,5164,5138,5139,5165,5140,294,5166,5141,466],[[5148,2241],5145,612,5141],[[5143,2240],5144,5145,612,5146,5147],[[5167,2250],5168,1418,3961],[[5169,2251],32,293,612,5170,5171,1729],[[392,2251],32,293,612,5170,5171,1729],[[391,2252],376,293,2783,904,5172,5173,906],[5174,2267,[5175,2253],[1358,225
4],[2270,2255],916,5176,5177,918,920,444,5178,5179,5180,5181,5182],[5174,2267,[5175,2253],[1358,2254],[2270,2255],916,5176,5177,918,920,444,5178,5179,5180,5181,5182],[5174,2267,[5175,2256],[1358,2257],[2270,2258],916,5176,5177,918,920,444,5183,5184,5185,5186,5187,5188,5189,5190,5191,5192,5193,5194,5195,5196,5197,5198,5199,5200,5201,5202,5203,5204,5205,5206,5207,5208,5209,5210,5211,5212,5213],[5174,2267,[5175,2259],[1358,2260],[2270,2261],916,5176,5177,918,920,444,5183,5184,5185,5186,5187,5188,5189,5190,5191,5192,5193,5194,5195,5196,5197,5198,5199,5200,5201,5202,5203,5204,5205,5206,5207,5208,5209,5210,5211,5212,5213],[5174,2267,[5175,2256],[1358,2257],[2270,2258],916,5176,5177,918,920,444,5183,5184,5185,5186,5187,5188,5189,5190,5191,5192,5193,5194,5195,5196,5197,5198,5199,5200,5201,5202,5203,5204,5205,5206,5207,5208,5209,5210,5211,5212,5213],[5174,2267,[5175,2262],[1358,2263],[2270,2264],916,5176,5177,918,920,444,5214],[[5215,2265],5216,2779,32,5217,5218,5219,5220,5221],[[5222,2266],5216,2779,32,5217,5218,5219,5220,5221],[[5223,2267],5216,2779,32,5217,5218,5219,5220,5221],[[5224,2268],5218],[[5225,2269],5226,5218],[454,3867,5227,401,5228,5229,5230,5231],[5232,[5233,2270],5234,1387,5235,5236],[5237,5238,[5239,2271],5240,5241,5242,5243],[[401,2272],[5244,2273],[5245,2274],[5246,2275],[5247,2276],[401,2277],[5248,2278],905,843,325,5249,5250,5251],[[1633,2279],[1661,2280],[293,2281],[2270,2282],[376,2283],[1484,2284]],[511],[424,5252,330,560,5253],[[5254,2285],548],[5255,5256,5257,5258,511,512,1606,1607],[5259,2352],[5259,2352],[5260,5261,5262,5263,5264,5265,5266,2352,5267,5243,5268,5269,5270,5271],[2518,423,5272,3315,2362,5273,3317,4,2363,2364,567,2365],[2518,423,5272,3315,2362,5273,3317,4,2363,2364,567,2365],[2518,423,5272,3315,2362,5273,3317,4,2363,2364,567,2365],[[511,2286],[512,2287],[1606,2288],2368],[[511,2286],[512,2289],[1606,2290],[1607,2288],2368,2369],[[5274,2291],401,548],[[5275,2292],401,548],0,[231,1264,1265,1266,330],[[5276,2293],401,548],[[5277,2294],401
,548],[[1405,2295],2593,45,5278,5279,5280,5281,5282,267,5283,268,5284],[[909,862],548,[5079,836],890,[5115,2296],910,5285,854,938,5286,918,920,922,924,925,916,2866,5114,5287,32,5288,5289,3149],[[5290,2297],4112,[5291,850],5292,[5293,2298],[5294,2299],[5295,852],[5296,2300],5297,[5298,2301],5299,910,853,854,915,890,5287,968,5300,5301,5302,5303,5304,5305,5306,5307,982,983,984,5308,5309,5310,5311,5312,5313,5314,5315,5316,5317,5318,5319,5320,5321,5322,5323,5324,5325,5326,5327,5328,5329,5330,5331,5332,5333,5334,5335,5336],[[5337,2302],4112,[5338,2303],910,853,854,938,5339,988,5340,5341,5342,5343,5344,5345,5346,5347,5348,5349,5350,5351,5352,5353,5354,5355,5356,5357,5358,5359,5360],[[377,2304],[5337,967],4112,[5361,968],5338,[5362,2305],[5363,979],5364,5365,5363,5364,5365,5363,5365,5363,5365,5363,5365,5363,5364,5366,5365,5363,5364,5366,5365,910,853,854,938,5339,988,5340,5341,5342,5343,5344,5345,5346,5347,5348,5349,5350,5351,5352,5353,5354,5355,5356,5357,5358,5359,5360,5367,5368,5369,5370,5371,5372,5373,5374,5375,5376,5377,5378,5379,5380,1081,5381,5382,5383,1074,5384,5385,5386,5387,5388,5389,5390,5391,4616,5392,5393],[5337,4112,5361,5394,[5395,2306],5396,[5397,2307],[5398,2308],5399,[5400,2217],910,853,854,938,5339,988,16,17,594,494,989,990,991,992,995],[5337,4112,5361,5394,[5395,2306],[5396,2307],[5398,2308],5399,910,853,854,938,5339,16,17,594,494,989,990,991,993,994,996,997,5081],[[5337,967],4112,[5362,968],5401,[5338,2309],[5402,2310],[5363,2311],[5403,2312],[5365,2313],910,5285,854,938,5286,890,918,920,922,924,925,916,2866,5114,5287,5339,1097,992,1010,1011,5404,5405,999,5406,5407,5408,1104,1105,5409,5410,5411,1106,1107,5412,1108,1109,1110,1111,1112,1113,1114,1115,1116,1117,1118,1119,1120,1121,1122,1123,1124,1125,1126,1127,1128,1129,1130,1131,1132,1133,1134,1135,1136,1137,1138,1139,1140,4616,4617,4618,4619,4620,4621,4622,4623,4624,4625,4626,4627,4628,4629,4630,4631,4632,4633,5413,5414,5415],[[5079,2314],1705,[5416,2315],852,915,890,5417,5418,5419,5420,5421,5422,5423,5424
,5425,5426,5427,5428,5429,5430,5431,5432,5433,5434,5435,5436,5437,5438,5439,5440,5441,5442,5443,5444,5445,5446,5447,5448,5449,5450,5451,5452,5453,5454,5455,5456,5457,5458,5459,5460,5461,5462,5463,5464,5465,5466,5467,5468,5469,5470,5471,5472,5473,5474,5475,5476,5477,5478,5479,5480,5481,5482,5483,5484,5485,5486,5487,5488,5489,5490,5491,5492,5493,5494,5495,5496,5497,5498,5499,5500,5501,5502,5503,5504,5505,5506,5507,5508,5509],[[5079,2316],1705,[5416,2317],852,915,890,5417,5418,5419,5510,5511,5512,5513,5514,5515,5516,5517,5518,5519,5520,5521,5522,5523,5524,5525,5526,5527,5528,5529,5530,5531,5532,5533,5534,5535,5536,5537,5538,5539,5540,5541,5542,5543,5544,5545,5546,5547,5548,5549,5550,5551,5552,5553,5554,5555,5556,5557,5558,5559,5560,5561,5562,5563,5564,5565,5566,5567,5568,5569,5570,5571,5572,5573,5574,5575,5576,5577,5578,5579,5580,5581,5582,5583,5584,5585,5586,5587,5588,5589,5590,5591,5592,5593,5594,5595,5596,5597,5598,5599],[[5600,2318],[5601,2319],[4138,2320],293,5602,330,5603],[[5600,2318],[5601,2319],[4138,2320],293,5602,330,5603],[[5600,2318],[5601,2319],[4138,2320],293,5602,330,5603],[[5600,2318],[5601,2319],[4138,2320],293,5602,330,5603],[[5600,2321],[5601,2322],293,5602],[[5600,2323],[5601,2324],293,5602],[1598,[5604,2325],5605,[5606,2326],5607,5608,5609,5610],0,[5611],[432,1254,5612,5613,5614,524],[2673,5615,269,5616,2379,568,439,438,20,2674],[2673,5615,269,5616,2379,568,439,438,20,2674],[32],[32],[32],[2673,5617,391,5618,5619,5620,5621],[2673,5617,391,5618,5621],[269,2379,5616,5622,5623,5624],[[5625,2327],5626,1622,5627],[[843,2328],5628,5629,5630],[[5631,2329],5632,5633,5634,5635,5636],[5637,[5638,2330],5639,5640,5641,5642,5643,5644],[[32,2331],5645,5646,4919],[[5647,2332],294,5648,5649,5650,5651,5652,5653,5654,5655,5656,5657],[[5658,2333],5659,5660,2161,5661,5662,5663,5664],[5665,[5666,2334],5667,5668],[5669,[5670,2335],5671,5672,5673,5674],[5669,[5675,2336],5676,5672,5677,5678],[5669,[5679,2337],[5680,2338],[5681,2339],[5682,2340],[5683,2341],5672,5684,5685
,5686,5687,5688],[[3380,2342]],[3380,[843,2343]],[[3380,2344]],[[115,2345],3515],0,[5689,0,1,2,3],[[0,89],[1,90],[2,91],[3,92],[347,2346]],[[444,2347],[5690,2348],[32,2349],0,1,2,3],[[264,307],[265,156],[267,308],[2637,1645],[2639,1648],5691,[5692,2350],[5693,2351],[272,313],[273,314],[274,315],[5694,2352]],[[264,307],[265,156],[267,308],[2637,1645],[2639,1648],5691,[5692,2350],[5693,2351],[272,313],[273,314],[274,315],[5694,2352]],[[16,1614],[17,2353]],[[16,1614],[17,2353],[5695,2354]],[[5696,2355],5697],[5698,330],[[2409,2356],[5699,2357],[5700,2358],[1702,2359],[308,2360],330,32],[[5701,2361],[5702,2362],[3027,2363],[5703,2364],[5704,2365],[5705,2366],[5706,2367],[3027,2368],[5705,2369],[5706,2370],[3027,2371],5707,5708,5709,5710,5711,5712,5713,5714,5715],[5716,330],[325,371,474,1578,17,1579,1580,1581,1582],[325,371,474,1578,17,1579,1580,1581,1582],[5717,5718,[330,2372],5719,5716],[5720,[5721,2373],[1702,2374],[5722,2375],5723,[491,2376],[5724,2377],[5725,2378],[2555,2379],[5726,2380],[554,2381],[555,2382],5727,5728,5729,330,560,5730,5731,1729,5732,2409,325,559,3515],[5733,5734],[1445,1446,1447,1448,2687,2688,2689,2690,2691,2692,2693,2694,2695,2696,2697,2698],[1445,1446,1447,1448,16,1449,1450,1451,1452,1453,1454,1455,1456,1457,1458,1459],[5735,529,5736,[5737,2383],5738,1445,1446,1447,1448,16,1449,1450,1451,1452,1453,5739,5740,5741,5742,5743,5744,5745,5746,5747,5748,5749,5750,5751,5752,5753,5754,5755,5756,5757,5758,5759,5760,5761,5762,5763,5764,5765,5766,5767,5768,5769,5770,5771,5772,5773],[5735,529,5736,[5737,2383],5738,1445,1446,1447,1448,16,1449,1450,1451,1452,1453,5739,5740,5741,5742,5743,5744,5745,5746,5747,5748,5749,5750,5751,5752,5753,5754,5755,5756,5757,5758,5759,5760,5761,5762,5763,5764,5765,5766,5767,5768,5769,5770,5771,5772,5773],[224,5774,32],[[5775,2384],[5776,2385],[5777,2386],[5778,2387],3867,5779,5780,5781],[[5775,2384],[5776,2385],[5777,2386],[5778,2387],3867,5779,5780,5781],[525],[[5782,2388],1460,1246,5783],[1744,1745],[1744,1745],0,[525],[525],
[525],[525],[1744,1745],[2714,2716],[2714,2716],[5784,5785],[2714,2716],[2714,2716],[[2760,2389],5786,[5787,2390],5788,5789,5790,5791,2761,5792],[[2760,2391],5786,[5789,2392],5790,5791,5793,5794,1472,5795,5796],[[2760,2393],5786,[5789,2392],5790,5791,5793,5794,1472,5795,5796],[1480,1481,1482,1483,2759,2760,1472,2761],[549,5797],[531],[293],[293,466],[5798],[531],[293,466],[1484],[1687,1484],[2719],[1535,524],[843,32,2805,2409,2080,1303,1301,5799,1992,1259,5800,5801,3312,5802,5803],[843,32,5799,1992,2805,2409,2080,2081,1259,2626],[32,424,5804,2805,2409,2080,2081],[32,424,5804,2805,2409,2080,2081,5805,5806],[32,424,5804,2805,2409,2080,2081],[32,424,5804,2805,2409,2080,2081,5805,5806],[5807,5808],[843,32,5809,166,5810,197],[1729],0,0,[5811,5812,5813,5814,2817,5815,5816,2827,2828,372,5817,5818,391,270,900,5819,5820,5780],[5821,5822,5823,5824],[5825],[5825,5826,5827],[5825],[5825,5826],[5825,5826],[4510,5828,2780,3390,2684,5829],[4510,5828,2780,3390,2684],[553,2864],[553,2864],[2870,2866,2871,2268,2872,444,5830,3011,5831,5832,5833],[2870,2866,2871,2268,2872,444,2873,2874,2875,2876,2877,2878,2879,2880,2881],[2894,2888,2893,2889,2890,2891,2892,918,920,444,2896,5834,3006,3007,1484,993,3011,3010],[293,336,371],[293,336],[293,336,1595],[293],[293],[32,2379,5835,5836],[5837,4530,1301,4531,1303,1418,5838],[5837,32,5835],[5837,5839,5840,5841],[2379,4530,1301,32],[2379,4530,1301,32],[2379,4530,1301,32,16,5842,5835,1450],[4530,1301,4531,1303,32,16,5843,5837,1450],[4530,1301,4531,1303,32,16,5843,5837,1450],[4530,1301,4531,1303,32,16,5843,5837,1450],[4530,1301,4531,1303,32,16,5843,5837,1450],[4530,1301,4531,1303,32,16,5843,5837,1450],[4530,1301,4531,1303,32,16,5843,5837,1450],[4530,1301,4531,1303,32,16,5843,5837,1450],[2234,3568,5844],[4530,1301,4531,1303,32,16,5843,5837,1450,5845],[4530,1301,4531,1303,32,16,5843,5837,1450],[4530,1301,4531,1303,32,16,5843,5837,1450],[3961,1418,5846,5837],[5837,5847,5848,3376,5849,5850,5851,5852],[5837,5847,5848],[5837,5847,5848],[5837,5853,5854,5855
],[5837,5856,5857],[5837,5856,5857],[5858],[4530,1301,4531,1303,2091],[4530,1301,4531,1303,2091],[5837,5859,5860,5861,5862,5863],[5837,5864,5865],[5837,5864,5865],[5837,5866,5867],[5837,5868,4509,5853,5869,2234,1682,5870,5871,5872],[5837,5868,4509,5853,5869,2234,1682,5870,5871,5872],[5837,5868,4509,5853,5869,2234,1682,5870,5871,5872],[5837,5844,5853,5846,5861,5873,5874,5875,5876,5877,5878,5879,5880,5881],[5837,5844,5853,5846],[5837,5844,5853,5846,5861],[5837,5882,5883,5884,5885],[5837,5882,5883,5884,5885],[2379,5886,5853,5887,5888,5889,5890,5836,1450],[2379,5886,5853,5887,5888,5889,5890,5836,1450],[5837,5868,4509,5853,5869,2234,1682,5870,5871,5872],[5837,5868,4509,5853,5869,2234,1682,5870,5871,5872],[5837,5868,4509,5853,5869,2234,1682,5870,5871,5872],[5837,5868,4509,5853,5869,2234,1682,5870,5871,5872],[5837,5868,4509,5853,5869,2234,1682,5870,5871,5872],[5837,4530,1301,4531,1303,1418,5838],[5837,4530,1301,4531,1303,1418,5838],[5837,5856,5857],[5891,2888,5892,5893],[5891,2888,5892,5893],[5891,2888,5892,5893],[5837,5856,5857,843,5894],[5837,5856,5857],[5837,5856,5857],[1572,5895,5071,5896,5897,5898,5899,5842,5900,5901,4742,5159,5902,391,5903,5904,5905,5906,5907],[5908,5909,5835,5910,5911,5912,5913,5914,5915,843,5916,5071,4729,5917,5918,5919],[5908,5909,5835,5910,5911,5912,5913,5914,5915,843,5916,5071,4729,5917,5918,5919],[5909,5835,5887,5888,5889,5890,843,5920],[5909,5835,5910,5911,5912,5913,5914,5915,843,5920,5071,5921,265,5922,267,1572,5923,4729,5917,5918,5919,5908],[5837,5924,909],[5837,5925,5926,5927,5928,5929],[5837,5930,5931,3376,5932,5933,5934],[270,5935,2888],[5935,5936,5937,5938,5939,5940,5941,4673,5942],[5837,4530,1301,4531,1303,376,5836,1450,5943,5944],[1240,5945,5946,5947,5948,5949,5950,5951,5952,5953,5954,5932,5955,5956],[1240,5946,5947,5957,5958,5959,5960,5954,5932,5961,5962],[4316,5897,5963,5964,5965,5966,5967,5968,5842,5969,5970,5971,5972,5973],[4316,5897,5974,5975,5968,5842,5976,5977,5973],[5897,5978,5979,5980,5981,5982,5983,5984,5985,101,5986,5987,598
8,5989,5990,1613,5991,5992],[5837,5862,5993,5994,5854],[5837,5862,5993,5043,5854,5878,5995,5996,5840,5997,5998,5999,5856,5857,6000,5944,6001,4530,1301,4531,1303],[5837,5884,5995,6002],[5837,5862,6003,5926,5854],[5837,5862,6003],[5837,5856,5838,6002,5996,5857,6000,5998,5999,6004,6005,6006],[530,5897,3873,6007,6008,6009,6010,6011,5009,32,6012],[5897,3873,6007,6008,6011,6010,6013],[6014,6015,6016,6017],[6014,6015,6016,6017],[5837,5856,5857,5861,6018,6019,6020,6021],[5837,6022],[5837,6023,6024,6025,6026,6027,1598,5884],[2379,32,16,5842,5835,1450],[4530,1301,32,2379,5836,1450],[4530,1301,32,2379],[4530,1301,32,2379],[5837,5856,6028,5926],[5837,5860,5846],[5837,5860,5846],[5837,5860,5846],[5837,5860,5846],[5909,5923,6029,6030,5842,5921,265,5922,267],[5909,5923,6029,6030,5280,32,5842,5921,265,5922,267,1572],[5837,5844,5853,5846,5873],[5837,5862,5993,5994,5854,6031,6032,6033,6034,6035,6036,6037,5863,6038],[5837,5862,6003,5926,5854,6039],[4316,5843,6040,6041,6042,5010,5009,4742,376,381,6043,6044,6045,391],[2233,6046,6047,6048,32],[2233,6046,6047,6049,32],[5843,6050,3873,6051,6007,6008,6052,6053,6029,6030],[2080,1301,1303,4576,6054],[2080,1301,1303,4576,6054],[5837,376,5862,6003],[5908,4316,5843,2080,3873,265,5909],[5837,5909,5835,5887,5888,5889,5890,843],[32,5887,5888,5889,5890,5998,16,6055,6056,6057,843,1450],[2379,6058,5080,6059,6060,6061,6062,32],[6063,6064,32],[6065,6066],[1572,5835,6067,6068],[5835,5909,32],[1572,5842,5897,5969,5964,5970,6069,6070,6071,391,6072],[2379,4357,293,2234,466],[5837,5856,5857,6073,6074,6031,6075],[5837,5856,5857,6076,6077,6078],[5837,5856,5857,6076,6073,6074,6031,6079,6080,6081,6000,6082],[5837],[5837,6083,6084,6085,6086,6087,6073,6088,376],[5837,6084,6085,6086,6073,6088,6089],[5837,6084,6085,6086,6087,6090,6073,6088],[6091,6092,6093,6094,6095,6096,5888,5890,6097],[6098,2413,2414,1418,2415,2416,2417,1516,330],0,[6099],[6099],0,[377,6100,6101],0,[1486,4118],[424,376,6102,2416,2417,330],[6103,6104,6105,549],0,[1486,4118],0,[1486,4118],0,0,[6106,
6107,6108,6109],0,[6110,6111],[3089,3090,525],[3089,6112,6113,6114,6115,6116],[3089,376],[6117,6118,549],0,[6119],[6120,6121,427],[6122],[6123,6124],0,0,[6120,6121],[6125,330],[1295,2276,6126,330],[6127],[3135,3136,3137],[3135,3136,3137],[3135,32],[3135],[3135],[3135],[3135],[6128,3135,6129],[6128,3135,32],[3138,992,1011,988,1100,1101,1103,1104,1105,1108,1109,1110,1111,1112,1113,1114,1115,1116,1117,1118,1119,1120,1121,1122,1123,1124,1125,1126,1127,1128,1129,1130,1131,1132,1133,1134,1135,1136,1137,1138,1139,1140,4615],[3138,992,1011,988,1100,1101,1103,1104,1105,1108,1109,1110,1111,1112,1113,1114,1115,1116,1117,1118,1119,1120,1121,1122,1123,1124,1125,1126,1127,1128,1129,1130,1131,1132,1133,1134,1135,1136,1137,1138,1139,1140,4616,4617,4618,4619,4620,4621,4622,4623,4624,4625,4626,4627,4628,4629,4630,4631,4632,4633,4615],[3147,3148,3149,3150],[3147,6130,6131,6132,3148,3149,3150],[3147,6133,6134,6135,6136,3148,3149,3150],[3147,6133,3148,3149,3150],[3147,6133,6137,6138,6139,6140,3148,3149,3150],[3147,3148,3149,3150],[3147,3148,3149,3150],[897,951],[897,951],[1325,6141,6142],[1325,548,567,6143,6144],[293,6145],[293,16,2624,1622,6146],[[511,2394]],[[511,2394],[512,2395],[1606,2396]],[[511,2397],[512,2398]],[[6147,2399]],[511,512,1625],[6148,6149,6150,6151,6152,6153,6154,6155],[356,101,381,392,269,6156,6157,6158,6159,6160,6161,6162,6163,6164,367,385,6165,6166,6167,390,391,6168,6169,6170,6171,396,397,378,398],[356,101,396,397],[6172,6173,390,381,6174,391,6175,6176,6177,6178,6179,396,397,378,398],[6172,6173,390,381,6174,6180,6175,6176,6177,396,397,378,398],[6172,6173,6181,390,381,6182,6175,6176,6183,396,397,378,398,6184],[6172,6173,6181,390,381,6182,6175,6176,6183,396,397,378,398,330,6184],[6172,6173,390,381,6174,391,6175,6176,6177,6178,6179,396,397,378,398,330],[6172,6173,390,381,6174,6180,6175,6176,6177,396,397,378,398,330],[6185,396,397],[396,397,330],[278,6186,6187,6188,6189,6190,6191,3426,6192,6193,1407,388,389,6194],[1408,6195,6196,6197,6198,6199,6200,6201,6202,6203,6204,
6205,6206,6207,6208,6209,6210,6211,6212,6213,6214],[356,101,381,382,220,264,269,383,384,367,385,386,387,388,389,390,391,392,393,394,395,396,397,378,398,399],[356,101,381,382,220,264,269,383,384,367,385,386,387,388,389,390,391,392,393,394,395,396,397,378,398,399,330],[6185,396,397,330],[396,397,330],[385,492,1526,493,1528,381,396,397,330],[492,1526,493,1527,381,396,397,330],[356,101,381,382,220,264,269,383,384,367,385,386,387,388,389,390,391,392,393,394,395,396,397,378,398,399,1530,330],[372,3269,6215,6216,3273,6217,6218,6219,6220],[1472,3280,1532,1533,1534],[1472,3280,1532,1533],[1472,3280,1532,1533],[6221],[6221,548],[6222,6223],[6224],[6224],[909,6225],[909,6225],[909,6225],[909,6225],[424,6027,391,6226,411],[424,6027,391,6226,411],[424,6027,391,6226,411],[424,6027,391,6226,411],0,0,0,0,[1472],0,0,0,[1472,2743],0,0,[1472],[[511,2400],[512,2401]],[[511,2402]],[[511,2403],[512,2404]],[[511,2402],[512,2405]],[[511,2406]],[[511,2407],[512,2408]],[[511,2409],[512,2410]],[[511,2411]],[[511,2412]],[[511,2413],[512,2404]],[[511,2402],[512,2405]],[[511,2414]],[[511,2415]],[[511,2416]],[[511,2411]],[[511,2417],[512,2410]],[[511,2418],[512,2419],[1606,2420]],[[511,2417],[512,2410],[1606,2421]],[[511,2418],[512,2419],[1606,2421]],[[511,2417],[512,2422],[1606,2419],[1607,2423],[2073,2424]],[[511,2418],[512,2419]],[[511,2411],512],[[511,2411]],[[6227,2425],[6228,2426]],[[511,2427]],[[6229,2428],6230],[[3440,2429],3441,[2403,2430]],[6231,[6229,2430],6230],[[2403,2430]],[[511,2431],[512,2408]],[[511,2432],512,[1606,2433],[1607,2434]],[6232,2270,1688,2379,5835,6233,269,16,32],[6232,2270,1688,2379,32],[6232,2270,1688,2379,32],[6232,2270,1688,2379,6234,6235,6236,32],[6232,2270,1688,2379,6234,6235,6236,32],[6232,2270,1688,2379,6234,6235,6236,32],[6232,2270,1688,2379,6234,6235,6236,32,6237,2081],[6232,2270,1688,2379,6234,6235,6236,32,6237,2081],[6232,2270,1688,2379,6234,6235,6236,32],[6232,2270,1688,2379,6234,6235,6236,32,6237,2081],[6232,2270,1688,2379,6234,6235,6236,32,6237,2081],[6
232,2270,1688,2379,32],[6232,2270,1688,2379,6235,6236,32,6237,2081],[6232,2270,1688,2379,32],[6232,2270,1688,2379,6235,6236,32,6237,2081],[6232,2270,1688,2379,32],[6232,2270,1688,2379,6235,6236,32,6237,2081,6238,6239],[6232,2270,1688,2379,32,6237,2081],[6232,2270,1688,2379,843],[6232,2270,1688,2379,6240,466,32],[6232,2270,1688,2379,32,6237,2081,6239],[6232,2270,1688,2379,6235,6236],[6232,2270,1688,2379,6235,6236,6237,2081],[6232,2270,1688,2379,32],[6241,220,2270,391,899,6233,269],[6241,32,531],[6241,6242],[6241,32,531],[6243,296,6244,270,6245],[6243,296,6244,270,6245,6246,32],[6243,6245,6246],[6243,6245,6246,32,531],[6243,6246],[6243,6246,32],[2270],[2270,6247],[6248,6249,1620,6250],0,[6251,6252,6253,6254,6255,6256,6257,6258,6259,6260,6261,6262,6263,2161,217,6264,6265,115,63,6266,6267,6268],[6269,6270,6271,6272,6273,6274,6263,217,6275,358,4765,138],[6276,6277,2161,1597],[6278,6279,6280,6281,2161,217,6282,401],[6283,6284,6285,6286,6287,6288,6262,16,269,217,115,1256],[6289,6290,6291,217,63,6265,6266,6268],[6292,6293,6294,6291,217,391,63,6265,6266,6268],[6295,6296,6297,6298,6299,6300,6301,6302,6303,6304,6305,6306,6307,6262,6263,2161,454,3867,6308,6264,6265,115,63,6266,6267,6268],0,[6309,330,2069,142],[474,1691],[321,6310,6311,1359,513,4335,2565],[6312,6313,6314,6315],[6312,6313,6314,6315,4138],[6312,6313,6315,6316],[6312,6313,6315,6316,4138],[6312,6313,6315,6317,878],[6312,6313,6315,6317,878,4138],[6312,6313,6315],[6312,6313,6315,4138],[6312,6313,6315],[6312,6313,6315,4138],[6312,6313,6315],[6312,6313,6315,4138],[6312,6313,6315],[6312,6313,6315,4138],[6312,6313,6315],[6312,6313,6315,4138],[6312,6315,6313],[6312,6315,6313],[425,6312,6315,6313],[425,6318,6313],[425,6313,5084,6315,6319,6320,6321],[425,6313,5084,6320,6321,6315,6319],[425,6313,5084,6315,6319,6320,6321,4138],[425,6313,5084,6320,6321,6315,6319,4138],[6312,6315,425,6313],[6312,6315,425,6313],[6312,425,6313,6315],[6312,425,6313,6315,4138],[6312,425,6313,6315],[6312,425,6313,6315,4138],[6312,425,6313,6315],[6312
,425,6313,6315,4138],[6312,425,6313,6315],[6312,425,6313,6315,4138],[6312,425,6313],[6312,425,6313,5084,6322],[6312,425,6313,5084,6322,4138],[6312,6315,425,6313],[6312,6315,425,6313],[6312,425,6313,6323],[6312,6315,425,6313,843,6324,6325,2267,6326,6327,6328,6329,6330,6331,6332,6333,269,6334,6335,6336],[6312,6315,425,6313,843,6324,6325,2267,6326,6327,6328,6329,6330,6331,6332,6333,269,6334,6335,6336],[6312,6315,425,6337],[6312,6315,425,6337],[6312,6315,425,6337],[6312,6315,425,6337],[6312,6315,425,6337],[6312,6315,425,6337],[6312,6315,425,6337],[6313],[6313],[6313,6312],[6313,6312,4138],[6313,6312],[425,6312,6320,6313],[425,6318,6313],[425,6313,5084,6315,6319,6320,6321],[425,6313,5084,6320,6321,6315,6319],[425,6313,5084,6315,6319,6320,6321,4138],[425,6313,5084,6320,6321,6315,6319,4138],[6312,425,6313],[6312,425,6313],[6312,425,6313],[6312,425,6313],[6312,425,6313],[6312,425,6313],[6312,425,6313,6338],[6312,425,6313,843,6324,6325,2267,6326,6327,6328,6329,6330,6331,6332,6333,269,6334,6335,6336],[6312,425,6313,843,6324,6325,2267,6326,6327,6328,6329,6330,6331,6332,6333,269,6334,6335,6336],[6312,425,6313],[6313],[6313],[6313,6312,339],[6313],[6313,6312,339],[6313,6312],[6313,339,6339],[6313],[6313,6340,6315],[6313],[6313],[6313],[890,854,6341,3150,6342,3149,513,853],[3480,3481,3482,3483,3484],[3480,3481,3482,3483,3484],[3480,3481],[3480,3481],[3480,3481],[3480,3481,3482,3483,3484,3485],[1535,1536,1537,513],[1535,1536,1537,513],[1535,1536,1537,1538,513],[1535,1536,1537,1538,513],[1535,1536,1537,1538,1539,1540,1541,1750,1785,1786,1787,1788,1789,1790,1791,3444,513],[1535,1536,1537,1538,1539,513],[1535,1536,1537,1538,1539,1540,1541,1750,1785,1786,1787,1788,1789,1790,1791,513],[1535,1536,1537,1538,1539,513],[1535,1536,1537,1538,513],[1535,1536,1537,1538,1539,1540,1541,513],[1535,1536,1537,1538,1539,1540,513],[1535,1536,1537,1538,1539,1540,1541,1750,1785,1786,1787,1788,1789,1790,1791,3444,3445,3446,3447,3448,6343,513],[1535,1536,1537,1538,1539,1540,1541,1750,1785,1786,1787,1788,
1789,1790,1791,3444,3445,3446,3447,3448,6343,513],[1535,1536,1537,1538,1539,1540,1541,1750,1785,1786,1787,1788,1789,1790,1791,3444,3445,3446,3447,3448,6343,513],[1535,1536,1537,1538,1539,1540,1541,1750,513],[1535,1536,1537,1538,1539,513],[1535,1536,1537,1538,1539,1540,513],[1535,1536,1537,1538,513],[1535,1536,1537,1538,513],[1535,1536,1537,513],[1535,1536,513],[1535,1536,513],[1535,1536,513],[1535,1536,513],[1535,1536,513],[1535,513],[1535,513],[1535,1536,1537,1538,1539,1540,1541,1750,1785,1786,1787,1788,1789,1790,1791,3444,3445,3446,3447,3448,6343,6344,6345,6346,6347,6348,6349,6350,6351,6352,513],[1535,513],[1535,513],[1535,513],[451,1598,6353,6354,6355],[451,1598,16,6354],[451,1598,494,6354],[451,1598,224,6353],[451,1598,1744,494,6356,6357,6358,6354,6355,6359],[451,1598,494,6356,6357,6354],[451,1598,1744,494,6356,6357,6354],[451,1598,8,224,5774,6360,2494,6361],[451,1598,8,224,5774,6360,321],[451,1598,6360,2494,6362,269,6354],[451,890,1598,1744,494,6356,6363,6357,6364,16,1448,224,5774,6354,6365,6366,6355,6359,6367,6368],[451,1598,1744,6369,6370,6371,6372,6373,6354],[451,1598,6369,6354],[451,1598,6369,6370,6372,6373,6354],[451,1598,6369,6370,6354],[1535,1536,513],[1535,1536,513],[1535,1536,513],[524,513],[1535,513],[1535,1536,1537,1538,1539,1540,1541,1750,1785,1786,1787,1788,1789,513],[1535,513],[1535,1536,1537,1538,1539,513],[1535,1536,1537,513],[1535,1536,1537,1538,1539,513],[1535,1536,1537,1538,1539,513],[1535,1536,1537,1538,513],[1535,1536,1537,1538,1539,513],[1535,1536,1537,1538,1539,1540,513],[1535,1536,1537,1538,1539,1540,1541,513],[1535,1536,1537,1538,513],[1535,1536,1537,1538,1539,1540,1541,513],[1535,1536,1537,1538,1539,513],[1535,1536,1537,1538,513],[1535,1536,1537,1538,1539,1540,513],[524,513],[524,513],[524,513],[1535,1536,1537,1538,1539,1540,1541,1750,1785,513],[1535,1536,1537,1538,1539,1540,513],[1535,1536,1537,1538,1539,1540,513],[1535,513],[1535,513],[1535,1536,1537,513,1687,6374,325],0,[[3155,2435],[3157,2436],[3159,2437],[3160,2438],[115,1764]],[[
3155,2435],[3157,2436],[3159,2437],[115,1764],[6375,2439]],[[3155,2435],[3157,2436],[3159,2437],[115,1764],[6375,2439]],[[293,1765],[1243,1766],[3582,1767],[905,2440],[138,1772],[3583,1776],[3584,1777],[3585,2441],32,[115,1764],[652,1779],[1524,1770],[1525,1771]],[3609,[6376,1814],111],[1535,1536,513],[6377,6378,6379,6380],0,[6377,6381,6382,6383],0,[6377,6381,6382,6383,6384],0,[6377,6381,6385,6379,6386,6387,6388,6389],[6377,6385,6383,6390],[6377,6378,6391,6379],0,[6377,6392,6382,6393],[6377,6381,6394,6395,6396,6397,6398,6399,6400,6401,6402,6403],0,[6377,6395,6378,6404,6405,6406,6407,6408,6409],0,[6377,6395,6378,6404,6405,6406,6407,6408,6409],0,[6410,6411],[6377,6381,6382,6383,6412,4447,6413,6414,6415,6416,6404,6405],0,[6377,6381,6382,6395,6397,6417,6418,6419],0,[6377,6381,6382,6420,6421],[6411],0,0,[6377,6382,6383,6422,6423,6424,843,6425,6396],[6395,6397,6426,6427,6428],[6395,6397,6426,6427,843],[6395,6397,6429,6428],0,0,0,0,0,0,[6412,6430],[6431,6432,6433],[6434],[6435,6436],[6437],[6438],0,[1860,6439,6440,6441,6442,4785,6443],[6378,6444,6412,6445,6446],0,[6447],[6448,6449,6450,6451,6452,6453,6454,6455],[3641,6447,6456,6457,6458,6459,6460,6461],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],[6462,6463,6464,6125,6465,6466,6467,6468,6469,6470,6471,6472,6473,6474,6475,6476,6477,6478,6479,6480],[6462,6463,6439,6481,6466,6447,6467,6482,6483,6484,6485,6486,6487,6488,6489,6490,6491,6492],[6465,549,6476,6493,6470,6494,6467,6495,6483,6496,6487,6497,6498],[6499,6500,6501,2388],[6500,6502,6465,6503,6504,6505],[6499,6500,6506,6507,567,640],[2388,6465,6377,6508],[6509,6395,6510,6511,6512,6513,6514],[6509],[6465,843,6515,6516],[6377,6418,6125,6517,6518,6519,6520,6521,6522,6523,6524,6525,6526,6527,6528,6529,6530,6531,6532,6533,6534,6535,6536,6537,6538,6539,6540,6541,6542,6543,6467,6468,6469,6470,
6471,6472,6473,6474,6544],[6500,6465,441,548],[6499,6545],[6499,6507],0,[6447],0,[6447],0,0,[6377,6546,6547],[6548],[6549,6550,6551,6552],[6549,6553,6554,6555,6556,6557,6558,6559,6560,6561,6562],[6549,6563,6564,6565,2684,6566],0,[6447],0,[6447],[2388],[6567,6568,6468,6569,6570,6571,6572,6573,6574,6466,6575,6576],[6577,6578,6377,6579,6468,6580,6418,6466,6581,6484,6582,6447],[6466,6467,6418,6468,6469,6470,6471,6472,6544,6575,6576,6569,6476],[6447,6456,6466,6467,6473,6474,6575,6576,6583,6584],[6585,6586,6587,6588,6589,6590,6591,6444],[6592,6378,6586,6587,6588,6589,6590,6591,6444],[6509,6593,6591,6444],0,[6500,6465,6377,6567],0,0,[6447],0,[6447],0,[6447],[6592,6378,6586,6587,6588,6589,6590,6591,6444],[6570,6444,6394,6395,6594,6595],[6570,6394,6395,6396,6397],[6570,6394,6395,6396,6397],[6570,6596,6597,6598,6599,6600,6601],[6395,6602,6603,6604,6605,6606],0,0,[6549,6563,6564,6553,6554,6555,6556,6557,6558,6559,6560,6561,6562],[6607],[6607],0,[567],[6608,6377,6609,843,3380,6610,6611],[6377,6385,6612],[6377,6385,6613,6614,6615],[6377,6616,6617,6618],[6619,6620,6621,6622,6623,6624,6625,6626,6627,6628,6629,6630],[6619,6620,6621,6622,6623,6624,6625,6626,6627,6628,6629,6630],[6619,6620,6621,6622,6623,6624,6625,6626,6627,6628,6629,6630],[6631,6632,6633,6634,6635,6636,6637,6638,6639],[6640,6641,6642,6643,6644],[6608,6645,843,3380],[6646],[6646],[6549,6647,6559,6560,6561,6648,6649,6650,6651,6652,6653],[6654,6655,6656,6657,6658,6659,6660,6661,6662,6663,6664,6665,6666,6667,6668,6669,6444],[6670,1613,6671],[6672],[6448,6673,567],[6509,6674,567],[6465,6377,6462],[6465,6462],[6673],[6468],[6675,6676,6444],[6677,6678,6679,6680,6681,6682,6683],0,0,[6447],[6684,6685,6686,6687,6688,6689,6690,6691,6692,6693],[6694,6695],[6696,6697],[6377,6381,6385,6379,6698],[6377,6699,843,6700,6701],[6377,6609,843],[6377,6699,843,6700,6701],[6377,6702,6703],[6448,6575,6576],[6448,6575,6576],0,0,[6704],[6377,6705,6706,6707,6708,6709,6710],[6711,6712,6713,6714,6715,6716,6717,6718,6719,6720,6721],[6549,6563,656
4,6553,6554,6555,6556,6557,6558,6559,6560,6561,6562],[6509,6722],[6509,6722,6643],[6723],[6724,6582,6725,6726,6727,6728],[6724,6729,6730,6731],[6732,6418,6733,6734],[6733,6465,6735,6736,6737,6738],[6739,2684],[6740,2684],[6741,6742,6743,6744,6745],[6493,6746,6747,6748],[6509,6377,6749,6750,6751,6752,6753,6754,6755,6756,6757,6758,6759,6760,6761,6762,6763,6764,6765,6766,6767],[6442,6468,6768],[6769],[6769],[6769,6770],0,[6771,6772,6773],[6377,6385],[3983],0,[6774],[6775,6564,6776],[6775,6564,6777,6778],[6775,6564],[6775,6564,6778,6779,6780],0,[6777,6778],[6395,6781],[6395,6781],0,0,[6395],[6395],0,[6782,6377,6783,6382,6784,6785],[6786],[6377,6787,6788,2377],[6377],[6377,6789,6790],[6377,6579,6791,6792,6793],[6699,6569],[6794,6795],[6796],0,[3641,6797,6798,6377,6468],[6799,6800,6801,6802,6803,6804],[6493,6805,6806,6807,6808,6809,6810,6811,6812,6813,6497,6814,6815,6816,6817],[3641,2110,6818,6819,6820],[3641,6821,6798,6377],[6822,6823],[6377,6824,6825,6826,6827,6828,6829,6830,6831],[6509,6412,6832,6833,6432,6834,6826,6835],[6394,6836],[6394,6837,6838],[6462,6839],[6462,6839],[6462,6839],[6377,6840,6841],0,[6842,6843],[6842,6843,6844],[6842,6843],[6843],0,0,[6845],0,[6846,6847,6848],[6849,6850,6851,6852,6853,6854,6855],[6856,6857,6858,6859,6860,6861,6862,6863,6864,6865,6866,6867,6868,6851,6869,6870,6871,6872],[6377,6873],[6509,6874,6875,6876,6877,6878,6879,6880,6881,6882,6883,6884,6885,6886,6887,6888,6889,6890,6891,6892,6893,6894],[6509,6874,6875,6876,6877,6878,6879,6880,6881,6882,6883,6884,6885,6886,6887,6888,6889,6890,6891,6892,6893,6894],[6895,6896,6897],[6377,6898],[6899],[6900,6901],[6902,6493,6903,6904,6905,6906,6907],[6908,6493,874,6497],[6493,6903,6904],[6493],[6493],[6493,6909],0,[6614,6615],[6840,6377,6910,6911,6912,6913,6914,6915],[6840,6377,6916,6917,6918,6914,6919,6920,6921],[6922,6923,6924,6925,6926,6927,6928],0,0,[6447,6456,6929,6930,6457],0,[6447],0,[6447],0,[6447],0,[6447],0,[6447],[6798,6931,6468,6469,6932,6471,6472,6473,6544],[6798,6931,6474,6447],0,[64
47],[567],[567],[567,6933,6934],[567],0,[567],[567],[567],0,0,0,0,[6467,6570],[6467,6447],[6377,6591,6470],[6377,6569,6935,6591,6470,6483,6497,6936,6487,6937,6938,6939],[567],[6940],[1389,6941,6942,2379],[6943,6944,6377],[6945],[6377,6586,6946,6947,6948,6949,6950,6951,6952,6953,6382,6383],[3641,6586,6382,6383],[6462,6586,6954,6382,6383,6955],0,[6956,6957,6958],[6946,6959],0,0,0,0,[6699,6960,6418,6419,6569],[6798,6931,6468,6469,6932,6471,6472,6473,6544],[6798,6931,6474,6447],[6798,6931,6468,6469,6932,6471,6472,6473,6544],[6798,6931,6474,6447],0,[6447],0,[6447],0,[6447],0,[6447],[6608,6377],[6608,6377,294],[6608,6377,294],[6377,6418,6518,6519,6520,6521,6522,6523,6524,6525,6526,6527,6528,6529,6530,6531,6532,6533,6534,6535,6536,6537,6538,6539,6540,6541,6542,6543,6961,6470,6962],[6646],[6646],[6462,6963,6964],[6462,6963,6964,6965,6966,6457,6967,6968,6969,6970,6447,6971,6972,6973,6974,6468,6975,6976,6476],[6377,6783,6977,6946,6978,6979,6980,6981,6982,6983,6984,6985,6986,6987,6988,6989,6990,6991,6992,6993,6382,6383,6994,6995,6996,6997,6998,6999,7000,7001,7002,7003],[6377,6783,6977,7004,7005,7003],[6964,7006,7007],[6608,6569,7008],[6608],[6377,7009,7010,7011,7012],[6377,7009,7010],[6377,7009,7010],[6569,7013,7014,7015,7016,7017,7018,7019],[6569,7014,7015,7016,7017,7018,7020,7021],[6377,6964,6971,6972,7022,7023,6476,6447],0,0,[7024],0,0,0,[7025,7026],0,[6439],[7027,7028,843],[7028],[7029,7030,7031,7032,7033,7034],[7035,7036],[7035,7036],[7035,6444,6586,6616,6383,7037,7038,7039],[7035],0,[7035,7040],[7041,7042,7040],0,[7035,7043,6444,6586,6616,6383,7037,7038,7039],[7043,6444,6586,6616,6383,7037,7038,7039],[7044,7045,7046,7047,7048,7049,6444,6586,6616,6383,7037,7038,7039],[7035,6444],[7035,7043,6444,7050,7051],[7052],[7041,7042],[7035],[7053,7054],0,[7055],[7055],0,[7056],0,[7056],[7055],[7055],0,[7056],0,[7056],[7057,7055],[7056,7058,7057,7055],0,[7056,7058],0,[7056,7058],0,[7056,7058],0,[7056,7058],0,[7056,7058],[6608,7059,7060],[7061],[7059,7060,7062,7063,7064,7065],[7066,7
067,7068,7069,6419,6418,7070,7071,7062,7063,7064,7065,7072,7073,7074,6493,7038,7075,7076,7077],[7078],[7079,7080,7081,7082],0,[7083,7084,7085],[6616,6383],[7086,7087,7088,7089,7090],[1392,7091],[7086,7087,7088,7089,7090],[1392],[7087,7089,7090],0,[7092,7093,7094],[7095,7092,7096,7097,7098,7099,7100],[7095,7092],[7101,7092],[7102,7101],[7103,7101,7092,7093],0,0,[7104,7105,7106,7107,7108,7109],[7110,7111,7112,7113,7114,7115,7116,7117,7118,7119],[7110,7111,7112,7113,7114,7115,7116,7117,7118,7119],[7104,7109],[7104,7109],[7120,7121,7122,7123,7124,7125],[7104,7105,7106,7107,7108,7109],[7110,7111,7112,7113,7114,7115,7116,7117,7118,7119],[7105,7126,7127,7128,7129,7130,7131],[7105,7132],[7104,7105,7106,7107,7108,7109],[7105,7126,7127,7128,7129,7130,7131],[7105,7132],[7104,7105,7106,7107,7108,7109],[7105,7126,7127,7128,7129,7130,7131],[7104,7105,7106,7107,7108,7109],[7105,7126,7127,7128,7129,7130,7131],[7105,7132],[7104,7105,7106,7107,7108,7109],[7105],[7105,7132],[7133,7104],[7105,7126,7127,7128,7129,7130,7131,7109],[7134],[4947],[7135,7136,7137],[7138,7139],[4947],[7135,7136,7137],[4947],[7135,7136,7137],[4947],[7140,7141],[7142],[7142],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145
,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7
150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],0,[7152],[7153,7154,3452],[7155,7156,7157,7158],[6377,7159,6789,7160,7161,7162,7163,7164,7165,7166,7167,7168],[7038],[6509,6569,7169,7170],[7017],[6377,6394,7171,7172],[6377,7173,7174],[7175,7176,7177,7178],[7179],[6509,6569,7180,7181],0,[7182],[7182,2417,7183,7184,7185,7186],[7182,7187,330,7188,7189],[7190,293,466,7191],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,641
1],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410
,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[7192,6377,6381,6395,6397,7193,7194,7195,7196,7197,7198,7199],[7200,7201,7202,7203],[294,7204],[294,7204],[6377,6382,6383],0,0,0,[6411],[6411],0,0,[7192,6382,6383,7205,7206,7207,7208],[7192,7209,7210,6395,6397],[7192,7211,6377,6381,6395,6397],0,[7212,7213,7214,7215,7216,7217],[7218,7219,7220,7221],[7222,7223,7224,7225,7226,7227,7228,7229,7230,7231,7232,7233,7234,7235,7236,7237,7238,7239,7240,7241,7242,7243,7244],[7222,7245],[7246,7247,7222,7223,7224],[7246,7247,7222,7245],[7248,6603,6604],[6603,6604],[6603,6604],[6444,7249,6398],[7250,7251,7252,7253,7254,7255,7256],[7257,7251,7258,7259],[7257],0,0,[7260,7261,7262,7263],0,[7264,7265,7266],[7267],[6509,7222,7223,7224,7225,7226,7227,7228,7268,7229,3081,7269,7270,7271,7272,7273,7274,7245],[7275,6377,6395],[7276,6377,6395],[7277,7278,7279,6377,6395],0,0,[7280,7281,7282],[7280,7283,7281,7282],[7284,7285],[7285,7286,7287],0,0,0,0,[4010,7288],[7289,7290,7291,7292,7293],[7294],[7294,6377,6381],[6395,7295,7296,7297,7298],[7299,7300,7301,7302,7303,7304,7305,7306,7307],[7308],[7308],0,0,[7309],[7309],0,0,[6704],0,[6631,6632,7310],[6631,6632,7310],[6631,6632],[6631,6632],0,[7311,7312,7070,7313,6377,6395],[6456,7314,7315,7316,3026],[7311,7312,7070,7313,6377,6395],[6456],[7311,7312,7070,7313,6377,6395],[6456],[6377,7317,7318,7319,7320,7321,3026],[7322,6518,6519,6520,6521,6522,6523,6524,6525,6526,6527,6528,6529,6530,6531,6532,6533,6534,6535,6536,6537,6538],[6509,7322,7323],[6377,7324,401],[7325,7326,7327],[3904,7328,7329,7330,7331,7332,7231,3800],[1744,7333,6613,7334,7335,7336],[6570],[6570],[7337],[7338,7339,7340,7341,7342,
7343,7344],[7338,7339,7341,7342,7343,7344,7345,7346,7347,7348],[7349],[7350],0,[5783,7351],[7352],0,0,[7308],0,[6395,6397,7353,6381,7354,7355,7356,7357,7358,7359,7237,7238,7239,7240,7360,7361,7362,6757],[7363,7364,7365,7366,7367],[7368,7369],[7308],[6377,7370,7371,7372],[7373],[7370,1484,7374,7375,7376,7377,7378,7379,7380],[6377,7381,7382,7383,843],[6377,7384,7385],[6377,7386],[7387,843],[7388,7389],[7390,7391,7392,7393,7394,7395,7396,7397,7398,7399,7400,7401],[7402,7403,7404,7405,7406],[6509,6465,6586,7010,7407,6382,6383,7408,7409,7410,7411],0,[6377,7223,7412],[7373],[6377,7223,7412],[7373,7413,7414,7415],[7056,7223,7416],[6704,7223],[7417],[7418],[7419,7420],[7419,7420],[7421,2379],[7422],[293],[293,7423],[7424,567],[7425,7426],[7419,7420],[7405,7427],[7428,7429],0,[7430,7431,6897,7432,7433,7434,7435,7436,7437,7438],0,[6896],[7439],[6444,7440],[7441,7442,7443,7444],[7445,7444,7443],[7442,7443,7444],[7441,7446,7445,7442,7443,7444],[7447],[7447],0,[6377,7448,3143,7449,7450,7451,7452,7453,7454],[3143,7449,7450,7454],0,[7455],[7456],[1392],[7086],0,0,[6377],0,[7457,7458],[6093],[7454,7459,7460],[7461],[7462],0,[2684],[1243],[1243],[7463],0,[7449,7450,7464,7465,7466],[7467],[7468,7463,7457,7469],0,[7470],0,0,[7471],[6444,7249,6398],[7472,7473],0,[7474,7475],[6093],0,[6377,6783,6465,6419],[7476,7477,7478,7479,454,7480],[7481],0,[7482],[6603,6604,6398,7483,7484],[6603,6604,6398,7483,7484],[7485,7486,7487,7488,7489,7490,7491,7492,7493,7494,7495,7496],[6586],0,[7497],0,0,[7498],[7499,6586],[7499],[293,7423,7500,7501],[7502],[463,464],[6444,7503],[7504],0,[7505,7506,7507,7508,7509,7510,7511,7512],[7513,6411,7323,7514],[7513,6411,7515,7514],[7516],[7516],[7517,7518,7519,7520,7521],0,0,[7522],[7523,7524,7525],[7523],[7526],0,[7527,7528],[7527],[7529],0,[7328],0,[2110],[7530,7531,7532,7533,7534,7535,7536,7537,7538,7539,7540,7541,7542,7543,7544,7545,7546,7547,7548,7549,7550,7551,7552,7553,7554,7555,7556,7557],[7558,7559,7560,7561,7562,7563,7564],[7565],[7566],[7567],0,0,0,0,[75
68,7569],[7568],[7246,7247,7222,7223,7224],0,0,0,[7570],0,[7571],[7571],[7572,7573,7574],[6377],[7575],[7575],[6377,7576,7577,7578,7579,7580],[7581,7576],[7581,7576],[7582,7583],[7582,7583],[1709],[392,7449,7584,7585],[6377,7576],[6093,7586],[6377,7449,7584],[7449,7584,7587],[7588],[7589],[6395,7449,7584],[7449,7584,6093,7590,7591,7592],[6093],0,[6377],[6377],[6395,7593],0,[6864,7594,7595],[7592],[6377,7576],[6377,7576],[6493,7596,7597,6093],[7461,7598],[7461,7598],[7461,7598],0,0,0,[6439],[7599,7600,7601,7602,7603],[7604,7605,7606,7607,7608,7609,7610,7611,7612,7613,7614,7615,7616,7617,7618,7619,7620,7621,7622,7623],[6394,6395,6396,6397,7624,7625,7626,6377,6586],[7627,7628,7629],[7630,7631,7632,7633,7634],[7635,7636],[7635,7636],[7637,7638,7639,7640,7641],[7419,843],[7642],[7642],[7643],[6783,6864,7644,6616,6383,7645,7646,7647,7648,7649],0,[7650,7645,7646,7647,7648],0,[7651,6864,7644,7652,7653,7654,7655,7656,7657,7658,7659,7660],0,[6783,6616,6383,7645,7646,7661,7662,7663],0,[6783,6616,6383,7645,7646,7661,7662,7663,7664,7665,7666,7667,7668,7669,7670,7671,7672,7673,7674,7675,7676,7677,7678,7679],[7661,7680,7681,7682,7683,7684,7685,7686,7687,7688,7689,7690,7691,7692,7693,7694,7695,7696,7697,7698,7699,7700,7701,7702,7703,7704,7705,7706,7707,7708,7709,7710,7711,7712,7713,7714,7715,7716],[7717,7718,7719,7720,7721,7722,7723,7662,7663],[7724],[6378,6616,7645,7646,7647,7648,7725,7726],0,[6783,6864,7644,6616,6383,7645,7646,7647,7648],0,0,0,[7727,7728,7729,7730,7731,7732,6383,7733,7734,7735,7736,7737,7738],0,[7739,7740,7741,7742,7743],0,[7744,7644,6382,6383,7645,7646,7647,7648,7649],0,[7745,7645,7646,7647,7648],0,[7744,7644,7652,7746,7645,7646,7647,7648],0,[6382,6383,7645,7646,7747,7748],0,[6378,7654,7655,7656,7657,7729,7749,7750,7751],0,[7752,6382,6383,7753],0,0,[7754,7755,7756,7757,7758,7759,7760,7313],0,0,[6378,7654,7655,7656,7657,7750,7751,7761,7749,6382,6383],0,0,[7762,7763,7747,7748,7764,7416],0,0,[6412,7744,7765,7766,7767,7768,7769,7770,7771,7772,6382,6383,7649,7644],[6
412,7744,7765,7766,7767,7768,7769,7770,7771,7772,6382,6383,7649,7644],[6412,7744,7652,7746,7765,7766,7767,7768,7773,7644],[6412,6437,7765,7766,7767,7768],[6412,6437,7765,7766,7767,7768],[7651,6864,7644,7652,7653,7658,7659],[7774,7775,7776,7777,7778,7779,7780,7781,7782,7783,7784,7785,7786,7787,7788,7789,7790,7791,7792,7668,7793,7794,7795,7796,7797,7798,7799,7800,7801],[7802,7803,7664,7804,7805,7665,7666,7806],[7742,7743],0,[7807],0,[7807],0,[7807],0,[7807],0,[7807],0,[7807],0,[7807],0,[7807],0,[7807],0,[7807],0,[7807],0,[7807],0,[7807],0,[7807],0,[6608,7807,7808],[7809,7810,7811,7812,7813,7814,7815,7816,7817,3386,7818,7819,7820,7821,7822,7823,7824,7825,7826,7827,7828,7761,7829,7830,7831],[6377,7832],0,[7807],0,[7807],0,[7807],0,[7833],0,[7833,7834],0,[7833],0,[7833,7835],0,[7833],[7833],[7836],[7836],[7836],[7836,6378,7837,7838,7839,7840,7841,7842,7843,7844],0,[7836,6378,7845,7846,7847,7848,7849,7850],0,[7836,7851,7852,7853,7839,7840,7841,7842,7854,7855],0,[7836,7856],[7857],[7858,7859],[7860],[6377,6418,6518,6519,6520,6521,6522,6523,6524,6525,6526,6527,6528,6529,6530,6531,6532,6533,6534,6535,6536,6537,6538,6539,6540,6541,6542,6543],[6646],[6646],0,0,0,0,[7861],0,0,0,0,0,0,0,[6613],[7862],0,[7056,7863,6093],0,[7056,7863,6093],[893],[893,7056,567],0,[7056],0,[7056],[7055],[7055],[7055],[7055],[7055],[7055],[7055],[7055],0,0,[7055,7864],[7055,7864],[7055,7864],[7865],0,0,[7055,6382,6383,7199],[7055,7010,6586],[7055],[7055,7864],[7055],[7055],[7055],[7055],[7055],[7055],[7055],[7055],[7055],[7055],[7055],[7055],[7055],[7055],[7055],[7055],[6385,6420,7866,7867,7868,7869],[7056,7870],[6493,7070,7038,7871,7872,7873,7874],[7875,7876,7877,7878,7879,7880,7038,7874],[7057,7881],[7882,7883,7884,7885,7886,7887,7888],[7889,7890],[7891],[7892,3800,7893],[7894],0,[7894],[7895],0,0,[7896],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,714
4,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,
7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],0,[7516],0,[2383,7897,7898,6419,7899],[2383,7897,7898,7900,7901,7899,6444],[6608,6377,7902,7903],[6377,7902,7904,7905],[6377],[7906,7907],[2383,7898,6419,7908,7902,7909,7910,6377],[2383,7898,7911],[7912,7913,7914],[7915,7373],[6935,6377,7916,6569],[6935,7916,7917],[2383,7898,6419,7899],0,[6377,7918],0,[7919],[6444,7920],[6444,7921],[7922,7923],[6377,7924,7925],[6699,7926,7927,7928],[6377,6789,7929,7930,7931,7932],[7933,4947],[7934],[7935,7936,7937],[7934],[7935,7936,7937],0,[6608],[7938,6444,6377,6382,6383],[7938],[7939,7940],[7941,7942,6377,7943,7944,7945,7946],[6935,6377,6789,7916],[6789,7916,7947],[6444,7920],[6444,7921],[6377],[6377],[6377,7897,7948,7949,7950,7951,7952],[7953,7954,6377,6444,7955,
7956,7957,7958,7959],[7960,7899,7948,2383,6920,7961,7962,7963,7964,7965,7966,7967,7968],[7960,7899,2383,6920,7961,7969,7970,7971,7900,7972,7973],[7974,6444],[6509],[7975,7976],[7977,7978],[6377],[7948,6935,7902,7979,7980,7951,7950,7981],[7948,6935,7902,7979,7980,7951,7950,7981],[7948,6935,7902,7979,7980,7982,7950,7981],[7948,6935,7902,7983,7984],[6448,6377],[7985],[6377,7986],[7038,7987,7988,7989,7990],[6509,6377,6385,6384],[6509,6377,6385,6384],[6626],[7991,7992,7993,7994,7995,7996,7997],[6626],[7998,7999],[3641,6377,6750,8000,8001],[7556],[8002,8003],[225,2487],[8004],[8004],[2249],[2249,1392,8005,8006,8007],[8008,3377],[8009,8010,8011,8012,8008],0,[3378,225,2276,8004],[8008],[8013,8004,8014],[8005,8008],0,[3377,1392,8015,8016,2249],0,[3377],0,[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,64
11],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[641
0,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],0,[8017,8018,8019,8020,8021,8022,8023,8024,8025,8026,8027,8028,8029,8030,8031,8032,8033,8034,8035,8036,8037],[8017,8018,8038],0,[8039,8040,8041,8022,8042,8043,8044],0,0,0,0,0,0,0,0,0,0,[7498],[8039,8045,8046,8047,8048,8049,8050,8051,8052,8053,8054,6840],[8055],[6395,6377,6586,6382,6383,8056],[6377,6586],[6377,6586,6382,7416,8057,8058,8059,8060],[6412,8061],[6412,8061,8062],[6395,6377,6586,6382,7416,8063,8064,8065,8066,8057,8058],[6608,6377,6792,8067,8068],[6608,6377,6792,8067,8068],[6608,6377,6792,8067,8068],[8069,8070,8071,8072,8073,8074,8075,8076,8077,8078,7370,8079],[6509,8080,8081,8082,8083,8084,8085],[6395,8086,8087,6446,8062,8061],[6395,8088,8089],0,0,[8090],0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[6377,2564,7313],[6377,8091,8092,8093],0,0,[8094],[8095],0,0,0,[8096,1632,8097,8098],[8099],[3656],[8100],[8100],[8101,8102,8103,8104],[1632,8105],[1632],0,[1632,8106,8107],[1632,8108],[8109],[8110],[8100],[8111],[6377,8112,8113],[8114],[8114],[8115,3386],[8116],0,[8117,8118,8119],[8120,8121,8122],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401
,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6493,7147,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[401,7143,7144,6771,7145,7146,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[714
8,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[7148,7149,7150,7151,6509],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,
6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[6410,6411],[548,560,1752],[1535,1536,1537,1538,1539,1540,1541,1750,513],[1535,1536,1537,1538,1539,1540,1541,1750,513],[1535,513],[1535,513],[1535,1536,513],[1535,513],[1535,513],[1535,1536,513],[1535,513],[1535,513],[1535,1536,1537,1538,1539,1540,1541,1750,1785,1786,1787,1788,1789,1790,1791,3444,3445,513],[1535,1536,513],[3481,3870],[231,330],[230,231,138,330],[8123,8124,8125,8126,8127,8128,8129,8130,8131],0,[[1900,2442],[1636,2443],[8132,2444],[8133,2445],[8134,2446],[8135,2447],1634,1640,1647,405],[[8132,2445],[405,2446],[1634,2442],[8134,2447],[8136,2448],[1636,2443],8137,[8138,2449],[8139,2450],1898,406,1640,1638,8140,8141],[293,8142,8143],[428,843,1751,1752],[594,595,1933,1934,596,597],[594,595],[8144,8145,
8146],[8144,8145,8146],[8147,120,1454,8148,8149,5239,8150,8151,8152,8153,8154,8155,8156,8157],[8147,525,8158],[8147,117,182,8148,8149,5239,8159,8160,8161,8152,8153,8156],[8147,525,8162],0,0,0,0,0,0,[8144,8145,8146,8163],0,0,0,0,[511],[511],[[511,2451]],[8164,8165,8166,8167,8168,8169,8170,8171,8172,8173,8174,8175,8176,8177,[8178,2452],8179,8180,8181,8182,8183,8184,8185],[1246,1247,1952,1953,1954,1955,1956,8186,1460,4241],[8187,1247,1952,4243,4244,8188,4248,8189,8190,8191,8192,8193,8194],[1246,1247,1952,1953,4250,1954,1956],[1973,1974,657],[1973,1974,657],[511,512,1606,1607,2073],[293,511,512,513,4335,3515],[8195,[401,2453],2352,8196,8197],[8195,[401,2454],2352,8196,8197],[8198,8199,[391,2455],[8200,2456],[8201,2457],2352,3867,454,8195,8202,8203],[8198,8204,[1256,2455],2352,893,454,3867],[8205,[1702,2458],2352,560,330],[[8206,2459],8207,8208,8209,2197,8210],0,[8211,8212,8213,330,8214,2105],[641,642,643,644,330,640,629],[641,642,643,644,330,640,629],[641,642,643,644,330,640,629],[4504,4505,4506,4648],[4504,4505,4506,4648],[4504,4505,4506,4648,4650],[567,530],[4504,4505,4648],[8215,8216,8217,4890,531],[3360,2379],[3360,2379],[[8218,2460],1254,308,8219,8220,1687,8221,8222,8223,8224,8225,8226,8227,8228,2150,657,8229,8230,16,609,8231,8232,8233,4521,8234,8235],[8236,8237,8238,8239,8240,8241,8242,8243,4562,3139,8244,8245,8246,2342],[8236,8237,8238,8239,8240,8241,8242,8243,4562,3139,8244,8245,8246,2342],[4664,4665,4666,4667,4659,4660,4661,4662,8247,8248,8249,8250,8251,8252,8253,8254,8255,8256,8257],[4664,4665,4666,4667,4659,4660,4661,4662,264,8258,294,367,8259,5068,4740,8260,8261,4738],[138,513],[1755,1756,1757,310,1758,303,305],[371],[371],[8262,513],0,0,[401,553,1516,549,1566,1257,920,548,330,1248],[8263,330],[8264,5731,1729,2409,513],0,[657],0,[657],0,[657],0,[657],[4747,8265,8266,8267,8268,8269,8270,8271,8272,8273,8274,8275,8276,8277,8278,8279,8280,8281,8282,8283,8284,8285,8286,8287,8288,8289,8290,8291,8292,8293,8294,8295,8296,8297,8298,8299,8300,8301,8302,8303,8304,8305,
8306,8307,8308,8309,8310,8311],[[8312,2461],8313,8314,8315,8316,8317,8318,8319,8320,8321,8322,8323,8324,8325],[8326,8327,8328,8329,8330,8331,8332,8333,8334,8335],[8336,494],[8336,494],[3003,3145,8337,8338,8339,8340,494],[3003,3145,8336,8337],[3003,3145,8336,8337],[8341,3003,3145,8336,8337,8342,8343,8344],[8341,3003,3145,8336,8337,8342,8343,8344],[3003,3145,8336,8345,8337,8346],[3003,3145,8336,8345,8337,8346],[3003,3145,8336,8345,8337,8346],[3003,3145,8336,8337,2234,8346,8347,494],[3003,3145,8336,8337],[3003,3145,8336,8345,8337,8346],[3003,3145,8336,8345,8337,8346],[3003,8345,32],[3003,3145,8336,8337,2234,8346,8347,494],[3003,3145,8336,8345,8337,8346,1829],[3003,3145,8336,8345,8337,8346,1829],[3003,3145,8337,8338,8339,8340,494],[3003,3145,8336,8345,8337,8346],[3003,3145,8336,8345,8337,8346],[3003,3145,8336,8345,8337,8346],[[8348,2462],8349,8350,8351,8352],[[8348,2463],8349,8350,8351,8352],[[8353,2464],878,8354,8355,8356,8357,8358,8359],[[8353,2465],878,8354,8355,8356,8357,8358,8359],[[8360,2466],[8361,2467]],[8362,8363],[8364,8365,32,441,8366,8367],[8364,8365,32,441,8366,8367],[8365,32,605],[8365,32,8346,5242,605,8368,8369],[8365,32,294,5242,605,8370,8368,8369,8371,8372,8373,8374],[8365,32,605,8370],[8365,32,8346,5242,605,8370,8368,8369],[8365,32,1392,8346,5242,605,8368,8369],[8365,32,1392,8346,5242,605,8368,8369],[8365,32,2178,5242,605],[8365,32,8346,5242,605,8368,8369],[8365,32,605],[8365,32,605],[8365,32,605],0,[8375,6358],[657],[8375,8376,8377],[8378,8379],[8378,8379],[657],[3148,391],[657],[[8380,2468]],[513],[513],[513],[511,513],[511,513],[511,512,1606],[108,[8381,2469]],0,[[8382,2470],8383],[3145,8383,8384,8385,[8386,2471]],[8387,8388,8383,8384,8385,[8386,2471]],[[8389,2472]],[[8389,2472]],[[8390,2473],8391],[[8392,2474]],[[8393,2475],8394,8395,8396,8397,8398],[[8399,2476]],[[8400,2477],8401,8402,8403,8404],[8405,8401,8383,8406,[8407,2478]],[8405,8401,8383,8406,[8407,2478]],[[8408,2479]],[8409,8385,8386,[8410,2480]],[[8411,2479]],[[8412,2479],8413],[[8414,248
1],8415],[[8416,2482]],[[8414,2481]],[[8417,2483],8418],[[8419,2484]],[[8414,2481],8415],[[8419,2484]],[[8420,2485]],[[8421,2486]],[[8422,2487],8401,8402,8403,8423],[[8424,2488]],[[8425,2489],8401,8402,8403],[[8426,2490],8401,8402,8403,8427],[[8428,2491],8401,8402,8403],[[8429,2492],8401,8402,8403,8430,8431],[[8432,2493],8401,8402,8403,8433],[[8434,2494],8401,8402,8403,8433],[[8435,2495],8401,8402,8403,8433],[[8436,2496],8401,8402,8403,8433],[[8437,2497],8401,8402,8403,8433],[[8438,2498],8401,8402,8403,8433],[[8439,2499],8401,8402,8403,8433],[[8440,2500],8401,8402,8403,8433],[[8441,2501],8401,8402,8403,8433],[[8442,2502],8401,8402,8403,8443],[[8444,2503],8401,8402,8403,8433],[[8445,2504],8401,8402,8403,8443],[[8446,2505],8401,8402,8403,8433],[[8447,2506],8401,8402,8403,8433],[[8448,2507],8401,8402,8403,8433],[[8449,2508],8401,8402,8403,8433],[[8450,2509],8401,8402,8403,8433],[[8451,2510],8401,8402,8403,8433],[[8452,2511],8401,8402,8403,8433,8453],[[8454,2512],8401,8402,8403,8433],[[8455,2513],8401,8402,8403],[[8456,2514],8401,8402,8403],[[8457,2515],8458],[[8459,2516],8401,8402,8403,8433],[[8460,2517],8401,8402,8403,8433],[[8461,2518],8401,8402,8403,8433],[[8462,2519],8401,8402,8403,8433,[8463,2520]],[[8464,2521],8401,8402,8403,8433],[[8465,2522],8401,8402,8403,8433],[[8464,2521],8401,8402,8403,8433],[[8465,2522],8401,8402,8403,8433],[[8466,2523],8401,8402,8403,8433],[[8467,2524],8401,8402,8403,8433],[[8468,2525],8401,8402,8403,8433],[[8469,2526],8401,8402,8403,8433],[[8470,2527],8471],[[8472,2528],8401,8402,8403,8433,8473,8474],[[8472,2528],8401,8402,8403,8433,8475,8476,8477,8478,8479,8480],[[8472,2528],8401,8402,8403,8433,8481,8475,8476,8477,8478,8479,8480,8482,8473,8474],[[8483,2529],8401,8402,8403,8433,8481,8484,8485,8486,8487,8488],[[8489,2530],8401,8402,8403],[[8490,2531],8401,8402,8403,8491],[[8492,2532]],[[8493,2533]],[[8494,2534]],[[8495,2535]],[[8496,2536],8401,8402,8403,8433],[[8496,2536],8401,8402,8403,8433],[[8497,2537],8401,8402,8403,8433],[[8498,2538]
,8401,8402,8403,8433],[[8498,2538],8401,8402,8403,8433],[[8499,2539],8401,8402,8403,8433],[[8500,2540],8401,8402,8403,8433],[[8501,2541],8401,8402,8403,8433],[[8502,2542],8401,8402,8403,8433],[[8503,2543],8401,8402,8403,8433],[[8504,2544],8401,8402,8403,8433],[[8505,2545],8401,8402,8403,8433],[[8505,2545],8401,8402,8403,8433,[8506,2546],8507],[[8508,2547],8401,8402,8403,8433],[[8509,2548],8401,8402,8403,8433,[8506,2546],8510,8511,8512,8513],[[8514,2549],8401,8402,8403,8433,8515],[[8516,2550],8401,8402,8403,8433],[[8517,2551],8401,8402,8403,8433],[[8518,2552],8401,8402,8403,8433],[[8519,2553],8401,8402,8403,8433],[[8520,2554],8401,8402,8403,8433],[[8521,2555],8401,8402,8403,8433],[[8522,2556],8401,8402,8403,8433,[8523,2557]],[[8524,2558],8401,8402,8403,8433,[8525,2557]],[[8526,2559],8401,8402,8403,8433],[[8527,2560],8401,8402,8403,8433,[8528,2561]],[[8529,2562],8401,8402,8403,8433,[8530,2546]],[[8531,2563],8401,8402,8403,8433,[8530,2546],8532],[[8533,2564],8401,8402,8403,8433],[[8534,2565],8401,8402,8403,8433,[8535,2566]],[[8536,2567],8401,8402,8403,8433],[[8537,2568],8401,8402,8403,8433,[8538,2569]],[[8539,2570],8401,8471,8540],[[8539,2570],8383],[[8541,2571],8401,8540],[[8542,2572],8401],[[8543,2573],8401],[[8544,2574],8401,8402,8403,8545,8546,8547],[[8548,2575],8401,8402,8403],[[8549,2576],8401,8402,8403,8550],[[8551,2577],8401,8402,8403,8550],[[8552,2578],8401,8402,8403,8553,8554,8555],[[8556,2579],8401,8402,8403],[[8557,2580],8401,8402,8403,8558,8559],[[8560,2581],8401,8402,8403],[[8561,2582],8401,8562,8563],[[8564,2583],8401,8402,8403],[[8565,2584],8401,8402,8403],[[8564,2583],8401,8402,8403,8566,8567],[[8568,2585],8401,8402,8403],[[8569,2586],8401,8402,8403],[[8570,2587],8401,8402,8403],[[8571,2588],8401,8402,8403],[[8572,2589],8401,8402,8403],[[8573,2590],8401,8402,8403],[[8574,2591],8401,8402,8403],[[8575,2592],8401,8402,8403],[[8576,2593],8401,8402,8403],[[8577,2594],8401,8402,8403],[[8578,2595],8401,8402,8403,8579],[[8580,2596],8401,8402,8403,8433],[[8581,
2597],8401,8402,8403,8433],[[8582,2598]],[[8583,2599],8401,8402,8403,8433],[[8584,2600],8401,8402,8403,8433],[[8585,2601],8401,8402,8403],[[8586,2602],8401,8402,8403],[[8587,2603],8401,8402,8403],[[8588,2604],8401,8402,8403,8433],[[8589,2605],8401,8402,8403],[[8590,2606],8401,8402,8403,8433],[[8591,2607],8401,8402,8403,8433],[[8592,2608],8401,8402,8403,8433],[[8593,2609],8401,8402,8403,8433],[[8594,2610],8401,8402,8403,8433],[[8595,2611],8401,8402,8403,8433,8596],[[8597,2612],8598,8599,8402,8403,8433],[[8600,2613],8401,8402,8403,8601,8602,8603],[[8604,2614],8401,8402,8403],[[8605,2615],8401,8402,8403],[[8605,2615],8401,8402,8403],[[8606,2616],8401,8402,8403,8607],[[8608,2617],8401,8402,8403],[[8608,2617],8401,8402,8403],[[8609,2618],8401,8402,8403],[[8610,2619],8401,8402,8403],[[8611,2620],8401,8402,8403,8601,8603],[[8612,2621],8613],[8614,8615,8616,[8617,2622],[8618,2623],8619,8620],[8614,8621,8616,[8617,2622],8620],[8614,8622,[8623,2624]],[8624,[8619,2625],8625,[8626,2626],8627,[8628,2627]],[[8629,2628],8613],[[8630,2629],8401,8402,8403,8601,8603],[[8631,2630],8401,8402,8403,8601,8603],[[8632,2631],8401,8402,8403,8601,8603],[[8633,2632],8401,8402,8403,8601,8603],[[8634,2633],8401,8402,8403,8433],[[8635,2634],8401,8402,8403,8601,8603,[8636,2635]],[[8637,2636],8598,8599,8402,8403,8433,8453,[8638,2637]],[[8639,2638],8401,8402,8403,8433],[[8640,2639],8401,8402,8403,8433],[[8641,2640],8401,8402,8403,8433,[8636,2641]],[[8642,2642],8401,8402,8403,8433],[[8643,2643],8401,8402,8403,8433],[[8640,2639],8401,8402,8403,8433],[[8644,2644],8401,8402,8403,8645,[8646,2645],8647],[[8648,2646],8598,8599,8402,8403,8433,8453,[8649,2647],8650,8651,8652,8653],[[8654,2648],8598,8599,8402,8403,8433],[[8655,2649],8401,8402,8403,8433],[[8655,2649],8598,8599,8402,8403,8433],[[8656,2650],8401,8402,8403],[[8657,2651],8658],[[8659,2652]],[[8660,2653],8661,8662],[[8663,2654],8661],[[8664,2655]],[[8665,2656]],[[8666,2657],8667],[[8668,2658],8667,8669],[[8670,2659],8671],[[8672,2660],8401,8562,856
3],[[8673,2661]],[[8674,2662]],[317],[2332,2333],[5174,2267,[5175,2262],[1358,2263],[2270,2264],916,5176,5177,918,920,444,5214],[409,410,411,909,8675],[409,410,411,909,8675],[409,410,411,909,8675],[511,512,1606,1607,2073,2074,2075,2076],[549,553,[8676,2663],401,1248,494,8677],[[0,2664],[1,2665],[2,2666],[3,2667],[8678,1465],[8679,1466],[4305,2668],[8680,2669]],0,[548,4335,3515],[612,[1295,2670],[391,2671],[8681,2672],8682,8683,8684,8685,8686,8687,1622,8688,8689,330],[5727,5728,5729,330,560,5730,5731,1729,5732,2409,325,559,554,555,513],[1295,8690,8691,5731,513],[1295,8692,513],[1535,513],[1535,1536,1537,1538,513],[1535,513],[[8693,2673],[8694,2674]],[[8693,2675],[8694,2676]],[[8693,2677],[8694,2674]],0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[525],0,[525,8695],0,0,0,0,[494,8696],[525],0,[525],[8697],[525],0,[525],[8698,8699,525],[8698,8699,525],[8698,8699,525],0,0,[8700,1687],[8700,1687],[8700,1687],[8700,1687],[8700,1687],[8700,1687],[8700,1687],[8700,1687],0,0,0,0,[8700,1687],[8700,1687],[8700,1687],[8700,1687],0,0,0,0,0,0,[8700,1687],[8700,1687],0,0,0,0,0,0,0,0,0,0,0,0,[8700,1687],[8700,1687],0,0,0,0,[8700,1687],[8700,1687],[8700,1687],[8700,1687],0,0,0,0,[7461,138],0,[2684],[8701],0,[2684],0,0,[3982,8702],[3982,8702],0,0,0,0,0,0,0,0,0,0,[8703],[8703],0,0,0,[3982,8702],0,0,0,0,0,0,0,0,0,[8704,8705,8706,8707,8708,6358],[2416],0,[2416],0,[2416,1243],0,[8709],[8709],[8709],0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[8710,8711],[293],[293,525,8712,8713,8714,8715,8716],[2081,8717,8718],[2081,525,391,293],[8719,4503,8720,8713],[8721,8722,8723,8724,8725,8726],[8721,8722,8723,8724,8725,8726],[6396,8721,8722,8723,8724,8725,8726],[6396,8721,8722,8723,8724,8725,8726],[6396,8721,8722,8723,8724,8725,8726],[8727],[8727],[8728,8727],[8728,8727],[8728,8727],[8728,8727],[8729,8730],[8731,8732,8733,8734,8735,8736],0,0,0,0,[8737,8738,8739,8740,8741],[8742,8743],[3389],[3389],[3389],0,0,0,0,[843,32,8744,173,2805,2409,8745,8746,8747,371],[5809,166,5820,5780,5171,1729,424,5804,1259,5805,8748,8749],[5
809,166,5820,5780,5171,1729,424,5804,1259,5805,8748,8749],[330,3390],[5837,5924,8750,8751,8752,8753,8754,8755,8756,8757,8758],[5908,5923,8759,8760,8761,8762,8763,8764,8765,8766],[5837,8767,8768,8769,8770,8771,8772,8773,8774,8775,8776,8777,8778,8779,8780,8781,8782,8783,8784,5875,8785,8786,5876,8787,8788,8789,8790,8791,8792,8793,8794,8795,8753,376,4530,1301,4531,1303,5877,8796,5840,8797,5993,270,2491,279],[1572,898,5835,5843,3379,8798,5964,5970,2638,5899,8799,8800,5047,8801],[293,8802,8803,8804,8805],[293,8803,8804,8806],0,[8807,8808,4919],0,[8808,4919],0,[8807,8808,4919],0,[4919],0,[8809,4919],[4919],[8810],[4919],0,0,[8811,513,4335,3515],[262,8811,8812],[8813],[401,8814],[330],[293,8815,8816,8817,8818],0,[391,8819],[2403,391,8819],[1535,1536,513],[2110],[[511,2678]],[[511,2679],[512,2680]],[525,8820],[8821,8822,8820],[6241,220,2270,8823,8824,391,899,6233,2738,270,8825,8826,8827],[6241,220,2270,8823,8824,391,899,6233,2738,270,8825,8826,8827,548],[1535,513],[1535,1536,1537,1538,1539,1540,1541,513],[1535,513],[1535,513],[1535,1536,1537,1538,513],[1535,1536,1537,1538,513],[1535,513],[1535,1536,513],[1535,1536,1537,513],[1535,513],[1535,513],[1535,1536,513],[1535,1536,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,1536,513],[1535,513],[1535,513],[1535,513],[1535,1536,1537,1538,1539,513],[1535,513],[1535,1536,1537,1538,1539,513],[1535,513],[1535,513],[1535,513],[1535,1536,1537,513],[1535,1536,1537,513],[1535,1536,513],[1535,1536,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,513],[1535,1536,513],[1535,1536,1537,513],[1535,513],[1535,513],[1535,1536,513],[1535,1536,513],[524,513],[8828,8829],[8830,8831,8832,8833,8834],0,0,0,0,0,0,[7823,7824],[8835,8836],0,0,0,0,0,0,[8829],[6624,8837,8838,8839,8840,8841,8842,8843,8844],[8839,6624,3815,8845,2719,8846,8847,8848],[6624,8839,8845,2719,8849,8850],[8839,8851,8852],[8853,8854,8855],0,[7823,7824],
[6624,8845,8856,8857],[8858,8859,8860,8861,8862,8863,8864,8865,8866],[8858,8859,8860,8861,8867,8868,8869,8870,8871,8872,8873,8874,8875,8876,8877,8878],[8858,8859,8829,7823,7824,8871,8872,8874,8875,8876,8877,8878],[8879,8880],[8881],0,[6396],[6396],[8829,6396],[8829,6396],[8877,8876],[8882,8883],[8884,8885],[8859,8886,8887],0,[8888,8889,8890,8725,8726,7823,7824],[8885,8858],0,0,[8891,8892],[8829,6396],[8893],[8829,6396],[8830,8832,8833,8834],0,0,0,[8829],[8829],[8894],[8829],[8829],[8894],[8829],[8829],[8895,8896,2110],[8897,8898],[8899,8900,8901,8902,8903,8904],[8905,2487],[8906],[8907],[8908,8909,8910,8911,8912,8913],[8908],[8908,8914],[8908],[8906,8909,8910,8911,8912,8915],[8902,8903],[8907,8916,8917],[8906,8909,8910,8911,8912],[8897,8918,8919,8920,8921,8922],[8906],[8923,8924],[8908,8914],[8907,8916],[8908],[8908,8909,8910,8911,8912],[8906,8925,8926,8927,8928],[8908],[8897],[8906,8909,8910,8911,8912],[8907,8909,8910,8911,8912],[8923,7097,7098],[8897,8918,8909,8910,8911,8912,8929,8930],[8899,8927,8928,8904],[8931,8919,8909,8910,8911,8912],[8908,8919,8932],[8906,8933],[8934,8935,8936,8937],[8906,7461],[8908,8938],[8908,8902,8903],[8906,8909,8910,8911,8912,8939],[8908,8918,8920,8921,8922,8919],[8908],[8908,8940],[8908,8902,8903],[8908,8941,8906,8942],[8908,8943],[8908,8940],[8908,8914],[8908,8909,8910,8911,8912],[8908,8944],[8908],[8908,8945,8907,8897],[8908,8909,8910,8911,8912],[8908,8909,8910,8911,8912],[8902,8903,8946],[8902,8903,8946],[8902,8903,8946],[8902,8903,8946],[8902,8903,8946],[8902,8903,8946],[8902,8903,8946],[8902,8903,8946],[8908,8947],[8908,8947],[8908,8921,8922,8948,8949,8950,8951,8952,8953,8954,8955,8956,8957],[8908,8958,8959,8960,8961,8962,8963,8964,8965,8966,8967,8902,8903],[8968],[8969,8970,8971],[8908,8972],[8908,8972],[8973,8974,8975],[525],[8976,8977],[8978,8902,8903,8977],[8976],[8978,8902,8903,8977],[8977],[8979],[909],[8980,8981],[8980,8981],[8982],[6624,8837,8838,8839,8840,8841,8842,8843,8844],0,0,[8983,8984],[8983,8984,6093],[8983,8984],
[8983,8984,8985,8986,8987],[8988],[8988],[8989],[7092,8990,8909,8910,8911,8912,8970,8971],[525,8973,8991],[8971],[1622],[7092,8990,8971],[8992,8993],[7092,8990,8971],[8979,525],[8971,8970],[7092,8994,8990,8971],[8970,8995],[2195,8975],[7092,8994,8990,8971],[8970,8996,8997,8998,8971],[8999],[7092,8998,8970,8971],[6608],[9000],[8897],[9001,9002],[8897,376],[9001,531,9003],[8897,8919,9004],[8908,9005],[9006,567],[8944,8900,8901,8902,8903],[8897,8898],[8897,376],[9007,9008],[8897,9006,525],[8897,8920,9009,9010,9011,376],[8897,8918],[8944],[8897,376],[8897,376],[8944,9012],[8897,8909,8910,8911,8912,8929,8930,9013],[8944],[8897],[8897,376],[9001],0,[8897,9014,9015,8898,8919],[9016,8975],[8900,8901,9017],[8900,8901,9017],[9018,8975],[9019,9020,7645,7646,7823,7824],[8854],[8842,9021],[9022,8939],[9022],[9022],[9023,9022],0,[8902,8903,8946],[9024],[8902,8903],[8900,8901,8902,8903,9025],[8900,8901,8902,8903,9025],[8908,9026,8909,8910,8911,8912,9027,9028],[8908,9026],[8902,8903,879],[8944],[8907,8909,8910,8911,8912],[8988],[8907,8916,8917],[8907,8916,8909,8910,8911,8912,525],[8907,8916],[8907,8916,8902,8903,525],[8988],[8907],[8899,9029,8902,8903,9030],[9002,9008,9029],[9031,9029,8902,8903,9030],[9032,9033,8908,8902,8903,9030],[9033],[9002,9008,9029],[8907,8902,8903],[8899],[8899],[8899,8902,8903],[9034],[7101,9035,9036,9037,9038,9039,9040],[8934,8935,8936,8937],[8934,8935,8936,8937],[9041],[9042,9043],[3821],[9044,9045,9046,9047,8921,8922,8950],[9048,9044,8921,9049],[9050,9045,8950],[9051,8908,1391,466],[9051,8908,4010,9052],[9051,8908,4010,9052],[8908,9053,9054,9055,9056,9057,9058,9059,9060,9061,9062,9063,9064,9065,9066],[9051,8908,8902,9067],[9051,8908,8903],[9051,8908,4010,9052],[8908,8958,8959,8960,8961,8962,8963,8964,8965,9068,8902,8903,9069,9070],[9051,8908,9025,9071,9072,9073,9074,8948,8949],[9051,8908,8903,9067],[9051,8908,9025,9075],[8908,9076,9077,9078,9079,9080,9081],[8908,8900,8901,8957],[9051,8908,9025,9082],[8908,9083,9084,8955,8956,8938,9085],[9051,8908,4010,90
52],[9051,8908,9086,9087,9088,9089],[8908,9090,9091,9092,9093,9094,9095,9096,9097],[9051,8908,9090,9091,9092,9093],[9051,8908,8902],[8908,8958,8959,8960,8961,8962,8963,8964,8965,9068,8902,8903],[9051,8908,9090,9091,9092,9093,9098,9099],[9051,8908,9100,9101,9102,9103],[9051,8908],[9051,8908],[9051,8908],[9051,8908,8902,8903],[9051,8908,9104,9105,9106,9107,9108,9109,8938],[9051,8908,9110,9111,9112,8938,9113,9114,9115,9116,9117,9118],[9051,8908,7097,7098,9110,9111,9112,8938,9113,9114,9115,9116,9117,9118],[9119,8950,9069],[9119,8902,8903],[9119,9044,9045,9046,9120,9121,9122,9123,8938,9124,8902,8903],[9119,8921,8922,9069],[9119,8934,8935,8936,8937],[9119,8938],[9119,8902,8903],[8835,8836],[9125,9126],[9127],[9128],[9125],[9129],[9130],[9131],[9129,525],[9127,9132],[9129],[9127],[9130],[8908,8958,8959,8960,8961,8962,8963,8964,8965,8966,8902,8903],[8908,9133,9134],[8908,8958,8959,8960,8961,8962,8963,8964,8965,9068,9135,9136,9137,9138],[8908,9139,9140],[8908,8958,8959,8960,8961,8962,8963,8964,8965,9141,8902,8903],[8908],[8908,8958,8959,8960,8961,8962,8963,8964,8965,9068,8902,8903],[8908,8967,9142,8938,9143],[8908,8958,8959,8960,8961,8962,8963,8964,8965,8966,9135,9136,9137,9138],[9119,9144,9145,8900,8901,8938],[8908,9083,9084,8955,8956,8938,9085],[9146,9147,9148,9149,9150],[451,9148,9151],[8842,8845,9152],[8837,8838,9153,9154,8843,8844],[9153,8837,8838],[9153,8837,8838],[9153,8837,8838],[9155,8837,8838,3815,8845,2719],[9156,9157,9158],[9156,9157,9158],[9156],[9155,9159,9160],[9161],[9162,9163,9164,9165,9166,9167,9168],[8908,9169,9170],[8908,9169,9170],[8908,9171,9172,9173,9174,9175,9176,9177,9178],[8908,8958,8959,8960,8961,8962,8963,8964,8965,9068,9179],[8908],[3821],[8908],[9180],[8908],[9181],[9182],[9181,9183,9184,9185],[9181,9186,9187,9188,9189,9190,9191,9192,9193],[8908],[9181],[9182,9194],[8908,8902,8903,9195],[8908,9196,9197],[8908,8902,8903],[8908,8925,8926,8927,8928],[8908,8902,8903,9198],[8908],[8908,9199],[8908,8900,8901],[8908],[9200,9183,9184,9185],[9182],[9182,
9201],[8908],[9200],[9181,9186,9187,9188,9189,9190,9191,9192,9193],[8908],[8908],[8908],[8908],[9182,567],[9182],[9182,9184,9185],[8908],[9180,9188,9189,9190,9191,9192,9193],[8908,8900,8901,8902,8903],[8908,8909,8910,8911,8912],[9182,9184,9185,9194],[8908],[9202,9203,9204],[8908,567],[9202,9205],[8908],[8908],[9202],[8908,567],[8908,9201],[8908,8902,8903],[8908],[8908],[9182],[8908],[8908,8902,8903,9206,9207],[8908,8902,8903,9030,8717],[9202,9204,9203,9208],[8908],[9203,9208,9204],[8908],[8908],[8908],[9182,9194],[8908,8925,8926,8927,8928],[8908],[8908],[8908],[8908,567],[8908],[8908],[8908],[8908,8947],[8908,8902,8903,8717,9030],[8908,9209],[8908],[8908,9210],[8908],[8908],[8908,294,9211,9212,4010],[8908,294,9211,9213],[8908,294,9211,3026],[8908,9214],[8908,567],[567],[9215],[8908,294],[8908,567,294],[8908,294],[8908,294],[8908,294],[8908],[8908],[8908,8900,8901,8902,8903],[8908,8925,8926,8927,8928],[8908,8900,8901],[8908,9216,9217],[8908],[8908],[8908,9218],[8908,8958,8959,8960,8961,8962,8963,8964,8965,9068,8902,8903,9218,9219],[8908],[8908],[8908,8958,8959,8960,8961,8962,8963,8964,8965,7342,9135,9136,9137,9138],[8908],[8908],[8908,8958,8959,8960,8961,8962,8963,8964,8965,8966,8902,8903,9218],[8908],[8908,9218],[8905,9220,9221,9222,9223,9224],[8908,8909,8910,8911,8912,8902,8903],[8908,8947],[8908,8947],[8908,8947],[8908,8947],[8845,2719,9225,9226],[9227],[9227],[9227,8829,9228],[567],[567,9229],[8908,428],[8908,9090,9091,9092,9093,9094,9095,9096,9097],[8908,9090,9091,9092,9093,9094,9095,9096,9097],[8908,428],[8908,9230,9231,428],[8908,428],[8908,9230,9231,428],[8908,9232,9233],[8902,8903,8946],[8908,8902,8903,8946],[8908,8947],[8908,8958,8959,9068],[9234,9235,9236,9237,9185],[8908,9201],[8908,9238,9239],[1484,9240,9241,9242,9243,9244,9245,9246,9247,9248,9249,9250,9251,9252,9253,9254],[9184,9185,9255],[1484,9240,9241,9242,9243,9244,9245,9246,9247,9248,9249,9250,9251,9252,9253,9254],[8908,8725,8726],[9256],[9257],[9257],[9257],[9257],[9257],[9257],[9257],[9258,9259,9
260,9261,9262,9263,9264],[9265],[9266,9267,9268,9269,9270],[9271,9272],[9273,9274,9275,3660],[9273,9274,9275,3660],[9273,9274,9275,3660],[9273,9274,9275,3660],[9273,9274,9275,3660],[3649],[3649],[3649],[3641,9276,9277],[3641,9276],[3641,9276,9278,9279,330],[3641,9276,9280,9281,6140,9282,9283,9284,9285,9286,9287],[3641,9276,9288,5043,9289,9290],[3641,9276,9291,9292],[6608,1661,9293,9294],[6608,1661,9295],[6608,1661,9293,9296],[9297,9298,9299],[531,9300],[531,9300,9301,9302,9289],[531,9303],[893,9304],[6608,1661,9295],[6608,1661,9293,9305],[6608,1661,9295],[1535,1536,513],[1535,513],[1535,1536,513],[1535,513],[1535,513],[422,9306],[1535,1536,1537,513],[511,512,513,4335,9307],[511,512,1606,1607,2073,513,4335,9307],[511,512,1606],[511,512],[1535,513],[1535,513],[524,513],[524,513],[511,512,1606,1607,2073,2074],[524,513],[1535,1536,513],[1535,1536,1537,513],[1535,1536,1537,1538,1539,1540,1541,1750,1785,1786,513],[1535,513],[401,553,1516,549,1566,330,1248],[1535,513],[451,1598,1744,6353,6354,6355],[451,1598,6353,6354],[451,1598,6353],[451,1598,16,6354],[451,1598,224,6353],[451,1598,6353,6354],[451,1598,6354],[451,1598,6354,494],[451,1598,494,6356,6353],[451,1598,6353,6354],[451,1598,6353,6354],[451,1598,6353,6354],[451,1598,494,6356,6357,6354],[451,1598,494,6356,6354],[451,1598,494,6356,9308,6354],[451,1598,494,6356,6357,6354],[451,890,9309,9310,9311,9312,3108,9313,9314],[451,1598,1744,8,224,5774,9315,6360,2494,6361,6354,321],[451,1598,8,224,6360],[451,1598,1744,6360,2494,6362,9316,2491,269,6354,6355],[451,1598,6360,2494,269,6354],[451,1598,9316,2491,6360,269],[451,1598,9316,2491,269,6354],[451,1598,6360,2494,269],[451,1598,6362,6360,269],[451,1598,6362,6360],[451,9317,9318,9319,5007],[451,1598,494,6356,6357,1448,224,6354,6355],[451,1598,494,16,6354,6355],[451,1598,16,224,6354],[451,1598,6369,6354],[451,1598,9320,9321,9322,9323],[451,9324,9325,9326],[451,9324,9325,9327,9328],[9329],[4525,9330],[4525,9290],[4525,9331,6035,9332,9333],[4525],[4525],[4525,9334,6262],[4525,602
7,9335,9336],[4525,6027,9335,9336],[4525],[4525,9337],[9338],[9338],[2250,9339],[2250,9339],0,[2250,9339],[9338],[1461,2250],[9340,9341,8187],[9340,8187],[9340,9341,8187],[9340,9342],[9343],0,0,[9340,9344],[9340,9344],[9340,9344],[9345,9346,330,1752],[9347,9348,7931,32],0,0,[9349,9350,1796,548,640],[530,531],[32,1796],[32,1796],[1815,1816,356,1817,1818,1819,1820,127,120,1821,1822,1823,1824,1825,1826,7,1827,1828],[1815,1816,356,1817,1818,1819,1820,127,120,1821,1822,1823,1824,1825,1826,7,1827,1828],[1815,1816,356,1817,1818,1819,1820,127,120,1821,1822,1823,1824,1825,1826,7,1827,1828],[1821,1829,1830,1831,531,1832,1833,1834,1835,9351,9352,3337,9353,3338,3339,3340,3341,2048,1600,9354,106,1815,1707,3335,3336,1948],[9355,9356],[1243,377,2686,3342,1628,1862,1815,1707,3335,3336,3426,9357,32],[1243,377,2686,3342,1628,1862,1815,1707,3335,3336,3426,9357,32],[1472,5646,9358,9359,9360,9361,9362],[9363,9364],[1564],[32],[594,595,596,597,9365,32],[32],[594,3323,596,652,3324,3325,32,3326,3327,3328,3329,1832,3334,1815,1707,3335,3336,1949,1950,3337,110,3338,3339,3340,3341,2048,1600,106,494,17,1934,1941,3343,3344,3345,3346,3351],[594,3323,596,652,3324,3325,32,3326,3327,3328,3329,1832,3334,1815,1707,3335,3336,1949,1950,3337,110,3338,3339,3340,3341,2048,1600,106,494,17,1934,1941,3343,3344,3345,3346,3351],[594,595,596,597,598,599,32],[594,494,657,9366,9367,9368,9369,9370,9371,1815,1707,3335,3336],[594,494,657,9366,9367,9368,9369,9370,9371,1815,1707,3335,3336],[594,494,657,9366,9367,9368,9369,9370,9371,1815,1707,3335,3336],[1815,1816,1946,1947,1948,32,568,1949,1950,1951],[1815,1816,1946,1947,1948,32,568,1949,1950,1951],[1815,1816,1946,1947,1948,32,568,1949,1950,1951],[1815,1816,9372,9373,32],[594,595,596,597,9365,32],[594,494,657,9366,9367,9368,9369,9370,9371,1815,1707,3335,3336],[594,494,657,9366,9367,9368,9369,9370,9371,1815,1707,3335,3336],[511,512,1606,1607,2073,2074,2075,2076,2077],[9374],[1246,1247],[1246,1247,525],[1246,1247,1952],[1295,9375,3961,1418],[1295,9375,3961,1418],[1295,93
75,8104],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375,1418],[1295,9375,1418],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[1295,9375],[18,2409,9375],[1325,5969,9376,9377,9375],[1325,5969,9376,9377,9375],0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[1325,5969,9376,9377,9375],[1325,5969,9376,9377,9375],[1325,9377,9375],[1325,9377,9375],[1325,9377,9375],[1325,9377,9375],[1325,9377,9375],[1325,9377,9375],[1325,9377,9375],[1325,9377,9375],[1325,9377,9375],[1325,9377,9375],[1325,9377,9375,9378,9379],[1325,9377,9375,9378,9379],[1325,9377,9375],[1325,9377,9375],[1325,5969,9377,9375],[1325,5969,9377,9375],[1325,9377,9375,9378],[1325,9377,9375,9378],[9380,2370,9381,9382],[9380,2370,9382],[9380,2370,9381,9382],[9380,2370,9382],[9383,1729],[9383,1729],[9383,1729],[9383,1729],[9383,1729],[9383,9384,1729,9385],[9383,9386,1729],[9383,1729],[9383,1729],[9383,1729],[9383,1729],[9383,1729],[9383,1729],[9383,1729],[9383,1729],[9383],[9383],[9387,1729],[9387,1729],[9387,9388,1729,9389],[9383,1729],[9383,1729],[9383,9390,1729],[9383,9391,1729,9392],[9383,9390,1729],[9393,1729],[9393,1729],[9393,1729],[9393,1729],[9383,9394,1729],[9383,9394,1729],[9383,9394,1729],[9383,9394,1729],[9386,1729],[9395,9387,1729],[9395,9387,1729],[9395
,9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,9386,1729],0,0,[9396,9387,1729],[9396,9387,1729],[1729],[1729],[9397,1729,9382],[9397,1729,9382],[1729],[1729],[9397,1729,9382],[9397,1729,9382],[9383,1729],[9383,1729],[9383,1729],[9383,9384,1729,9385],[9383,9384,1729,9385],[9383,9386,1729],[9383,1729],[9383,1729],[9383,1729],[9383,1729],[9383,1729],[9383,1729],[9387,1729],[9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,1729],[9395,9387,9386,1729],[9396,9387,1729],[9396,9387,1729],[9383,1729],[9383],[9383],0,0,[9383,9398],[9398],[9383,1729],[9386,1729],[2250,1707],[2250,1707,9383],[2250,4997,1707],[2250,4997,1707,9383],[1707],[1707,9383],[2250,1707,9383],[2250,1707,9383],[9386,9399,1707],[9386,9399,1707,9383],[9386,9399,1707],[9386,9399,1707,9383],[2250,1707],[2250,1707,9383],[2250,1707],[2250,1707,9383],[4998,9400,1707],[4998,9400,1707,9383],[9401,9402,9403],[9404,9401,9403],[9404,9401,9403],[9401,9403,303,305],[9401,9403,303,305],[9401,9403,303,305],[9401,9403,303,305],[9401,9403],[9401,9403],[9401,9403],[9401,9403],[9401,9403],[2250,1707,9383],[2250,1707],0,0,[9401],0,[3319],[1295,9375],[9405,5701,5702],[548,9405,5701,5702],[9406,2150],[9406,2150,548],[9406,2150],[9406,2150],[548],0,[9407],[9408,9409,9410,9411,9412,9413,9414,9415,9416],0,0,0,[4377,554,9417,9418],[641,642,643,644,330,640,629,1375,9419],[9397,391],[4576,4504],[4504,4505,4506],[9420,9421,525],[9422,525],[9423,525],[1900,367,2661,525],[9356,1900],[9356,1900],0,[3110,1887,9424,525,9425],[9426,9427,525],[9428,9429],[9430],[9431],[9431],[9431],[9431],0,[2333],[401,9432,2333],[401,9432,2333],[401,9432,2333],0,[549,295,391,330,909],0,[511,512,1606,2368],[5600,5601,4138,293,5602,330,5603],[5600,5601,4138,293,5602,330,5603],[293,5602,330,5603,9433,9434,9435],[293,5602,330,5603,9433,9434,9435],[5600,5601,4138,293,5602,330,560
3],[5600,5601,4138,293,5602,330,5603],[5600,5601,4138,293,5602,330,5603],[5600,5601,4138,293,5602,330,5603],[5600,5601,4138,293,5602,330,5603],[5600,5601,4138,293,5602,330,5603],0,[511,512],[511],[0,1,2,3],0,0,0,0,0,0,0,0,[1600,2685],[1445,1446,1447,1448,16,1449,1450,1451,1452,1453,9436,9437,9438,9439,9440,9441,9442,9443,9444,9445,9446,9447,9448],[1445,1446,1447,1448,16,1449,1450,1451,1452,1453,9449,9450,9440,9451],[1445,1446,1447,1448,16,1449,1450,1451,1452,1453,9449,9450,9440,9451],[1445,1446,1447,1448,16,1449,1450,1451,1452,1453,9452,9453,9454,9455,9456],[9457,1446,16,9458,9459,9460,9461,9462,9463,9464,9465,609],[9457,1446,16,9466,3514,9467,9468,9469,9470,9471,9465,609],[9457,1446,16,9466,3514,9467,9468,9469,9470,9471,9465,609],[9457,1446,16,9466,3514,9467,9468,9469,9470,9471,9465,609],[9457,1446,16,9466,3514,9467,9468,9469,9470,9471,9465,609],[9457,1446,16,9466,3514,9467,9468,9469,9470,9471,9465,609],0,[525],0,[2699],0,[525],[525],[9472,9473],[2699],[525],0,0,[525],[525],[525],[525],[525,2700,2701],[9474,525,9475],[525],[525],[525],[525],0,[2342,9476,9477,9478,9479],[1240,217,9480,5249],[1240,217,9480,9481,5249],0,[9482,525],[9482,525],0,[9483,9482,330],[377,32,525,560],[9472,9473],[9472,9473],[525],[525],0,[9484,9485],[525],[525],[1460],[1460,1246],[525],[525],[525],[220,330],[220],[220,2708,2709,330],[220,2708,2709],[1246,525],[525],[4241],[4241],[525],0,0,[1246,525],[525],[525],0,[525],[4241],[9486,9487,2110,9488,9489],[9486,9487,9490,2403,9488,9489,2110,525],0,[525],[1246,525],[525],[1246,525],[525],[1246,525],[525],0,[1460,1246],[1460,1246,525],[1460,1246,525],[1246,9491],[1246,9491],[1460],[1460,9491],[9492,9493,9494,9495],[9496,9497],[1460,9491],0,[525],[525],0,[525],[9498,9499,9500,525],[525],[525],[1460,1246],[1460,1246,525],[1460,1246,525],[1460],[9501,9499,9502,525],[1460,1246,9491],[1246,9491],[1460,4241],[1246,525],[9503,9504,9493,9494,9495,9505],[9506,9507,9497,9494,9495,9508],[9509,9510,9511],[1460],0,[1246,9491],[9512,9499,9513,531],[9512,9499,95
13,531],[1246,525],[1460,4241],[9514,9499,9515,525],[9509,9510,9511],[9516,9499,9517,525],[9509,9510,9511],[1600,1601,9518,9519,9520,9521,9522,427,115,1599],[1600,1601,9518,9519,9520,9521,9522,427,115,1599],[1600,1601,9518,9519,9520,9521,9522,427,115,1599,330,640],[1600,1601,3164,1491,1492,657,9523,427,115,1599,3167,3168,3169,3170,1499,138,1505,1515,9524,9525,1518,1523,3241,3242,3178,561,1611,1612],[1600,1601,3164,1491,1492,657,9523,427,115,1599,3167,3168,3169,3170,1499,138,1505,1515,9524,9525,330,640,1518,1523,3178,561,1611,1612],[1600,1601,330,640,1491,1492,1505,427,115,1599,3167,3168,3169,3170,1499,138,1515,1518,1523,3241,3242,3243,3244,3245,3178,561,1611,1612],[1600,1601,1491,1492,1505,1515,1518,427,115,1599,3167,3168,3169,3170,1499,138,1523,3241,3242,3243,3244,3245,3246,3424,3178,561,1611,1612],[1600,1601,330,640,1491,1492,1505,427,115,1599,3167,3168,3169,3170,1499,138,1515,1518,1523,3241,3242,3243,3244,3245,3178,561,1611,1612],[1600,1601,1598,330,640,1491,1492,427,115,1599],[1600,1601,3164,1610,1491,1492,3168,3167,3169,3178,3170,561,1499,657,9523,376,9526,5032,17,9527,1505,138,9528,9529,9530,9531,9532,3871,9533,9534,1594,1515,330,640,1518,9535,9536,9537,9538,1523,1611,1612],[1600,1601,3164,1610,1491,1492,3168,3167,3169,3178,3170,561,1499,657,9523,376,9526,5032,17,9527,1505,138,9528,9529,9530,9531,9532,3871,9533,9534,1594,1515,330,640,1518,9535,9536,9537,9538,1523,1611,1612],[1600,1601,1491,9539,111],[1600,1601,1491,1243,1610,115,138,17,1611,1612],[1600,1601,1491,1243,1610,115,138,17,1611,1612],[1600,1601,1491,1243,1610,115,138,17,1611,1612],[1600,1601,1491,1243,1610,115,138,17,1611,1612],0,[1600,1601,3164,1610,1491,1492,3168,3167,3169,3178,3170,561,1499,657,9523,376,9526,5032,17,9527,1505,138,9528,9529,9530,9531,9532,3871,9533,9534,1594,1515,330,640,1518,9535,9536,9537,9538,1523,1611,1612],[1600,1601,3234,3235,1491,1492,1505,427,115,1599,330,640,3236,3237],[1600,1601,9540,9541,330,640,1491,1492,9542,9543],[1600,1601],[1600,1601,1491,330,640],[1600,1601],[1600,
1601,1491,9544],[1600,1601,1491,9544],[1600,1601,3226,1491,1492,1505,1515,427,115,1599,3230,3231,1518,1523,3234,3241,3242,3243,3244,3245,3246,9545,9546,9547,9548,9549,9550,9551,9552,9553,9554],[1600,1601,3226,1491,1492,1505,1515,427,115,1599,3230,3231,1518,1523,3234,3241,330,640,3242,3243,3244,9545,9546,9547,9548,9549,9550,9551,9552],[1600,1601,3226,1491,1492,1505,1515,427,115,1599,3230,3231,1518,1523,3234],[2780],[1600,1601],[1600,1601,1491,330,640],[1600,1491,1492],[1600,1491,1492],[1600,1491,1492],[1600,1601,2780,3255,3226,3234,330],[427,115],[427,115],[1600,1601],[511],[511],[4757,310],[511],[1600,1601,448,9555,6722,6145],[1600,1601],[1600,1601],[1600,1601,9556,9557],[1600,1601,9556,9557],[1600,1601,3568,1240,9558],[1996],[9559,9560],[524],[524],[2110,4919,511,9561,9562],[2110,511,512,9561,9562],[9563],[9563],[2110,4919,511,9561,9562],[2110,4919,511,9561,9562],[2110,511,512,9561,9562],0,0,[4919,9564],[4919,9564],[9565,9566],[9567],[4525,401],[4525,401],[4525,401],[9340],[9343],[594,595],[594,3323,596,652,3324,3325,32,3326,3327,3328,3329,1832,3334,1815,1707,3335,3336,1949,1950,3337,110,3338,3339,3340,3341,2048,1600,106,494,17,1934,1941,3343,3344,3345,3346,3351],[594,595,596,597,1934,1941,9568,9569,9570],[401],[3820,2513],0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[9402,9403,9401,9571,9572,9573,9574],[9401,2091,9575],[9401,2091,9575],[9401,2091,9575],[9401,2091,9575],[9401,2091,9575],[9401,2091,9575],[9401,2091,9575],[9401,2091,9575],[9401,2091,9575],[9401,2091,9575],[9576,9577],[9578],0,[1393,9579,9580,9581],[2352,9582,9583],0,0,[9257],[9584],[9584],0,0,0,0,0,0,0,[9585],0,0,[9586,9587,3054],0,[9587],[9587],[9587],0,0,0,0,[2454],[9586,9588,9589,9590,9591],[9587],[9587],[9587],[9592,9593],[6396],[6396],[9594,9595],[9584],[9596,9597,9598,9599,9600,9601,9602,9603,9417],[9604,9605,9606,9417],[6396,9607,9608,9609,9610,9611],[6396,7645,7646,7647,7648,525],[6396,9596,1794,9612,8738,8739,8740,8741],[9613,9614,9615,9616],[9617,8738,8739,8740,8741],[43,5394,2622,423,16],[6
41,642,643,644,330,640],[9618,9619,9397,391,9620,9621],[9622,9623,9624,4616,9625,9626,391,9627,9628],[9629,9630,4335,3515],0,0,0,[9631,9632],0,0,0,0,0,0,0,[32],[9633,1661,867],[9633,1661,867,9634,452,9635,9636],[451,1661],[451,1661,9637],[451,1661,867],[451,1661,867,32],0,0,0,0,0,0,0,0,[9638],[511],0,0,0,0,0,[401],[2780],[427,115,4757],[427,115],[427,115],[427,115],[512,2075,2076,511],[511,1606,2076,2077,512],[511,1606,2076,2077,512],0,[524],[524],[524],[4677,32,9639],[4677,32,9639],[3456,3457,3454,32],[9639],[9677,9678,9679],[9639],0,0,0,0,0,0,0,0,0,0,0,[9639],[9639],0,[9680,9681,9682,9683],[9680,9681,9684],[9685,9686,9687],[9688,9689,9690,9687],[9677],[9677,9691,9692],[9677,9691,9692],[9677,9691,9692],[9677,9691,9692],[9677,9691,9692],[9677,9691,9692],[9693,9694,9695,9696,9697,9698,9699],[4509,9700,32],[9639,9698],[9639,9698,9701],[9639,9698],[9639,9698],0,0,0,0,0,0,[9702,9703,9704,9698,32],[9705,9706,9704,9698],[9693,9694,9695,9696,9697,9698,9699],0,0,[264,9707,5853,9639,9698],[264,9639,9698,9708,5853,9709],[9639,9698],0,[9710,3458,401,32],[401],[401,32],[32],[32],[32],[32],[32],[32],[32],[9711,401],0,0,0,[3520,9712],[3520,9712,9713],[3520,9712,9714],0,[32],[9715,8356],[9716,9717,9718,9719,32],0,0,0,[3520,9712,9720,9721],[3520,9712,9720,9721],[3520,9712,9722],[3520,9712,9722],[3520,9712],[3520,9712],[3520,9712],[3520,3081],[3520,9712,9723],[3520,9712],[3520,9712,9724],[3520,9712,9724],[3520,9712,9724],[3520,9712,9723],[3520,9712,9723],[3520,9712,9725,9726],[3520,9712],[3520,9712],[3520,9712],[3520,9712],[3520,9712,9723],[3520,9712],[3520],[3520,9712],[3520],0,[3520,9712],[3520,9712],[3520,9712],[3520,9712],0,0,0,0,0,0,0,0,0,0,[9710,32,401],[553],[553,32],[32],[32],[32],[32],[32],[32],[32],[32],[32],[32],[3456,3457,3454],[9727,8356],[9728,9729,32],0,0,0,[32],0,[9705,3568],[32],[9730,553],[3552,9731,9732],[32],[3552],[3552],[32],[3552],[9733],[3561,9734],[9303],0,0,[3530,3529,3533],0,0,0,0,0,0,[3530,3529,3533],[32],[32],[32],[32],[32],[32],[32],[32],[32],[3530,3533
,294,32],[553,3530,3533,9735,32],[553,3530,3533,9735,32],0,[3552],[3556,3559],0,0,0,0,0,0,0,0,0,[9736],[32],[9736],0,[9759,9760],[9759,9760],[9759,9760],0,0,0,[1543],0,[9759,9760],[9761],[9761],[9761,1472],[9761,1472],[9762,9763],[4919,9762,9763],[9764],[12422,12423,12424,12425,12426,12427,12428,12429,12430,12431,12432,12433,12434,12435],[1392,2684,12435,10093],[12436,12437,12438,12439,12440,12441,12442,11911,12443,3871,12435],[12436,12437,12438,12439,12440,12441,2684,12435,10093],[12436,12437,12438,12439,12440,12441,12444,12445,12446,2684,12435,10093],[12436,12437,12438,12439,12440,12441,12444,12445,12446,2684,12447,12435,10093],[12436,12437,12438,12439,12440,12441,12444,12445,12446,12448,12449],[1543],0,[890],[890],[890],[890],[890],[890],[890],[890],[890],[890,32],[890],[890],[890,5169],[890],[890],[890],[890],[330],[890,5169],[890],[890],[890],[890],[890,5169],[890,5169],[890],[890],[890],[890],[890],[890],[890,5169],[890,5169],[890],[890],[890],[890,5169],[890,5169],[890,5169],[890],[890,32],[890,32],[890],[890],[890,5169],[890,5169],[890,5169],[890,5169],[890,5169],[3149,32],[890,3026,25796],[890],[2234,890,32],[2234],[25797,25798,25799,25800],[890],[890],[2189,2190,890],[890],[1303,2276,16,650,24016,362,364,25835,356,101],[1601,25836,25837],0,0,[330],[843,330,25838],[1829],[1829,548],[1864,25839],[1864,25839],[1864,25839],[1864,25839,548],[1829,25840],[1829,25840],[1829,25840],[25841,466],0,[25842,25843],[17,1446,262,10548],[17,1446,262],[17,1446,262],[17,1446,262],[17,1446,262],[1829],[1829],[1829,548],[1829],[1829],[1829],[548],[548],[25842,293,138,25844],[25842,367,531],[1829],[1829,548],[25842,548],[548],0,0,0,0,[896,466],[896,466],[896],[896,466,548],[896],[896,466],[896,548],[896,466,548],[896],[138],[138],0,0,0,0,[138],0,[1484,548],[548],[25845,25846,25847],[25845,25846,25848],[560,330,25845,25846],[560,330,25845,25846],0,[293,1687,25849,25850],[531,25851,25852,25853,25854,25855],[25856],[25842,32],[25842,32],[25842,32],[25842],[25842,32],[25842],[2584
2,32],[293,1687,25849,25850],[25857],[890,367,25858,918,920,25859],[890,367,891,25860,918,920,25861,25862,25863,25864,25865],[4316,890,367,2779],[401],[25866,25867,25868,16175,25869,25870,25871,32],[20770],[853,854,25872,25873,25874],0,0,[560,330],[560,330],0,0,[13757,1622,2457,1858],[1829,25875],[16070,531],0,0,[25876,25877],0,[25878],[25879,25878],[25880],[16070],0,0,[25909],[25909],[113,377,25910,10131,25911,25912,1992,25913,25914,25915,25916,25917,25918],[113,377,25910,10131,25911,6570,25919,25920,219,25921,25922,25917,25918],[113,377,25910,10131,25911,25923,219,1392,25924,25925,1992,25917,25918],[25926,377,9791,612],0,0,[32,25927,474,371,1794,25928,25929],[25930],[15168,25931,25932,5731,224],[612,19016,12993,18917],[612,19016,12993,18917,32],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25942,14057,3110,138,14797],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057,17457],[25942,14057,17752,2417],[25942,14057],[25942,14057,2624],[25942,14057,2624],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057,20204,32],[25942,14057],[25942,14057],[25942,14057,25943,424],[25942,14057,25944],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057],[25942,14057,115],[25942,14057,24419,115,1308,32],[25942,14057,24419,115,25945],[25942,14057],[25942,14057,24419,115],[25942,14057,25946,24843,25947],[25942,14057],[25942,14057,358,101,25948],[25942,14057],[14057,1882,25949],[14057,1882,25950],[14057,1882,25950],[14057,1882,25950],[14057,1882,25950],[14057,1882,25950],[14057,1882,25950],[14057,1882,25950],[14057,1882,25950],[14057,1882,25950],[14057,1882,25950],[14057,1882,25950],[25934,25935],[25934,25935],[21174,25951,25952,25953],[25951,25953],[2
5934,25935],[25934,25935],[11930,25954,1248,25955,17438,893,13083,7724],[24016,25956,25957,3817,6053,2494,1303,25958,25959,25960,25961,25962,25963,391,25964,25965,25966,25967,1753,25968,25969],[24016,25956,25957,3817,6053,2494,1303,25961,25962,25963,391,25964,25965,25966,25967,1753,25968,25969],[24016,25956,25957,3817,6053,2494,1303,25958,25959,25960,25961,25962,25963,391,25964,25965,25966,25967,25970],[24016,25956,25957,3817,6053,2494,1303,25961,25962,25963,391,25964,25965,25966,25967,25970],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494
,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,21
7,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973
,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[32,217,25971,6027,25972,25973,25974,25975,1622,16,1449,3145,11535,424,25976,25977,22998,25978,25979,25980,10463,25981,25982,25983,494,25984,25985,854],[11930,25954,1248,25955,17438,893,13083,7724],[25986,25987,25988,25989,25990],[25986,25991,25992,5031],[25986,25993,25994,25995,25996,5031],[25986],[25986,25997,5031],[25986,25998,25999,19827,25989,25988,26000,25990],[25986,19827,25989,25988,25987,16,26001,26002,26003,25990],[25986,26004,26005,19827,25989,25988,26000,25990],[25986],[25986],[25986],[25986],[25986,26006,26007,11122],[25986,26006,26007,11122],[25986,26006,26007,11122],[25986,26006,26007,11122],[25986,11824,3026,6570],[25986,11824,3026,6570],[25986,26006,11122,26008,26009],[25986,26010],[19670],[25986,26006],[12677,26006,19670],[12677,26006,26010],[14057],[14057],[14057,1755],[14057],[14057],[14057,843],[14057,843],[14057,382],[14057,26011],[14057],[14057],[14057],[14057],[14057,424],[14057,424],[14057],[14057],[14057],[14057],[14057,330],[14057],[14057],[14057,1829],[14057,1829],[14057,1829],[14057,1829,330],[14057],[14057],[14057,330],[14057],[14057],[14057],[14057,330],[14057],[14057],[
14057],[14057],[14057],[14057,1829],[14057],[14057,1829],[14057,330,26012],[14057,2388],[14057,1829],[14057,1829],[14057,1829,1248,26013,26014],[14057,1829,1248,26013,26014],[14057,1829,1248,26013,26014],[14057,1829,1248,26013,26014],[14057,1829,1248,26013,26014],[14057,1829,1248,26013,26014],[14057,1248,330,107],[424,26015,1730,11900,26016,5699],[424,11327,14638,14639,14640],[424,432,4745,26017,26018],[424,432,4745,26019,26020],[424,1730,11900,26016,5699],[424,494,2249],[424,26016,5699],[424,330],[424,494,2249],[424,494],[424,330,26021],[424,494,2249],[424,494],[424],[424,494,2249],[424],[424],[424,330],[424,330,4118,4645],[424,330,4118,4645],[424,330,4118,4645],[424,330,4118,4645],[424,330,4118,4645],[424,330,4118,4645],[424,330,4118,4645],[424,330,4118,4645],[424,330,4118,4645],[26022,26023,371,26024],0,0,[360],[360],0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[26025,330],[360],[360,330],0,[14057,10496],[14057],[14057],[14057,13892,14611,14612,14613,14614,14615],[14057,2624,13009,14693,14649],[14057,2624,13009,14693,14694,330],[14057,2624,3502,3503,330],[14057,330,110,14678,14679,14680],[14057,2624,3502,3503,330],[14057,2624,3502,3503,330],[14057,330],[14057,5243,5242],[14057,494,371,474],[14057,14682,14683,14684,14685,14686,330,14687],[14057,330],[14057,1755,14688,14689,330],[14057,14690,843,13913,14691],[14057,14650,14651,14621,14652,14653,14654],[14057,2624,13009,13914,14695,14616,330,14696],[14057,2624,13009,13914,14695],[14057,14658,14659],[14057,330],[14057,494,371,474],[14057,13914],[14057],[14057,215],[14057],[14057,14660,14661,14662,14663,14664,14665,14666,14667],[14057,14668,14669,14670,14671,14672,14673,14674,14675],[14057,14641],[14057],[14057,14676,1755,14677],[14057,1755,14621],[14057,13892,14614,14615,14622],[14057,5043,13914,14616],[14057,13914,14616,14623],[14057,14633,14634],[14057],[14057,5043,330],[14057],[14057,9290,330],[14057,1829],[14057,1756],[14057,293,294],[14057,14624,14625],[14057,14626,14627,14628,14629,14630],[14057,11327,371,14631],[14
057,293,14632],[14057,293,14632],[14057,11602],[14057,494,4010,3026],[14057,6235],[14057,11602],[14057,6235],[14057,843],[14057,14633,14634,14635],[14057,2624,330],[14057,14642,14643,14644,14645,14646],[14057,14633,14634,14635],[14057,14633,14634,14635],[26026,401],[401],[26026,401],[553],0,0,0,[26027,4305],[26027,4305],[2684,8717,843,294,12435,28079],[2684,8717,12435],[12435],[2081,3026,294,12435],[2081,12435],[12435],[12435],[843,2684,12435],[28080,28081,12435,28082,9532,3871,12563,2081],[12435],[12435],[2684,12435,10093],[12436,12437,12438,12439,12440,12441],[12436,12437,12438,12439,12440,12441,843,12435],[12436,12437,12438,12439,12440,12441,12444,12445,12446,293,5242,524,12435],0,[890],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[37067],[37068,37069,37070,391,371,474,216],[37068,37069],[7461,37071,37072,371,216],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[37077],[25934,25935],[25934,25935],[25934,25935],[25934,25935],[2283,550,37078,11261,4869],[2283,550,37078,11261,4869],[2283,550,37078,11261,4869],[2283,550,37078,11261,4869],[2283,550,37078,11261,4869,37079],[2283],[2283],[2283,37080],[2283,37080],[2283,37081,37082,37083,37084,37085,37086],[5956,37087,13940,13070,37088,37089],[37087,13940],[5956,37087,37090],[37087],[37087],[37087],[5956,37087,13940,13070,37088],[11930,25954,1248,25955,17438,893,13083,7724],[3145,494],[16,37091,4862,4863,4864,4865,17510,4867,4868,4869,37092,37093,37094,37095,6499],[16,37091,4862,4863,4864,4865,17510,4867,4868,4869,37092,37093,37094,37095,6499],[16,37091,4862,4863,4864,4865,17510,4867,4868,4869,37092,37093,37094,37095,6499],[16,37091,4862,4863,4864,4865,17510,4867,4868,4869,37092,37093,37094,37095,649
9],[37096,37097,37098,37099,37100,37101,37102,37103,37104],0,[37105,37106,37107,27091,37108,1691,474,37109,37110,9630,37111,37112,37113,37114,27434],[2259,13185,15568,11199,8341,3145,3003,15570,8337],[3003,8337],[3003,8337],[2259,13185,15570,3003,8337],[16,25556,4869,220,71,17,34877,34878],[37115,37116,37117,37118,37119,37120,37121,37122],[37123,32,1392,37124,605],[2259,925,10550,951,21635,3026,37125,37126,37127,37128,37129,2265,37130,37131,10925,37132,890,25861],[37123,32,1392,37124,605],[37123,32,1392,37124,605],[37133,37134,11199,37135,37136,452],[857,37137,37138,37139,37140,11044,452,2043,37141,220,869,868],[9597,10550,37142,37143,457],[37123,32,1392,37124,605],[37123,32,1392,37124,605],[1687,4785,4786,4787,4788,4789,4790,4791,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[1687,4785,4786,4787,4788,4789,4794,4795,4796,4797,4798,4799,4800,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[1687,4785,4786,4787,4788,4789,4792,4793],[37144,37145,37146,37147,37148,37149,37150,37151,37152,37153,37154,37155,37156,37157,37158,13160,11733,37159,37160,37161,37162,37163,37164,37165,37166,37167,37168,37169,37170,37171,37172,37173,37174,37175,37176,37177,37178,912,37179],[37180,37181,37182,37183,37184,37185,37186],[16,27093,4852,11199,37187,27094,27100,27095,27097,37188,8232,27099,27096,27098,37189],[37190,37191,37192,37193,37194,37195,37196,37197,37198,37199,37200],[3145,494],[122,35848,37201,37202,37203,37204,37205,37095,37206,37207,37208,11199],[37209,37210,37211,37212,12472,12473],[2378,16,8908,165,197],[37213,16,2271,424,23711,37214,391,10463,8231,142,231,647,4851],[37215,3145,37216,35469,16],[37217,34799,37218,37219,37220,25951,609,22072,15929,37221,9811,11199],0,0,0,0,[37222,609,2684,11199],[37222,609,24880,11199],[609,4874,4875,11199],[609,4874,4875,11199],[37123,37223,2249,8356,11199,134],[609,4874,4875,11199],[609,4874,4875,11199],[17510,609,878,11199],[2259,13185,15568,11199,8341,3145,3003,15570,8337],[2259,13185,15568,11199,8341,3145,3003,15570,8337],[225
9,13185,15570,3003,8337],[3003,8337],[3003,8337],[3003,8337],[609,37224,37225,1593,37226,37227],[2567,609],[609,2178,11870],[27263,3145,26047,8338,21067,8340,37228],[27263,3145,8336,26047],[27263,3145,8336,26047],[4010,27263,3145,8336,26047,993,37229],[4010,27263,3145,8336,26047,993,37229],[27263,3145,8336,3380,26047,8346],[27263,3145,8336,3380,26047,8346],[27263,3145,8336,3380,26047,8346],[27263,3145,8336,26047,2234,8346,8347,494],[27263,3145,8336,26047],[27263,3145,8336,3380,26047,8346],[27263,3145,8336,3380,26047,8346],[37230,37231,37232,37233],[27263,3145,8336,26047,2234,8346,8347,494],[27263,3145,8336,3380,26047,8346,494],[27263,3145,8336,3380,26047,8346,494],[27263,3145,8336,3380,26047,8346,494],[2378,6608,16,2684],[2378,6608,16,2684],[2378,6608,16,2684],[8356],[3360,37234],[3360,37234],[37123,37223,2249,8356,11199],[37235,3145,13096,27263,37236,9640],[37235,3145,13096,27263,37236,9640],[37123,37235,3145,13096,27263,37236,9640],[37123,37235,3145,13096,27263,37236,9640],[25986,37237,37238,37239,37240],[37235,3145,13096,27263,37236,9640,32],[25986,37241,37242],[25986,37241,37242],[5956,37243,13070,13940,17136,11261,37244],[5956,37243,13070,13940,17136,11261,37244],[13940],[13940,37245,37246,37244],[13940,37245,37246],[37247,37248,37249],[14563,14547,14549,14550,14548,14551,14553,14554,14555,14556,14557,14558,14559,14560,14561,14562],[37250,37251,37252,37253,37254,37255,37256,37257,37258,37259,37260,37261,37262,37263,37264,37265,37266,37267,37268,37269,37270,37271,37272,37273,37274,37275,37276,37277,37278,37279,35493,35492,35491,14023],[3513,14745,391],[3513,31702,16,391,37280],[3513,31702,16,391,37280],0,0,0,0,[3513,14745,391],0,[3513],[3513],[3513],[3513],[3513],[3513],[3513],[3513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[3
513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[37282,37283,37284,1829],[37282,37283,37284,1829],[3513,37281,11182,2250,4997],[3513,37281,11182,2250,4997],[3513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[3513,37281,11182,1887],[37285,37286,37287,37284,37288],[37287,37289,37290,37291,37292],[6102,37293,37294,17136,6247,37295],[6102,37293,37294,17136,6247,37295],[6102,37293,37294,17136,20266,37295,27757],[6102,3005],[6102,37294],[5873,37345,2104],[5873,37345,2104],[5873,37345,2104],[5873,37346],[5873,37345,2104],[5873,37345,2104]],"cnt":{"0":"See the [Logon Type Reference](/references/logon-types/) for a full breakdown of LogonType values and detection guidance.","1":"The Status field indicates the top-level failure reason; SubStatus provides additional detail. When Status is 0xC000006D (generic logon failure), check SubStatus for the specific cause.\n\n**Kerberos result codes** (Status, when authentication uses Kerberos):\n\n| Code | Description |\n| ---- | ----------- |\n| 0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN — invalid/non-existent user account |\n| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN — requested server not found |\n| 0xC | KDC_ERR_POLICY — policy restriction prohibited logon |\n| 0x12 | KDC_ERR_CLIENT_REVOKED — account locked, disabled, or expired |\n| 0x17 | KDC_ERR_KEY_EXPIRED — expired password |\n| 0x18 | KDC_ERR_PREAUTH_FAILED — invalid password |\n| 0x25 | KRB_AP_ERR_SKEW — clock skew too great between client and server |\n\n**NTSTATUS codes** (Status and SubStatus):\n\n| Code | Name | Description |\n| ---- | ---- | ----------- |\n| 0xC000006D | STATUS_LOGON_FAILURE | Generic logon failure — check SubStatus for detail |\n| 0xC0000064 | STATUS_NO_SUCH_USER | Non-existent account username |\n| 0xC000006A | STATUS_WRONG_PASSWORD | Incorrect password (username correct) |\n| 0xC000006E | STATUS_ACCOUNT_RESTRICTION | Account restriction prevented logon |\n| 0xC000006C | STATUS_PASSWORD_RESTRICTION | Password does not meet 
policy requirements |\n| 0xC000006F | STATUS_INVALID_LOGON_HOURS | Account not allowed to log on at this time |\n| 0xC0000070 | STATUS_INVALID_WORKSTATION | Account not allowed to log on from this computer |\n| 0xC0000071 | STATUS_PASSWORD_EXPIRED | Expired password |\n| 0xC0000072 | STATUS_ACCOUNT_DISABLED | Disabled account |\n| 0xC000005E | STATUS_NO_LOGON_SERVERS | No logon servers available |\n| 0xC0000133 | STATUS_TIME_DIFFERENCE_AT_DC | Clock skew between client and DC too great |\n| 0xC000015B | STATUS_LOGON_TYPE_NOT_GRANTED | Logon type not granted to this account |\n| 0xC000018D | STATUS_TRUSTED_RELATIONSHIP_FAILURE | Trust relationship between domain and trusted domain failed |\n| 0xC0000192 | STATUS_NETLOGON_NOT_STARTED | Netlogon service not started |\n| 0xC0000193 | STATUS_ACCOUNT_EXPIRED | Expired account |\n| 0xC0000224 | STATUS_PASSWORD_MUST_CHANGE | Password must change at next logon |\n| 0xC0000234 | STATUS_ACCOUNT_LOCKED_OUT | Account locked out |\n| 0xC0000388 | STATUS_DOWNGRADE_DETECTED | Kerberos/NTLM downgrade detected |\n| 0xC0000413 | STATUS_AUTHENTICATION_FIREWALL_FAILED | Blocked by authentication policy/silo |","2":"Operation on AD object, may indicate enum of domain trusts, OUs, SPNs, ACLs. Also logged when an attacker uses mimikatz or similar to extract the DPAPI Domain Backup Key.","3":"May also indicate remote creation via relayed SMB/WinRM session, PS cmdlets, DCOM over RPC, WMI, others.","4":"May indicate path or trigger edits.","5":"System audit policy changed. Attackers often disable auditing to reduce detection.","6":"Member added to security-enabled global group. May indicate domain-level privilege escalation, ie membership in Domain Admins.","7":"User account changed, may capture priv-esc, password changes, or UAC flag changes.","8":"Attackers may rename an existing, highly privileged account to blend in.","9":"May indicate high-impact changes in AD, like adding SID history or malicious GPOs. 
Attribute change to msDS-AllowedToActOnBehalfOfOtherIdentity is usually suspicious and indicates a Kerberos relay attack.","10":"May indicate high-impact changes in AD.","11":"Image loaded. Generated when a process loads a DLL into memory, ie, side-loading.","12":"CreateRemoteThread. Detects some process-injection methods.","23":"Logon with explicit credentials (RunAs, SchTasks, Pass-the-Hash, WinRM, SMB). May appear when an NTLM relayed session is used to create a service/task. Useful with 4624 (successful logon)/4634 (logoff completed) for reconstructing interactive or service logons.","24":"Combined with 4663, may reveal bulk reads of sensitive shares before data exfil.\n\nThe AccessMask shown assumes **File** access rights (the most common context). The actual meaning of bits 0x01–0x80 depends on the ObjectType GUID at runtime. Common alternatives:\n\n| Bit | File | Registry | Process | Service |\n| --- | ---- | -------- | ------- | ------- |\n| 0x01 | ReadData / ListDirectory | KEY_QUERY_VALUE | PROCESS_TERMINATE | SERVICE_QUERY_CONFIG |\n| 0x02 | WriteData / AddFile | KEY_SET_VALUE | PROCESS_CREATE_THREAD | SERVICE_CHANGE_CONFIG |\n| 0x04 | AppendData / AddSubDir | KEY_CREATE_SUB_KEY | PROCESS_SET_SESSIONID | SERVICE_QUERY_STATUS |\n| 0x08 | ReadEA | KEY_ENUMERATE_SUB_KEYS | PROCESS_VM_OPERATION | SERVICE_ENUMERATE_DEPENDENTS |\n| 0x10 | WriteEA | KEY_NOTIFY | PROCESS_VM_READ | SERVICE_START |\n| 0x20 | Execute / Traverse | KEY_CREATE_LINK | PROCESS_VM_WRITE | SERVICE_STOP |\n\nStandard rights are shared across all types: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).","25":"An attempt was made to access an object. May catch mass permission changes or tampering. Also catches renaming, and may be noisy (pair with 4660).\n\nThe AccessMask shown assumes **File** access rights (the most common context). The actual meaning of bits 0x01–0x80 depends on the ObjectType at runtime. 
Common alternatives:\n\n| Bit | File | Registry | Process | Service |\n| --- | ---- | -------- | ------- | ------- |\n| 0x01 | ReadData / ListDirectory | KEY_QUERY_VALUE | PROCESS_TERMINATE | SERVICE_QUERY_CONFIG |\n| 0x02 | WriteData / AddFile | KEY_SET_VALUE | PROCESS_CREATE_THREAD | SERVICE_CHANGE_CONFIG |\n| 0x04 | AppendData / AddSubDir | KEY_CREATE_SUB_KEY | PROCESS_SET_SESSIONID | SERVICE_QUERY_STATUS |\n| 0x08 | ReadEA | KEY_ENUMERATE_SUB_KEYS | PROCESS_VM_OPERATION | SERVICE_ENUMERATE_DEPENDENTS |\n| 0x10 | WriteEA | KEY_NOTIFY | PROCESS_VM_READ | SERVICE_START |\n| 0x20 | Execute / Traverse | KEY_CREATE_LINK | PROCESS_VM_WRITE | SERVICE_STOP |\n\nStandard rights are shared across all types: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).\n\n---\n\nBinary Defense post [Windows Defender ACL Blocking: A Silent Technique With Serious Impact](https://binarydefense.com/resources/blog/windows-defender-acl-blocking-a-silent-technique-with-serious-impact) — attackers can modify DACLs on the Windows Defender directory to block the antimalware service from reading its own binaries, silently disabling protection without triggering tamper alerts. Look for WRITE_DAC (0x40000) access to Defender paths paired with 4670 ACL changes.","26":"May alert on golden ticket style attacks.","27":"Kerberos TGT request (consider Pass-the-Ticket, Golden TGT attacks). Requests from a non-interactive source prior to 4769 may indicate ticket replay or Pass-the-Ticket staging.","28":"Tickets for hosts that a user previously hasn't accessed may indicate Pass-the-Ticket or RDP/WMI pivoting. Confirm that the target server is also the host that is contacted, and check for unusual/vulnerable encryption types like RC4 (may indicate [S4U2Proxy](https://docs.specterops.io/ghostpack/rubeus/constrained-delegation-abuse)). Check for movement between services or SPNs, and unusual service names.","29":"May indicate password spraying. 
Pivot on ClientAddress.","30":"This may capture fall-back NTLM use. Note Workstation (does it list the client? If not, this may be NTLM coercion).\n\nThe Status field is an NTSTATUS code indicating the credential validation result:\n\n| Code | Name | Description |\n| ---- | ---- | ----------- |\n| 0x00000000 | STATUS_SUCCESS | Credentials validated successfully |\n| 0xC000006D | STATUS_LOGON_FAILURE | Generic failure (bad username or password) |\n| 0xC0000064 | STATUS_NO_SUCH_USER | Non-existent account |\n| 0xC000006A | STATUS_WRONG_PASSWORD | Incorrect password |\n| 0xC0000234 | STATUS_ACCOUNT_LOCKED_OUT | Account locked out |\n| 0xC0000072 | STATUS_ACCOUNT_DISABLED | Account disabled |\n| 0xC0000193 | STATUS_ACCOUNT_EXPIRED | Account expired |\n| 0xC0000071 | STATUS_PASSWORD_EXPIRED | Password expired |\n| 0xC000006F | STATUS_INVALID_LOGON_HOURS | Outside allowed logon hours |\n| 0xC0000070 | STATUS_INVALID_WORKSTATION | Not allowed from this workstation |\n| 0xC0000224 | STATUS_PASSWORD_MUST_CHANGE | Password must change at next logon |\n| 0xC000005E | STATUS_NO_LOGON_SERVERS | No logon servers available |\n| 0xC00002DB | STATUS_NTLM_BLOCKED | NTLM blocked by policy |","31":"Tracks who is accessing shared folders on the network. Very noisy.","32":"May surface registration of WMI event-based auto-runs that survive reboots.","34":"Detects Administrator or SYSTEM-equivalent sessions at logon time.","35":"Logs direct interaction with objects that require SeSecurity/SeTakeOwnership, ie SAM hives.","36":"Tracks changes to token privileges.","37":"May capture cross-domain privilege escalation in a multi-forest trust.","38":"RawAccessRead, may indicate direct disk reads of ntds.dit, SAM, or page files for offline hash extraction.","39":"May contain Mark of the Web, referrer, and host URL data.","41":"This will show System, Application, and other non-Security logs being cleared. 
Review the event to identify which one.","43":"Generated when token privileges are changed (tracks rights like SeDebugPrivilege, SeLoadDriverPrivilege).","58":"May be seen when a process injects into LSASS.","59":"Requires AuditRegistry/SetValue SACL.","60":"May indicate BloodHound-style LDAP reads.\n\nThis event covers SAM object handle requests. The default bitmask shown uses **SAM_DOMAIN** rights (the most commonly audited SAM object type). Bits 0x01–0x0400 vary by SAM object subtype:\n\n| Bit | SAM_SERVER | SAM_DOMAIN | SAM_GROUP | SAM_ALIAS | SAM_USER |\n| --- | ---------- | ---------- | --------- | --------- | -------- |\n| 0x01 | ConnectToServer | ReadPasswordParameters | ReadInformation | AddMember | ReadGeneralInformation |\n| 0x02 | ShutdownServer | WritePasswordParameters | WriteAccount | RemoveMember | ReadPreferences |\n| 0x04 | InitializeServer | ReadOtherParameters | AddMember | ListMembers | WritePreferences |\n| 0x08 | CreateDomain | WriteOtherParameters | RemoveMember | ReadInformation | ReadLogon |\n| 0x10 | EnumerateDomains | CreateUser | ListMembers | WriteAccount | ReadAccount |\n| 0x20 | LookupDomain | CreateGlobalGroup | — | — | WriteAccount |\n\nStandard rights are shared: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).","62":"A member was removed from a security-enabled global group, may be an effort to slow IR or clean-up after escalation. Security-enabled local group changed, indicates changes to local Administrators or Remote Desktop Users.","63":"May indicate DCShadow or similar lateral movement attacks.","65":"Indicates what process (application path) on the local machine made an outbound connection to a specific destination IP and port. 
Helpful for reviewing connections made by a suspect process.","68":"May indicate an attacker attempting to reduce visibility prior to staging a payload.","69":"Shows the full AD group list for every successful logon (useful to detect changes in privileges).","70":"Permissions on an object were changed, may detect ACL edits on files, registry, or tokens that grant elevated rights.\n\n---\n\nBinary Defense post [Windows Defender ACL Blocking: A Silent Technique With Serious Impact](https://binarydefense.com/resources/blog/windows-defender-acl-blocking-a-silent-technique-with-serious-impact) — attackers can modify DACLs on the Windows Defender directory to block the antimalware service from reading its own binaries, silently disabling protection without triggering tamper alerts. Look for ACL changes targeting Defender paths (e.g. `C:\\ProgramData\\Microsoft\\Windows Defender\\`) paired with 4663 WRITE_DAC access.","71":"Logs use of SeDebugPrivilege (often precedes scraping memory), SeTcbPrivilege.","72":"Backup of a user/computer master key to the DC, rarely seen after first logon. Several events may indicate key theft or mass profile creation.","73":"Prefer 5157 when both are available as it is per-connection.","74":"Credential Manager credentials were read. Large numbers of reads may indicate automated credential theft.","83":"Logs rules that open ports or disable filtering. Attackers may add rules to enable implants to communicate with external servers.","124":"Could be a filesystem, kernel, or registry object. Does not track names, but is generated only during real deletes (pair with 4663).","125":"Pair with 4625 and related IPs during investigation. 
Review Caller_Computer_Name.","128":"Detects Domain Admins or other high-value SIDs logging onto non-DC hosts.","129":"Detects unexpected services binding, often precedes C2 beaconing.","130":"Unexpected binds on high ports may be a prelude to data exfiltration.","134":"Windows LiveId sign-in activity.","135":"Alerts when a copied ticket is reused.","136":"When seen outside of software installation it may indicate payload staging hidden in DPAPI.","137":"Pair with 4694 to identify which user accessed encrypted blobs.","138":"Attackers with Domain Admin may weaken password/lockout requirements to speed credential attacks. May precede password spraying or Kerberos ticket forgery. Pair with 4768 and 4771. Also a prelude to DCShadow or other directory-level attacks.","139":"May indicate DCShadow or similar lateral movement attacks.","140":"Useful for tracing session re-use.","141":"Captures SACL changes to files, registry keys, and services.","142":"Tracks changes to core settings such as disabling a profile (domain, private, public), or default block/allow behavior.","143":"May indicate that malware attempted to load an unsigned or tampered driver/system file.","144":"May be a prelude to data exfiltration. Includes named pipes and IPC$ (confirm if the client address is external/unexpected). May indicate share enumeration and directory walking prior to exfiltration. The RelativeTargetName field may show the original file name and path on the attacker's machine.","145":"Backup of Credential Manager vault, shows a user exporting stored passwords and keys. Often precedes lateral movement or exfiltration.","146":"May indicate removable storage or network adapters to stage tools or exfiltrate data.","148":"Remote desktop services shell start. Occurs when a user successfully establishes a session and the shell starts, confirming a successful interactive logon.","149":"Can be used for remote execution.","150":"These consumers survive reboots. 
WMI abuse is a classic technique for file-less persistence.","157":"Process tampering, detects [process herpaderping](https://jxy-s.github.io/herpaderping).","211":"May indicate download/staging. See this Google Cloud post [Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service](https://cloud.google.com/blog/topics/threat-intelligence/attacker-use-of-windows-background-intelligent-transfer-service)","410":"RDP user auth succeeded, combine with 4624 (successful logon)/4625 (failed logon) to track lateral movement.","473":"MS SQL Server xp_cmdshell execution. See this DFIR Report write-up: [SELECT XMRig FROM SQLServer](https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/)","488":"Application hang, may occur if a TA tool fails to execute as expected.","490":"Surfaces Background Intelligent Transfer Service misuse for exfil or downloads.","497":"Windows LiveId sign-in activity.","498":"Appearing prior to 4624/4776 may indicate unsuccessful coercion probes.","500":"May appear when an attacker re-uses offline profiles or moves tokens between hosts. Correlate with LogonType 7/9 in 4624. [Detecting Credential Stealing Attacks Through Active In-Network Defense](https://www.trellix.com/blogs/research/detecting-credential-stealing-attacks-through-active-in-network-defense)","501":"Logged when NTLM credential validation fails. Pair with 4776 (which logs both successes and failures).\n\nThe Status field is an NTSTATUS code — see Event 4776 for the full code table.","502":"May indicate Pass-the-Hash. Legitimate use occurs during AD password migration operations under SYSTEM or a dedicated migration account.","503":"Attackers that wish to suppress object-access logging can clear/replace the global SACL.","504":"NTLM authentication was blocked because the account is a member of the Protected Users group. 
Protected Users cannot authenticate via NTLM.\n\nThe Status field is an NTSTATUS code:\n\n| Code | Name | Description |\n| ---- | ---- | ----------- |\n| 0xC000006D | STATUS_LOGON_FAILURE | Generic failure |\n| 0xC000006E | STATUS_ACCOUNT_RESTRICTION | Protected User restriction prevented NTLM |","505":"NTLM authentication was blocked by access control restrictions (authentication policy or silo).\n\nThe Status field is an NTSTATUS code:\n\n| Code | Name | Description |\n| ---- | ---- | ----------- |\n| 0xC000006D | STATUS_LOGON_FAILURE | Generic failure |\n| 0xC0000413 | STATUS_AUTHENTICATION_FIREWALL_FAILED | Blocked by authentication policy/silo |","506":"May be a prelude to AD CS abuse, ie, ESC1/ESC5.","507":"May indicate tampering with permissions to issue trusted certificates and impersonate any domain principal. Can detect AD CS abuse techniques, ie ESC1. Any Subject SID that is not NT AUTHORITY\\SYSTEM or approved service identity indicates unauthorized privilege abuse.","508":"Deleting privileged SIDs will prevent Event ID 4964 from firing. Also appears at every reboot, so IR can compare boot-time record against later changes.","509":"If Changes is set to None or Failure include removed, this may be an attempt to hide activity. Pair with 4719, 4902, and 4624 to reconstruct a timeline.","510":"May indicate high-impact changes in AD.","511":"Credential Manager credentials were restored from a backup, may indicate import of stolen vaults from another host.","512":"Large numbers of Reason 16 or 23 from the same IP or MAC indicates bruting of WiFi, VPN, 802.1x portals. Repeat denials for privileged accounts should be investigated.","518":"Indicates system boot, and is a reliable indicator for establishing a timeline.","519":"Indicates system shutdown. An absence of this before 6005 suggests an unexpected shutdown or crash, which may be suspicious.","1742":"Exposes the DPAPI operations (protect/unprotect) and the calling process. Disabled by default. 
See this Google Security blog post: [Detecting browser data theft using Windows Event Logs](https://security.googleblog.com/2024/04/detecting-browser-data-theft-using.html).","3319":"Records changes to a CA ACL, may indicate privilege escalation via addition of rogue accounts. Critical for detecting AD CS abuse.","3720":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3721":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3722":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3723":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3724":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3725":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3726":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3727":"[Legitimate RATs: a comprehensive forensic analysis of the usual 
suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3728":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3729":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3730":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3731":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3732":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3733":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3734":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3735":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3736":"[Legitimate RATs: a comprehensive forensic analysis of the usual 
suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3737":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3738":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3739":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3740":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3741":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3742":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3743":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3744":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3745":"[Legitimate RATs: a comprehensive forensic analysis of the usual 
suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3746":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3747":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3748":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3749":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3750":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3751":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3752":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3753":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3754":"[Legitimate RATs: a comprehensive forensic analysis of the usual 
suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3755":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3756":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3757":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3758":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3759":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3760":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3761":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3762":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3763":"[Legitimate RATs: a comprehensive forensic analysis of the usual 
suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3764":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3765":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3766":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3767":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3768":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3769":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3770":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3771":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3772":"[Legitimate RATs: a comprehensive forensic analysis of the usual 
suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3773":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3774":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3775":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3776":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3777":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3778":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3779":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3780":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3781":"[Legitimate RATs: a comprehensive forensic analysis of the usual 
suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3782":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3783":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3784":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3785":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3786":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3787":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3788":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3789":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3790":"[Legitimate RATs: a comprehensive forensic analysis of the usual 
suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3791":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3792":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3793":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3794":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3795":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3796":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3797":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3798":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3799":"[Legitimate RATs: a comprehensive forensic analysis of the usual 
suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3800":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)","3801":"[Legitimate RATs: a comprehensive forensic analysis of the usual suspects](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html#atera-and-splashtop)"},"rlt":{"0":[[0,0],[1,1],[2,2],[3,3],[4,4],[5,5],[6,6],[7,7],[8,8],[9,9],[10,10],[11,11],[12,12],[13,13]],"1":[[36,35],[12,12],[13,13],[37,36]],"2":[[45,44],[46,45],[47,46],[48,47],[49,48],[50,49],[51,50]],"3":[[60,59]],"4":[[74,73]],"5":[[76,75],[77,76]],"6":[[81,80]],"7":[[87,86],[88,87],[89,88]],"8":[[97,96]],"9":[[101,100],[87,86],[102,101],[103,102],[50,49],[104,103],[105,104],[106,105],[107,106],[108,107]],"10":[[50,49]],"11":[[144,143],[145,144],[146,145],[147,146],[148,147],[149,148],[150,149],[151,150],[152,151],[153,152],[154,153],[155,154],[156,155],[157,156],[158,157],[159,158],[160,158],[161,159],[162,160],[163,161],[164,162],[165,163],[166,164],[167,165],[168,166],[169,167],[170,168],[171,169],[172,170],[173,171],[174,172],[175,173],[176,174],[177,175],[178,176],[179,177],[180,178],[181,179],[182,180],[183,181],[184,182],[185,183],[186,184],[187,185],[188,186],[189,187],[190,188],[191,189],[192,190],[193,191],[194,192],[195,193],[196,194],[197,195],[198,196],[199,197],[200,198],[201,199],[202,200],[203,201],[204,202],[205,203],[206,204],[207,205],[208,206],[209,207],[210,208],[211,209],[212,210],[213,211],[214,212],[215,213],[216,214],[217,215],[218,216],[219,217],[220,218],[221,219],[222,220],[223,221],[224,222],[225,223],[226,224],[227,225],[228,226],[229,227],[230,228],[231,229],[232,230],[233,231],[234,232],[235,233],[236,234],[237,235],[238,236],[239,237],[240,238],[24
1,239]],"12":[[278,276],[279,277],[280,278],[281,279],[282,280],[283,281],[284,282],[285,283],[286,283],[287,284],[288,285]],"13":[[298,295]],"14":[[301,298],[302,299],[303,300],[304,301],[305,302],[306,303],[307,304],[308,305],[309,306],[310,307],[311,308],[312,309],[313,310],[314,311],[315,312],[316,313],[317,314],[318,315],[319,316],[320,317],[321,318],[322,319],[323,320],[324,321],[325,322],[326,323],[327,324],[328,325],[329,326],[330,327],[331,328],[332,329],[333,330],[334,328],[335,331],[336,332],[337,333],[338,334],[339,335],[340,336],[341,337],[342,338],[343,339],[344,340],[345,341],[346,342],[347,343],[348,344],[349,345],[350,329],[351,346],[352,347],[353,348],[354,349],[355,350],[356,351],[357,352],[358,353],[359,354],[360,355],[361,356],[362,357],[363,358],[364,359],[365,360],[366,361],[367,362],[368,363],[369,364],[370,365],[371,366],[372,367],[373,368],[374,369],[375,370],[376,371],[377,372],[378,373],[379,374],[380,375],[381,376],[382,377],[383,378],[384,379],[385,380],[386,381],[387,382],[388,383],[389,384],[390,385],[391,386],[392,387],[393,388],[394,389],[395,390],[396,391],[397,392],[398,393],[399,394],[400,395],[401,396],[402,397],[403,398],[404,399],[405,400],[406,401],[407,402],[408,403],[409,404],[410,405],[411,406],[412,407],[413,408],[414,409],[415,409],[416,410],[417,411],[418,412],[419,413],[420,414],[421,415],[422,383],[423,416],[424,417],[425,418],[426,419],[427,420],[428,421],[429,422],[430,423],[431,424],[432,425],[433,426],[434,427],[435,428],[436,429],[437,430],[438,431],[439,432],[440,433],[441,434],[442,435],[443,436],[444,437],[445,438],[446,439],[447,440],[448,422],[449,441],[450,442],[451,443],[452,444],[453,445],[454,446],[455,447],[456,448],[457,449],[458,450],[459,451],[460,452],[461,453],[462,366]],"15":[[584,575],[585,576],[586,577],[587,578],[588,579],[589,580],[590,581],[591,582],[592,583],[593,584],[594,585],[595,586],[596,587],[597,588],[598,589],[599,590],[600,591],[601,592],[602,593],[603,594],[604,595],[605,596],[606,
597],[607,598],[608,599],[609,600],[610,601],[611,602],[612,603],[613,604],[614,605],[615,606],[616,607],[617,608],[618,609],[619,610],[620,611],[621,612],[622,613],[623,614],[624,615],[625,616],[626,617],[627,618],[628,619],[629,620],[630,621],[631,622],[632,623],[633,624],[634,625],[635,626],[636,627],[637,628],[638,629],[639,630],[640,631],[641,632],[642,633],[643,634],[644,635],[645,636],[646,637],[647,638],[648,639],[649,640],[650,641],[651,642],[652,643],[653,644],[654,645],[655,646],[656,647],[657,648],[658,649],[659,650],[660,651],[661,652],[662,653],[663,654],[664,655],[665,656],[666,657],[667,658],[668,659],[669,660],[670,661],[671,662],[672,347],[673,663],[674,349],[675,350],[676,351],[677,353],[678,354],[679,355],[680,357],[681,664],[682,665],[683,666],[684,667],[685,668],[686,669],[687,670],[688,671],[689,672],[690,673],[691,674],[692,675],[693,676],[694,677],[695,678],[696,679],[697,680],[698,681],[699,682],[700,683],[701,684],[702,685],[703,686],[704,687],[705,688],[706,689],[707,690],[708,691],[709,692],[710,693],[711,694],[712,695],[713,696],[714,697],[715,698],[716,699],[717,700],[718,701],[719,702],[720,703],[721,704],[722,705],[723,706],[724,707],[725,708],[726,709],[727,710],[728,711],[729,712],[730,713],[731,714],[732,715],[733,716],[734,717],[735,155],[736,718],[737,719],[738,720],[739,721],[740,722],[741,723],[742,222],[743,724],[744,725],[745,726],[746,727],[747,728],[748,729],[749,730],[750,731],[751,732],[752,733],[753,734],[754,735],[755,736],[756,737],[757,738],[758,739],[759,740],[760,741],[761,742],[762,743],[763,744],[764,745],[765,746],[766,747],[767,748],[768,305],[769,749],[770,750],[771,751],[772,752],[773,753],[774,754],[775,755],[776,756],[777,757],[778,758],[779,759],[780,760],[781,761],[782,762],[783,763],[784,764],[785,765],[786,326],[787,766],[788,767],[789,768],[790,327],[791,769],[792,330],[793,770],[794,771],[795,772],[796,773],[797,774],[798,775],[799,776],[800,777],[801,778],[802,382],[803,344],[804,409],[805,360],[806,
361],[807,779],[808,780],[809,781],[810,782],[811,783],[812,784],[813,785],[814,786],[815,430],[816,787],[817,788],[818,789],[819,790],[820,453],[821,433],[822,791],[823,792],[824,793],[825,794],[826,795],[827,796],[828,797],[829,798],[830,799],[831,800],[832,801],[833,802],[834,803],[835,804],[836,805],[837,806],[838,807],[839,808],[840,809],[841,810],[842,811],[843,812],[844,813],[845,814],[846,815],[847,816],[848,817],[849,818],[850,819],[851,820],[852,821],[853,822],[854,823],[855,824],[856,825],[857,334],[858,391],[859,826],[860,827],[861,828],[862,829],[863,830],[864,831],[865,832],[866,833],[867,834],[868,835],[869,836],[870,837],[871,838],[872,839],[873,840],[874,841],[875,842],[876,843],[877,844],[878,845],[879,846],[880,847],[881,848],[882,849],[883,850],[884,851],[885,852],[886,853],[887,854],[888,855],[889,856],[890,857],[891,858],[892,859],[893,860],[894,861],[895,862],[896,863],[897,864],[898,865],[899,866],[900,867],[901,868],[902,869],[903,870],[904,871],[905,872],[906,873],[907,874],[908,875],[909,876],[910,877],[911,878],[912,879],[913,880],[914,881],[915,882],[916,883],[917,884],[918,885],[919,886],[920,887],[921,888],[922,889],[923,890],[924,891],[925,892],[926,893],[927,894],[928,895],[929,896],[930,897],[931,898],[932,899],[933,900],[934,901],[935,902],[936,903],[937,904],[938,905],[939,906],[940,907],[941,908],[942,909],[943,910],[944,911],[945,912],[946,913],[947,914],[948,915],[949,916],[950,917],[951,918],[952,919],[953,920],[954,920],[955,920],[956,920],[957,921],[958,922],[959,923],[960,924],[961,925],[962,926],[963,927],[964,928],[965,929],[966,930],[967,931],[968,932],[969,933],[970,934],[971,935],[972,936],[973,937],[974,938],[975,939],[976,940],[977,941],[978,942],[979,444],[980,943],[981,944],[982,945],[983,946],[984,947],[985,948],[986,949],[987,950],[988,951],[989,952],[990,953],[991,954],[992,955],[993,956],[994,957],[995,958],[996,959],[997,960],[998,961],[999,962],[1000,963],[1001,964],[1002,965],[1003,966],[1004,967],[1005,968]
,[1006,969],[1007,970],[1008,971],[1009,972],[1010,973],[1011,974],[1012,975],[1013,976],[1014,977],[1015,978],[1016,979],[1017,980],[1018,981],[1019,982],[1020,983],[1021,984],[1022,985],[1023,986],[1024,987],[1025,988],[1026,989],[1027,990],[1028,991],[1029,992],[1030,993],[1031,994],[1032,995],[1033,996],[1034,997],[1035,998],[1036,999],[1037,1000],[1038,1001],[1039,1002],[1040,1003],[1041,1004],[1042,1005],[1043,1006],[1044,1007],[1045,1008],[1046,1009],[1047,1010],[1048,1011],[1049,1012],[1050,1013],[1051,1014],[1052,1015],[1053,1016],[1054,1017],[1055,1018],[1056,1019],[1057,1020],[1058,1021],[1059,1022],[1060,1023],[1061,1024],[1062,1025],[1063,1026],[1064,1027],[1065,1028],[1066,1029],[1067,1030],[1068,1031],[1069,1032],[1070,1033],[1071,1034],[1072,1035],[1073,1036],[1074,1037],[1075,1038],[1076,1039]],"16":[[1096,1059]],"17":[[1097,1060]],"18":[[104,103]],"19":[[1103,1066],[1104,1067],[1105,1068],[103,102],[1106,1069],[1107,1070],[1108,1071],[1109,1072],[1110,1073],[1111,1074],[1112,1075],[106,105],[1113,1076],[1114,1077],[1115,1078],[1116,1079],[1117,1080]],"20":[[1124,1087],[1125,1024],[1126,1088],[1127,1089],[584,575],[1128,1090],[1129,1091],[1130,1092],[1131,1093],[1132,1093],[1133,1094],[585,576],[586,577],[587,578],[588,579],[589,580],[590,581],[1134,1095],[1135,1096],[1136,1097],[591,582],[1137,1098],[1138,1099],[592,583],[1139,1100],[1140,1101],[1141,1102],[1142,1103],[1143,1104],[593,584],[594,585],[595,586],[1144,1105],[1145,1106],[1146,1107],[1147,1108],[1148,1109],[1149,1110],[596,587],[597,588],[598,589],[599,590],[600,591],[601,592],[602,593],[603,594],[1150,1111],[604,595],[1151,1112],[1152,1113],[1153,1114],[1154,1115],[1155,1116],[1156,1117],[1157,1118],[1158,1119],[1159,1120],[1160,1121],[1161,1122],[1162,1123],[1163,1124],[1164,1125],[1165,1126],[1166,1127],[1167,1128],[1168,1129],[605,596],[1169,1130],[1170,1131],[1171,1132],[606,597],[1172,1133],[607,598],[608,599],[1173,1134],[1174,1135],[1175,1136],[609,600],[1176,1137],[1177,1138],[
1178,1139],[610,601],[611,602],[1179,1140],[1180,1141],[612,603],[1181,1142],[613,604],[614,605],[1182,1143],[1183,1144],[615,606],[1184,1145],[1185,1146],[616,607],[1186,1147],[617,608],[618,609],[619,610],[620,611],[1187,1148],[1188,1149],[1189,1150],[621,612],[622,613],[1190,1151],[1191,1152],[623,614],[1192,1153],[624,615],[1193,1154],[1194,1155],[1195,1156],[1196,1157],[1197,1158],[1198,1159],[1199,1160],[1200,1161],[1201,1162],[1202,1163],[1203,1164],[1204,1165],[1205,1166],[1206,1167],[1207,1168],[1208,1169],[1209,1170],[1210,1171],[1211,1172],[1212,1173],[625,616],[1213,1174],[626,617],[627,618],[1214,1175],[628,619],[629,620],[1215,1176],[630,621],[1216,1177],[631,622],[632,623],[1217,1178],[633,624],[634,625],[1218,1179],[1219,1180],[1220,1181],[1221,1182],[635,626],[636,627],[637,628],[638,629],[639,630],[640,631],[641,632],[1222,1183],[1223,1184],[1224,1185],[1225,1186],[1226,1187],[1227,1188],[1228,1189],[1229,1190],[642,633],[1230,1191],[1231,1192],[1232,1193],[1233,1194],[643,634],[1234,1195],[1235,1196],[1236,1197],[644,635],[645,636],[646,637],[647,638],[1237,1198],[1238,1199],[1239,1200],[1240,1201],[1241,1202],[1242,1203],[648,639],[1243,1204],[1244,1205],[1245,1206],[1246,1207],[1247,1208],[1248,1209],[1249,1210],[1250,1211],[649,640],[1251,1212],[1252,1213],[1253,1214],[1254,1215],[1255,1216],[650,641],[1256,1217],[1257,1218],[651,642],[1258,1219],[1259,1220],[1260,1221],[1261,1222],[652,643],[653,644],[1262,1223],[654,645],[655,646],[1263,1224],[1264,1225],[656,647],[1265,1226],[657,648],[1266,1227],[658,649],[1267,1228],[1268,1229],[1269,1230],[1270,1231],[1271,1232],[1272,1233],[1273,1234],[659,650],[660,651],[661,652],[662,653],[1274,1235],[1275,1236],[663,654],[1276,1237],[1277,1238],[1278,1239],[1279,1240],[664,655],[665,656],[666,657],[1280,1241],[1281,1242],[1282,1243],[1283,1244],[667,658],[668,659],[669,660],[670,661],[1284,1245],[671,662],[1285,1246],[1286,1247],[672,347],[673,663],[674,349],[675,350],[676,351],[677,353],[678,354],[67
9,355],[680,357],[1287,1248],[1288,1249],[1289,1250],[1290,1251],[1291,1252],[681,664],[1292,1253],[682,665],[683,666],[684,667],[1293,1254],[685,668],[1294,1255],[1295,1256],[686,669],[687,670],[688,671],[689,672],[1296,1257],[1297,1258],[1298,1259],[1299,1260],[1300,1261],[1301,1262],[1302,1263],[1303,1264],[1304,1265],[1305,1266],[1306,1267],[1307,1268],[1308,1269],[1309,1270],[1310,936],[690,673],[1311,1271],[691,674],[692,675],[1312,1272],[1313,1273],[1314,1274],[1315,1275],[1316,1276],[1317,1277],[693,676],[694,677],[1318,1278],[695,678],[696,679],[697,680],[1319,1279],[698,681],[699,682],[1320,1280],[1321,1281],[1322,1282],[1323,1283],[1324,1284],[1325,1285],[1326,1286],[1327,1287],[1328,1288],[700,683],[1329,1289],[701,684],[1330,1290],[702,685],[1331,1291],[703,686],[704,687],[705,688],[706,689],[707,690],[708,691],[1332,1292],[1333,1293],[709,692],[1334,1294],[710,693],[1335,1295],[1336,1296],[1337,1297],[1338,1298],[1339,1299],[711,694],[1340,1300],[1341,1301],[1342,1302],[712,695],[713,696],[714,697],[1343,1303],[715,698],[1344,926],[1345,1304],[1346,1305],[716,699],[1347,1306],[717,700],[1348,1307],[718,701],[1349,1308],[719,702],[720,703],[721,704],[722,705],[1350,1309],[1351,706],[723,706],[724,707],[725,708],[1352,1310],[726,709],[1353,1311],[727,710],[728,711],[729,712],[1354,1312],[1355,1313],[730,713],[731,714],[732,715],[733,716],[1356,1314],[734,717],[1357,1315],[1358,1316],[735,155],[1359,1317],[736,718],[737,719],[1360,1318],[1361,1319],[1362,1320],[1363,1321],[1364,1322],[738,720],[739,721],[1365,1323],[740,722],[1366,1324],[741,723],[1367,1325],[1368,1326],[742,222],[1369,1327],[1370,1328],[1371,1329],[743,724],[1372,1330],[1373,1331],[1374,1332],[1375,1333],[1376,1334],[744,725],[1377,1335],[745,726],[1378,1336],[1379,1337],[1380,1338],[1381,1339],[1382,1340],[746,727],[1383,727],[1384,1341],[1385,1342],[747,728],[1386,1343],[1387,1344],[1388,1345],[1389,1346],[1390,1347],[1391,1348],[748,729],[1392,1349],[749,730],[1393,1350],[1394,1351],[
1395,1352],[1396,1352],[750,731],[751,732],[1397,1353],[1398,416],[1399,1354],[1400,1355],[1401,1356],[1402,1357],[1403,1358],[1404,1359],[1405,1360],[1406,1361],[1407,1362],[1408,1363],[1409,1364],[1410,1365],[1411,1366],[1412,1367],[1413,1368],[1414,1369],[1415,1370],[1416,936],[1417,1371],[1418,1372],[1419,1373],[1420,1374],[1421,1375],[1422,1376],[1423,1377],[1424,1377],[752,733],[753,734],[754,735],[755,736],[1425,1378],[1426,1379],[756,737],[1427,1380],[1428,1381],[1429,1382],[1430,1383],[1431,1384],[1432,1385],[1433,1386],[757,738],[1434,1387],[1435,1388],[1436,1389],[758,739],[1437,1390],[759,740],[760,741],[761,742],[762,743],[763,744],[1438,1391],[1439,1392],[1440,1393],[1441,1394],[764,745],[1442,1395],[1443,1396],[765,746],[1444,1397],[1445,1398],[766,747],[1446,1399],[1447,298],[1448,300],[1449,302],[767,748],[768,305],[769,749],[1450,1400],[1451,1401],[770,750],[771,751],[1452,1402],[772,752],[1453,1403],[773,753],[774,754],[775,755],[1454,1404],[776,756],[777,757],[778,758],[1455,1405],[1456,1406],[1457,1407],[1458,1408],[1459,1409],[1460,314],[779,759],[780,760],[781,761],[1461,1410],[782,762],[783,763],[1462,1411],[1463,1412],[784,764],[785,765],[786,326],[787,766],[788,767],[789,768],[1464,1413],[1465,1414],[790,327],[791,769],[792,330],[793,770],[1466,1415],[794,771],[795,772],[796,773],[797,774],[798,775],[799,776],[800,777],[1467,422],[801,778],[802,382],[803,344],[1468,345],[804,409],[1469,1416],[1470,1417],[1471,1418],[805,360],[806,361],[807,779],[1472,1419],[808,780],[809,781],[810,782],[811,783],[1473,1420],[812,784],[813,785],[814,786],[1474,1421],[1475,1422],[1476,1423],[1477,387],[1478,1424],[1479,1425],[815,430],[1480,1426],[1481,1427],[816,787],[817,788],[1482,1428],[818,789],[819,790],[1483,1429],[1484,439],[1485,1430],[820,453],[1486,1431],[821,433],[1487,1432],[1488,1433],[822,791],[823,792],[1489,1434],[824,793],[825,794],[826,795],[1490,1435],[827,796],[1491,1436],[828,797],[1492,1437],[1493,1438],[1494,1439],[829,798],[830,799],[
831,800],[1495,1440],[1496,1441],[1497,1442],[832,801],[1498,1443],[1499,1444],[1500,1445],[1501,1446],[833,802],[1502,1447],[834,803],[1503,1448],[1504,1449],[1505,1450],[835,804],[1506,1451],[1507,1452],[1508,1453],[1509,1454],[1510,1455],[1511,1456],[1512,1457],[1513,1458],[1514,1459],[836,805],[837,806],[1515,1460],[1516,1461],[838,807],[1517,1462],[1518,1463],[839,808],[1519,1464],[1520,1465],[840,809],[841,810],[842,811],[843,812],[844,813],[845,814],[1521,1466],[846,815],[1522,1467],[1523,1468],[1524,1469],[847,816],[1525,1470],[848,817],[849,818],[850,819],[1526,1471],[1527,1472],[1528,1473],[1529,1474],[1530,1475],[1531,1476],[851,820],[1532,1477],[1533,1478],[852,821],[1534,1479],[853,822],[854,823],[1535,365],[855,824],[1536,1480],[1537,1481],[856,825],[857,334],[858,391],[1538,1482],[1539,1483],[859,826],[1540,1484],[860,827],[1541,1485],[1542,1486],[1543,1487],[1544,1488],[1545,1489],[1546,1490],[1547,1491],[861,828],[1548,1492],[1549,1493],[862,829],[863,830],[1550,1494],[864,831],[865,832],[866,833],[867,834],[868,835],[869,836],[870,837],[871,838],[872,839],[873,840],[874,841],[1551,1495],[1552,1496],[1553,1497],[875,842],[1554,1498],[1555,1499],[1556,1500],[876,843],[1557,1501],[1558,850],[877,844],[1559,1502],[878,845],[1560,850],[1561,850],[1562,850],[879,846],[880,847],[1563,850],[1564,1503],[1565,1504],[1566,1505],[1567,850],[881,848],[1568,1506],[1569,1507],[882,849],[883,850],[884,851],[885,852],[1570,850],[886,853],[1571,1508],[1572,1509],[1573,1510],[1574,1511],[1575,1511],[1576,1512],[1577,1513],[1578,1514],[1579,1515],[1580,1516],[1581,1517],[1582,1518],[1583,1519],[1584,1520],[1585,1521],[1586,1522],[1587,1523],[1588,1524],[1589,1525],[1590,1526],[1591,1527],[1592,1528],[1593,1529],[1594,1530],[1595,1531],[887,854],[1596,1532],[1597,1533],[1598,1534],[1599,1535],[1600,1536],[1601,1537],[1602,1538],[1603,1539],[1604,1540],[1605,1541],[1606,1542],[1607,1543],[888,855],[1608,1544],[1609,1545],[889,856],[890,857],[1610,1546],[1611,1547],[1612
,1548],[1613,1549],[1614,1550],[891,858],[1615,1551],[1616,1552],[1617,1553],[1618,1554],[1619,1555],[1620,1556],[1621,1557],[892,859],[1622,1558],[893,860],[894,861],[1623,1559],[1624,1560],[1625,1561],[1626,1562],[1627,1563],[1628,1564],[895,862],[1629,1565],[896,863],[897,864],[1630,1566],[898,865],[1631,1567],[1632,1568],[1633,1569],[1634,1570],[1635,1571],[899,866],[900,867],[1636,1572],[901,868],[902,869],[903,870],[904,871],[905,872],[906,873],[907,874],[908,875],[1637,1573],[1638,1574],[909,876],[1639,1575],[1640,1576],[1641,1577],[1642,1578],[1643,1579],[1644,1580],[1645,1581],[1646,1582],[1647,1583],[910,877],[911,878],[1648,1584],[912,879],[1649,1585],[1650,1586],[913,880],[914,881],[1651,1587],[1652,1588],[915,882],[916,883],[1653,1589],[1654,1590],[917,884],[918,885],[919,886],[920,887],[921,888],[922,889],[923,890],[1655,1591],[924,891],[925,892],[1656,1592],[1657,1593],[926,893],[927,894],[928,895],[1658,1594],[929,896],[930,897],[931,898],[932,899],[1659,1595],[933,900],[934,901],[935,902],[936,903],[1660,1596],[937,904],[938,905],[939,906],[1661,309],[1662,1597],[940,907],[1663,1598],[941,908],[1664,1599],[942,909],[943,910],[1665,1600],[944,911],[1666,299],[1667,1601],[1668,1602],[1669,1603],[945,912],[946,913],[947,914],[948,915],[1670,1604],[949,916],[950,917],[1671,1605],[951,918],[1672,1606],[1673,1607],[952,919],[953,920],[954,920],[955,920],[956,920],[957,921],[958,922],[1674,1608],[1675,1609],[959,923],[960,924],[1676,1610],[961,925],[962,926],[963,927],[964,928],[965,929],[966,930],[967,931],[1677,1611],[968,932],[969,933],[1678,1612],[1679,1613],[1680,1614],[970,934],[971,935],[972,936],[973,937],[974,938],[975,939],[976,940],[977,941],[978,942],[979,444],[1681,1615],[980,943],[981,944],[982,945],[983,946],[984,947],[1682,1616],[1683,1617],[1684,1618],[985,948],[986,949],[987,950],[1685,309],[988,951],[989,952],[1686,1619],[990,953],[991,954],[1687,1620],[992,955],[993,956],[994,957],[995,958],[996,959],[1688,1621],[1689,1622],[1690,1623],
[1691,1624],[997,960],[998,961],[1692,1625],[999,962],[1000,963],[1693,1626],[1001,964],[1694,1627],[1002,965],[1003,966],[1004,967],[1005,968],[1006,969],[1007,970],[1695,1628],[1696,1629],[1008,971],[1009,972],[1697,1630],[1698,1631],[1699,1632],[1010,973],[1700,1633],[1701,1634],[1011,974],[1012,975],[1013,976],[1702,1635],[1014,977],[1015,978],[1703,1636],[1016,979],[1704,1637],[1705,1638],[1706,1639],[1707,1640],[1708,1641],[1017,980],[1709,1642],[1710,1643],[1711,1644],[1018,981],[1712,1645],[1713,1646],[1019,982],[1020,983],[1714,1647],[1715,1648],[1021,984],[1716,1649],[1022,985],[1023,986],[1024,987],[1717,1650],[1025,988],[1026,989],[1718,1651],[1027,990],[1719,1652],[1720,1653],[1721,1654],[1028,991],[1029,992],[1030,993],[1031,994],[1032,995],[1722,1655],[1723,1656],[1724,1657],[1033,996],[1034,997],[1725,1658],[1035,998],[1036,999],[1037,1000],[1726,1659],[1727,1660],[1728,1661],[1038,1001],[1729,1662],[1039,1002],[1040,1003],[1730,1663],[1041,1004],[1731,1664],[1042,1005],[1732,1665],[1043,1006],[1044,1007],[1733,1666],[1734,1667],[1735,1668],[1045,1008],[1736,1669],[1737,1670],[1738,1671],[1046,1009],[1739,1672],[1740,1673],[1047,1010],[1741,1674],[1742,1675],[1048,1011],[1049,1012],[1743,1676],[1744,1677],[1745,1678],[1746,1679],[1747,1678],[1050,1013],[1051,1014],[1052,1015],[1748,1680],[1749,1681],[1053,1016],[1750,1682],[1751,1683],[1752,1684],[1054,1017],[1055,1018],[1753,1685],[1754,1686],[1755,1687],[1756,338],[1757,1688],[1758,1689],[1759,1690],[1760,1691],[1761,1692],[1762,1693],[1056,1019],[1763,1694],[1764,1695],[1765,1696],[1766,1697],[1767,1698],[1768,1699],[1769,1700],[1057,1020],[1770,1701],[1058,1021],[1059,1022],[1771,1702],[1060,1023],[1061,1024],[1772,1703],[1062,1025],[1773,1704],[1063,1026],[1064,1027],[1774,1705],[1775,1706],[1776,1707],[1777,1708],[1778,1709],[1779,1710],[1780,1711],[1781,1712],[1782,1713],[1783,1714],[1784,1715],[1785,1716],[1786,1717],[1787,1718],[1788,1719],[1789,1720],[1790,1721],[1791,1722],[1065,1028],[179
2,1723],[1793,1724],[1066,1029],[1794,1725],[1067,1030],[1795,1726],[1068,1031],[1069,1032],[1070,1033],[1071,1034],[1796,1727],[1072,1035],[1797,1728],[1073,1036],[1798,1729],[1799,1730],[1800,1731],[1074,1037],[1075,1038],[1801,1732],[1076,1039]],"21":[[1844,612],[1845,1774],[1846,1775],[1847,1776],[1848,1777],[1849,1778],[1850,1779],[1851,1780],[1852,1781],[1853,1782],[1854,1783],[1855,1784],[1856,1785],[1857,1786],[1858,1787],[1859,1788],[1860,1789],[1861,1790],[1862,1791],[1863,1792],[1864,1793],[1865,1794],[1866,1795]],"22":[[1887,1816],[1888,1817],[1889,1818],[1890,1819],[1891,1820],[1892,1821],[1893,1822],[1894,1823],[1895,1824],[1896,1825],[1897,1826],[1898,1827],[1899,1828],[1900,1829],[1901,1830],[1902,1831],[1903,1832]],"23":[[1914,1843]],"24":[[1917,1846],[1918,1847],[1919,1848],[1920,1849],[1921,1850],[1922,1851],[1923,1852],[1924,1853],[1925,1854],[1926,1855],[1927,1856],[1928,1857]],"25":[[1917,1846],[1918,1847],[1919,1848],[1930,1859],[1920,1849],[1921,1850],[1931,1860],[1924,1853],[1932,1861],[1926,1855],[1927,1856],[1933,1862],[1934,1863],[1928,1857]],"26":[[1952,1881]],"27":[[1955,1884],[1956,1885],[1957,1886]],"28":[[1966,1896],[1957,1886],[1967,1897]],"29":[[1957,1886]],"30":[[12,12],[13,13],[37,36]],"31":[[1980,1910]],"32":[[1982,1912],[1983,1913],[1984,1914]],"33":[[1986,1916],[1987,1917],[1988,347],[1989,1918],[1990,349],[1991,350],[1992,351],[1993,352],[1994,353],[1995,354],[1996,355],[1997,356],[1998,357],[1999,1919],[2000,1920],[2001,1921],[2002,1922],[2003,1923],[2004,1924],[2005,1925],[2006,1926],[2007,1927],[2008,1928],[2009,1929],[2010,1930],[2011,1931],[2012,1932],[2013,1933],[2014,1934],[2015,1935],[2016,1936],[2017,1937],[2018,1938],[2019,1939],[2020,1940],[2021,1941],[2022,1942],[2023,1943],[2024,1944],[2025,1945],[2026,1946]],"35":[[2041,1961]],"36":[[2043,1963]],"38":[[2046,1966]],"39":[[2049,1969],[2050,1970],[2051,1971],[2052,1971],[2053,1972],[2054,1973],[2055,1974],[2056,1975],[2057,1976]],"40":[[2061,1980],[2062,1981]],"41"
:[[2063,295],[2064,1983]],"42":[[2065,1916],[2066,1984],[2067,347],[2068,1918],[2069,349],[2070,350],[2071,351],[2072,352],[2073,353],[2074,354],[2075,355],[2076,356],[2077,357],[2078,1920],[2079,1985],[2080,1921],[2081,1986],[2082,1923],[2083,1934],[2084,1937],[2085,1987]],"44":[[2089,1991],[97,96],[2090,1992],[2091,1993]],"45":[[2094,1996]],"46":[[1952,1881]],"47":[[2096,1998]],"48":[[2098,2000],[2099,2001],[2100,2002],[2101,2003],[2102,2004],[2103,2005],[2104,2006],[2105,2007],[2106,2008],[2107,2009],[2108,2010],[2109,2011],[2110,2012],[2111,2013],[2112,2014],[2113,2015],[2114,2016],[2115,2017],[2116,2018],[2117,2019],[2118,2020],[2119,2021],[2120,2022],[2121,2023],[2122,2024],[2123,2025],[2124,2026],[2125,2027],[2126,2028],[2127,2029],[2128,2030],[2129,2031],[2130,2032],[2131,2033],[2132,2034],[2133,2035],[2134,2036],[2135,2037],[2136,2038],[2137,2039],[2138,2040],[2139,2041],[2140,2042],[2141,2043],[2142,2044],[2143,2045],[2144,2046],[2145,2047],[2146,2048],[2147,2049],[2148,2050]],"49":[[2158,2060],[2159,1437],[2160,850],[2161,2061],[2162,2062],[2163,2063],[2164,2064],[2165,2065],[2166,2066],[2167,2067],[2168,2068],[2169,2069],[2170,825],[2171,2070],[2172,2071],[2173,2072],[2174,2073],[2175,2074],[2176,2075],[2177,2076],[2178,2077],[2179,2078],[2180,2079],[2181,2080],[2182,2081],[2183,2082],[2184,2083],[2185,850],[2186,2084],[2187,2085],[2188,2086],[2189,2087],[2190,2088],[2191,2089],[2192,2090],[2193,2091],[2194,2092],[2195,2093],[2196,2094],[2197,2095],[2198,2096],[2199,2097],[2200,2098],[2201,2099],[2202,2100],[2203,2101],[2204,2102],[2205,2103],[2206,2104],[2207,2105],[2208,2106],[2209,2107],[2210,2108],[2211,2109],[2212,2110],[2213,2111],[2214,2112],[2215,2113],[2216,2114],[2217,2115],[2218,2116],[2219,2117],[2220,2118],[2221,2119],[2222,2120],[2223,2121],[2224,2122],[2225,2123],[2226,2124],[2227,2125],[2228,2126],[2229,2127],[2230,2125],[2231,2128],[2232,2129],[2233,2130],[2234,2131],[2235,2132],[2236,2133],[2237,2134],[2238,2135],[2239,2136],[2240,2137]
,[2241,2138],[2242,2139],[2243,2140],[2244,2141],[2245,2142],[2246,2143],[2247,2144],[2248,2145],[2249,2146],[2250,850],[2251,2147],[2252,2148],[2253,2149],[2254,2150],[2255,2151],[2256,2152],[2257,2153],[2258,2154],[2259,2155],[2260,2156],[2261,2157],[2262,2158],[2263,2159],[2264,2160],[2265,2161],[2266,2162],[2267,2163],[2268,2164],[2269,2165],[2270,2166],[2271,2167],[2272,929],[2273,2168],[2274,2169],[2275,2170],[2276,2171],[2277,2172],[2278,2173],[2279,2174],[2280,2175],[2281,2176],[2282,2177],[2283,2178],[2284,2179],[2285,2180],[2286,2181],[2287,2182],[2288,2183],[2289,2184],[2290,2185],[2291,2186],[2292,2187],[2293,2188],[2294,2189],[2295,2190],[2296,2191],[2297,2192],[2298,2193],[2299,2194],[2300,2195],[2301,2196],[2302,2197],[2303,992],[2304,2198],[2305,2199],[2306,2200],[2307,996],[2308,997],[2309,1658],[2310,1659],[2311,1660],[2312,2201],[2313,2202],[2314,2203],[2315,2204],[2316,2205],[2317,2206],[2318,1020],[2319,2207],[2320,2208],[2321,238],[2322,2209],[2323,2210]],"50":[[2385,2272],[2386,2273],[2387,2274],[2388,612],[2389,2275],[2390,2276],[2391,2277],[2392,2278],[2393,2279],[2394,2280],[2395,2281],[2396,2282],[2397,2283],[2398,2284],[2399,2285],[2400,2286],[2401,2287],[2402,2288],[2403,2289],[2404,2290],[2405,2291],[2406,2292],[2407,2293],[2408,2294],[2409,2295],[2410,2296],[2411,2297],[2412,608],[2413,2298],[2414,2299],[2415,2300],[2416,2301],[2417,2302]],"51":[[2386,2273],[2387,2274],[2388,612],[2389,2275],[2390,2276],[2391,2277],[2392,2278],[2393,2279],[2394,2280],[2395,2281],[2396,2282],[2397,2283],[2398,2284],[2399,2285],[2400,2286],[2401,2287],[2402,2288],[2403,2289],[2404,2290],[2405,2291],[2406,2292],[2407,2293],[2408,2294],[2409,2295],[2410,2296],[2411,2297],[2412,608],[2413,2298],[2414,2299],[2415,2300],[2416,2301],[2417,2302],[2430,2315],[2431,2316],[2432,2317],[2433,2318],[2434,2319],[2435,2320],[2436,2321],[2437,2322],[2438,2322],[2439,2322],[2440,2322],[2441,2322],[2442,2322],[2443,2322],[2444,2322],[2445,2322],[2446,2322],[2447,2322],[24
48,2322],[2449,2322],[2450,2323],[2451,2324],[2452,2325],[2453,2326],[2454,2327],[2455,2328],[2456,2329],[2457,2330],[2458,2331],[2459,2332],[2460,2333],[2461,2334],[2462,2335],[2463,2336],[2464,2337],[2465,2338],[2466,2339],[2467,2340],[2468,2341],[2469,2342],[2470,2343],[2471,2344],[2472,2345],[2473,2346],[2474,2347],[2475,2348],[2476,2349],[2477,2350],[2478,2351],[2479,2352],[2480,2353],[2481,2354],[2482,2355],[2483,2356],[2484,2357],[2485,2358],[2486,2359],[2487,2360],[2488,2361],[2489,2362],[2490,2363],[2491,2364],[2492,2365],[2493,2366],[2494,2367],[2495,631],[2496,2368],[2497,2369],[2498,2370],[2499,2371],[2500,2372],[2501,2373],[2502,2374],[2503,2375],[2504,2376],[2505,2377],[2506,2378],[2507,2379],[2508,2380],[2509,2381],[2510,2330],[2511,2382],[2512,2383],[2513,2384],[2514,2385],[2515,831],[2516,2386],[2517,2386],[2518,2387],[2519,2388],[2520,2389],[2521,2390],[2522,822],[2523,2391],[2524,2392],[2525,2393],[2526,2394],[2527,2395],[2528,834],[2529,2396],[2530,2397],[2531,2398],[2532,2399],[2533,835],[2534,2400],[2535,2401],[2536,2402],[2537,740],[2538,2403],[2539,2404],[2540,2405],[2541,2406],[2542,2407],[2543,2408],[2544,2409],[2545,2410],[2546,2411],[2547,2412],[2548,2413],[2549,2414],[2550,2415],[2551,2416],[2552,2417],[2553,2418],[2554,2419],[2555,2420],[2556,2421],[2557,2422],[2558,2423],[2559,2424],[2560,2425],[2561,2426],[2562,2427],[2563,2428],[2564,2429],[2565,2430],[2566,2431],[2567,2432],[2568,2433],[2569,2434],[2570,2435],[2571,2436],[2572,2437],[2573,2438],[2574,2439],[2575,2440],[2576,2441],[2577,2442],[2578,2443],[2579,2444],[2580,2445],[2581,837],[2582,2446],[2583,2447],[2584,2448],[2585,2449],[2586,2450],[2587,2451],[2588,2452],[2589,2453],[2590,2454],[2591,2455],[2592,2456],[2593,2424],[2594,2457],[2595,2458],[2596,2459],[2597,2460],[2598,2461],[2599,2462],[2600,2463],[2601,2464],[2602,2465],[2603,2466],[2604,2467],[2605,2468],[2606,2469],[2607,2470],[2608,2471],[2609,824],[2610,2472],[2611,2473],[2612,2474],[2613,2475],[2614,2476],[2615,2
477],[2616,2478],[2617,2479],[2618,2480],[2619,2481],[2620,1659],[2621,1660],[2622,2482],[2623,2483],[2624,2484],[2625,2485],[2626,2486],[2627,2487],[2628,2488],[2629,2489],[2630,2490],[2631,2491],[2632,2492],[2633,2493]],"52":[[1887,1816],[1888,1817],[1889,1818],[1890,1819],[1891,1820],[1892,1821],[1893,1822],[1894,1823],[1895,1824],[1896,1825],[1897,1826],[1898,1827],[1899,1828],[1900,1829],[1901,1830],[1902,1831],[1903,1832]],"53":[[1982,1912],[1983,1913],[1984,1914]],"54":[[2796,2655],[2797,2656],[2798,2657],[2799,2658],[2800,2659],[2801,2660],[2802,2661],[2803,2662],[2804,2663],[2805,2664],[2806,2665],[2807,2666],[2808,2667],[2809,2668],[2810,2669],[2811,2670],[2812,850],[2813,2671],[2814,2672],[2815,2673],[2816,2674],[2817,2675]],"55":[[2839,2697],[2840,2698],[2841,2699],[2842,2700],[2843,2701],[2844,2702],[2845,2703],[2846,2704],[2847,2705],[2848,2706],[2849,2707],[2850,2708]],"56":[[2839,2697],[2840,2698],[2841,2699],[2842,2700],[2843,2701],[2844,2702],[2845,2703],[2846,2704],[2847,2705],[2848,2706],[2849,2707],[2850,2708]],"57":[[2859,2717],[2860,2718],[2861,2719]],"58":[[2863,2721]],"59":[[1919,1848],[2864,2368],[2865,2285],[1933,1862],[2866,2722]],"60":[[2867,2723],[2868,2724],[2869,2725]],"62":[[2871,2727]],"63":[[89,88]],"64":[[2872,2728]],"65":[[2874,2730],[2875,2731],[2876,2042]],"66":[[2877,2732]],"67":[[2879,2734],[2880,2735],[2881,2736],[2882,2737],[2883,2738],[2884,2739],[2885,2740],[2886,2741],[2887,2742],[2888,2743]],"68":[[2893,2748],[2894,2749]],"71":[[2896,2751],[2897,2752]],"72":[[2898,2753]],"74":[[2899,2754],[2900,2755],[2901,2754]],"75":[[2902,2756],[2061,1980]],"76":[[2903,2757]],"77":[[2903,2757]],"78":[[1924,1853]],"79":[[1096,1059]],"80":[[2904,2758],[2905,2759]],"81":[[2906,2760]],"82":[[2906,2760]],"84":[[2908,2762]],"85":[[2908,2762],[2909,2763]],"86":[[2909,2763]],"87":[[2894,2749]],"88":[[1982,1912],[1983,1913],[1984,1914]],"89":[[2910,2764],[2911,2765],[2912,2766]],"90":[[2913,2767]],"91":[[2913,2767]],"92":[[2910,2764],[2911,27
65],[2912,2766]],"93":[[2914,2768]],"94":[[2915,2769]],"95":[[2916,2770],[2917,2771]],"96":[[2918,300],[2919,1825],[2920,2772],[2921,311],[2922,2773],[2923,2774],[2924,2775],[2925,2776],[2926,2777],[2927,347],[2928,2778],[2929,349],[2930,350],[2931,351],[2932,352],[2933,353],[2934,354],[2935,355],[2936,356],[2937,357],[2938,361],[2939,2779],[2940,379],[2941,394],[2942,398],[2943,1359],[2944,409],[2945,409],[2946,414],[2947,2780],[2948,2781],[2949,433],[2950,434]],"97":[[2951,2782]],"99":[[2952,2783]],"115":[[2956,2787]],"116":[[2957,2788]],"121":[[2962,2793]],"131":[[2969,2800],[2970,2801],[2971,2802],[2972,2803],[2973,2804],[2974,2805],[2975,2806],[2976,2807],[2977,2808],[2978,2809],[2386,2273],[2387,2274],[2388,612],[2389,2275],[2390,2276],[2391,2277],[2392,2278],[2393,2279],[2394,2280],[2395,2281],[2396,2282],[2397,2283],[2398,2284],[2399,2285],[2400,2286],[2401,2287],[2402,2288],[2403,2289],[2404,2290],[2405,2291],[2406,2292],[2407,2293],[2408,2294],[2409,2295],[2410,2296],[2411,2297],[2412,608],[2413,2298],[2414,2299],[2415,2300],[2416,2301],[2417,2302]],"132":[[2979,2343],[2980,2810],[2981,2811],[2982,2812]],"133":[[2986,2816]],"135":[[2988,2818]],"139":[[89,88]],"143":[[2989,2819]],"147":[[2990,2820],[2991,2821]],"148":[[2993,2823]],"149":[[2994,50]],"150":[[2994,50]],"151":[[2995,2824],[2006,1926],[2014,1934]],"157":[[2999,2827]],"211":[[3000,2828],[3001,2829],[3002,2830],[3003,2831],[3004,2832]],"215":[[3005,2833]],"227":[[3006,2834]],"228":[[3006,2834]],"371":[[2904,2758],[2905,2759]],"403":[[3007,2835],[3008,2836]],"411":[[3010,2838],[3011,2839]],"412":[[3011,2839]],"413":[[3012,2840]],"414":[[3012,2840]],"416":[[3012,2840]],"417":[[3013,2841]],"419":[[3012,2840]],"420":[[3012,2840]],"421":[[2910,2764],[2911,2765],[2912,2766]],"422":[[2913,2767]],"423":[[2910,2764],[2911,2765],[2912,2766]],"424":[[3014,2842]],"425":[[3015,2843]],"426":[[3016,2844],[3017,2845]],"427":[[3018,2846]],"428":[[3018,2846],[3019,2847]],"429":[[3018,2846]],"430":[[3018,2846]],"431
":[[3020,2848]],"432":[[3021,2849]],"433":[[2965,2850]],"435":[[3022,2851]],"436":[[3023,2852]],"437":[[3024,2853]],"438":[[3026,2855]],"439":[[3006,2834]],"440":[[3027,2856]],"444":[[3028,2857]],"446":[[3029,2858]],"447":[[3030,2859]],"456":[[2989,2819]],"457":[[3032,2861]],"458":[[3033,2862]],"459":[[3034,2863]],"460":[[3035,2864]],"461":[[3036,2865]],"462":[[3037,2866],[3038,2867]],"463":[[3039,2868]],"466":[[3041,2870]],"467":[[3042,2871]],"468":[[3043,2872]],"469":[[3044,2873]],"470":[[3045,2874],[3046,2875]],"471":[[3045,2874],[3046,2875]],"472":[[3015,2843]],"474":[[3050,2879]],"475":[[3051,2845],[3052,2880]],"481":[[3058,2886],[3059,2887]],"482":[[3061,2889]],"483":[[3062,2890],[3063,2891],[3064,765],[3065,2892],[3066,2893],[3067,2779],[3068,2894],[3069,398],[3070,1359]],"484":[[3071,2895]],"485":[[3072,2896],[3073,2897]],"486":[[3074,2898]],"494":[[3078,2902]],"495":[[3078,2902]],"496":[[3078,2902]],"517":[[3079,2903]],"526":[[3080,2904]],"527":[[3081,2905],[3082,2666],[3083,2667],[3084,2906],[3085,2907],[3086,2674]],"528":[[3087,2908],[3088,2909],[3089,2910],[3090,2911]],"557":[[3091,2912]],"558":[[3091,2912]],"670":[[3093,2914]],"671":[[3094,2915]],"717":[[3095,2916]],"718":[[3095,2916]],"719":[[3095,2916]],"870":[[3096,2917]],"1534":[[3011,2839]],"1535":[[3011,2839]],"1544":[[3097,2918]],"1545":[[3097,2918]],"1733":[[3098,2919]],"1735":[[3099,2920]],"1736":[[3005,2833]],"1737":[[3100,2921]],"1739":[[3101,2922]],"1748":[[3102,2923]],"1777":[[3103,2924]],"1866":[[3104,2925]],"1875":[[3106,2927]],"1876":[[3107,2928]],"1961":[[3108,2929]],"2043":[[3109,2930]],"2363":[[3091,2912]],"2364":[[3091,2912]],"2421":[[3110,2931]],"2422":[[3110,2931]],"2423":[[3110,2931]],"2424":[[3110,2931]],"2528":[[3111,2932]],"2529":[[3111,2932]],"2530":[[3093,2914]],"2531":[[3094,2915]],"2801":[[298,295]],"3318":[[1957,1886]],"3337":[[3007,2835],[3008,2836]],"3386":[[3112,2933]],"3387":[[3112,2933]],"3388":[[3112,2933]],"3389":[[3112,2933]],"3390":[[3112,2933]],"3599":[[3013,2841
]],"3600":[[3079,2903]],"3605":[[3013,2841]],"3606":[[3079,2903]],"3607":[[3012,2840]],"3608":[[3012,2840]],"3609":[[2910,2764],[2911,2765],[2912,2766]],"3611":[[3014,2842]],"3612":[[3014,2842]],"3613":[[3014,2842]],"3884":[[3020,2848]],"6163":[[3113,2934]],"6166":[[3114,2935]],"6170":[[3080,2904]],"6171":[[3115,2936]],"6172":[[3116,2937]],"6199":[[3117,2938]],"6226":[[3087,2908],[3088,2909],[3089,2910],[3090,2911]],"6233":[[3118,2939]],"6516":[[3119,2940]],"6517":[[3119,2940]],"6711":[[3120,2941]],"6712":[[3120,2941]],"6739":[[3121,2942]],"6741":[[3014,2842]]},"rle":{"0":[[14,14],[15,15],[16,16],[17,16],[18,17],[19,18],[20,19],[21,20],[22,21],[23,22],[24,23]],"1":[[38,37],[14,14],[39,38],[15,15],[16,16],[17,16]],"2":[[52,51],[53,52],[54,53],[55,54],[56,55]],"3":[[61,60],[62,61],[63,62]],"4":[[75,74]],"5":[[78,77]],"6":[[82,81],[83,82]],"7":[[90,89],[91,90],[92,91]],"8":[[98,97]],"9":[[109,108],[110,109],[111,110],[112,111],[91,90],[113,112],[114,113],[115,114],[116,105],[105,115],[117,116]],"10":[[139,138],[140,139],[141,140],[54,53],[142,141]],"11":[[242,240]],"12":[[289,286]],"13":[[299,296]],"14":[[463,454],[464,455],[465,456],[466,457],[467,458],[468,459],[469,460],[470,461],[471,462],[472,463],[473,464],[474,465]],"15":[[1077,1040]],"16":[[63,62]],"17":[[83,82]],"18":[[1100,1063]],"19":[[16,16],[17,16],[1118,1081],[1119,1082],[116,105],[117,116]],"20":[[1802,1733]],"21":[[1867,1796],[1868,1797],[1869,1798],[1870,1799],[1871,1800],[1872,1801],[1802,1733]],"22":[[1904,1833]],"24":[[1929,1858]],"33":[[2027,1947]],"34":[[1119,1082]],"35":[[2042,1962]],"36":[[2044,1964]],"37":[[83,82]],"41":[[299,296]],"42":[[19,18],[2027,1947],[23,22],[2086,1988]],"43":[[2087,1989]],"47":[[2097,1999]],"61":[[20,19]],"66":[[2878,2733]],"73":[[2097,1999]],"120":[[2961,2792]],"8134":[[3123,2944]]},"rlp":{"0":[[25,24],[26,25],[27,26],[28,27],[29,28],[30,29],[31,30],[32,31],[33,32],[34,33],[35,34]],"1":[[40,39],[25,24],[26,25],[32,31],[41,40],[42,41],[43,42],[44,43],[35,34]],"2":[[57,5
6],[58,57],[28,27],[29,28],[59,58]],"3":[[64,63],[65,64],[66,65],[67,66],[68,67],[69,68],[70,69],[71,70],[72,71],[73,72]],"4":[[69,68],[70,69]],"5":[[79,78],[80,79]],"6":[[84,83],[85,84],[86,85]],"7":[[93,92],[94,93],[95,94],[96,95],[86,85]],"8":[[99,98],[100,99]],"9":[[118,117],[119,118],[120,119],[121,120],[122,121],[123,122],[124,123],[125,124],[126,125],[127,126],[128,127],[129,128],[130,129],[131,130],[132,131],[133,132],[30,29],[134,133],[135,134],[136,135],[137,136],[59,58],[138,137]],"10":[[143,142],[137,136],[59,58],[138,137]],"11":[[243,241],[244,242],[245,243],[246,244],[247,245],[248,246],[249,247],[250,248],[251,249],[252,250],[253,251],[254,252],[255,253],[256,254],[257,255],[258,256],[259,257],[260,258],[261,259],[262,260],[263,261],[264,262],[265,263],[266,264],[267,265],[268,266],[269,267],[270,268],[271,269],[272,270],[273,271],[274,272],[275,273],[276,274],[277,275]],"12":[[290,287],[291,288],[292,289],[293,290],[294,291],[295,292],[296,293],[297,294]],"13":[[300,297]],"14":[[475,466],[476,467],[477,468],[478,469],[479,470],[480,471],[481,472],[482,473],[483,474],[484,475],[485,476],[486,477],[487,478],[488,479],[489,480],[490,481],[491,482],[492,483],[493,484],[494,485],[495,486],[496,487],[497,488],[498,489],[499,490],[500,491],[501,492],[502,493],[503,494],[504,495],[505,496],[506,497],[507,498],[508,499],[509,500],[510,501],[511,502],[512,503],[513,504],[514,505],[515,506],[516,507],[517,508],[518,509],[519,510],[520,511],[521,512],[522,513],[523,514],[524,515],[525,516],[526,517],[527,518],[528,519],[529,520],[530,521],[531,522],[532,523],[533,524],[534,525],[535,526],[536,527],[537,528],[538,529],[539,530],[540,531],[541,532],[542,533],[543,534],[544,535],[545,536],[546,537],[547,538],[548,539],[549,540],[550,541],[551,542],[552,543],[553,544],[554,545],[555,546],[556,547],[557,548],[558,549],[559,550],[560,551],[561,552],[562,553],[563,554],[564,555],[565,556],[566,557],[567,558],[568,559],[569,560],[570,561],[571,562],[572,563],[573,564],[
574,565],[575,566],[576,567],[577,568],[578,569],[579,570],[580,571],[581,572],[582,573],[583,574]],"15":[[1078,1041],[1079,1042],[1080,1043],[1081,1044],[1082,1045],[1083,1046],[1084,1047],[1085,1048],[1086,1049],[1087,1050],[1088,1051],[1089,1052],[1090,1053],[1091,1054],[1092,1055],[1093,1056],[1094,1057],[1095,1058]],"16":[[67,66]],"17":[[1098,1061],[1099,1062],[86,85]],"18":[[1101,1064],[94,93],[1102,1065],[95,94],[96,95]],"19":[[1120,1083],[1121,1084],[1122,1085],[1123,1086]],"20":[[1803,1734],[1804,1735],[1805,1736],[1806,1737],[1807,1738],[1808,1739],[1809,1740],[1810,1741],[1811,1742],[1812,1743],[1813,1744],[1814,1745],[1078,1041],[1815,1746],[1079,1042],[1816,1747],[1817,1748],[1818,1749],[1819,1750],[1820,561],[1080,1043],[1081,1044],[1821,1751],[1822,1752],[1823,1753],[1824,1754],[1825,1755],[1826,1756],[1827,1757],[1828,1758],[1082,1045],[1083,1046],[1084,1047],[1085,1048],[1086,1049],[1087,1050],[1088,1051],[1829,1759],[1089,1052],[1830,1760],[1831,1761],[1832,1762],[1833,1763],[1834,1764],[1835,1765],[1836,1766],[1090,1053],[1091,1054],[1837,1767],[1838,1768],[1839,1769],[1092,1055],[1093,1056],[1094,1057],[1840,1770],[1095,1058],[1841,1771],[1842,1772],[1843,1773]],"21":[[1873,1802],[1874,1803],[1875,1804],[1876,1805],[1877,1806],[1878,1807],[1879,1808],[1880,1809],[1881,1810],[1882,1811],[1883,1812],[1884,1813],[1885,1814],[1886,1815]],"22":[[1905,1834],[1906,1835],[1907,1836],[1908,1837],[1909,1838],[1910,1839],[1911,1840],[1912,1841],[1913,1842]],"23":[[35,34],[1915,1844],[1916,1845]],"25":[[1935,1864],[1936,1865],[1937,1866],[1938,1867],[1939,1868],[1940,1869],[1941,1870],[1942,1871],[1943,1872],[1944,1873],[1945,1874],[1946,1875],[1947,1876],[1948,1877],[1949,1878],[1950,1879],[1951,1880]],"26":[[1953,1882],[1954,1883]],"27":[[1958,1887],[1959,1888],[1956,1889],[100,99],[1960,1890],[1961,1891],[1962,1892],[1963,1893],[1964,1894],[1965,1895]],"28":[[1968,1898],[1969,1899],[1970,1900],[1971,1901],[1972,1902],[1973,1903]],"29":[[1974,1904],[1975,1
905]],"30":[[1976,1906],[1977,1907],[1978,1908],[1979,1909]],"31":[[1981,1911],[1123,1086]],"32":[[1985,1915]],"33":[[2028,1948],[2029,1949],[2030,1950],[2031,1951],[2032,1952],[2033,1953],[2034,1954],[2035,1955],[2036,1956],[2037,1957],[2038,1958],[2039,1959]],"34":[[2040,1960]],"37":[[2045,1965]],"38":[[2047,1967],[2048,1968]],"39":[[2058,1977],[2059,1978],[2060,1979]],"40":[[2062,1982]],"41":[[300,297]],"43":[[2088,1990]],"44":[[1098,1061],[2092,1994],[2093,1995],[86,85]],"45":[[2095,1997]],"46":[[86,85]],"48":[[2149,2051],[2150,2052],[1805,1736],[1807,1738],[2151,2053],[2152,2054],[1811,1742],[1813,1744],[1814,1745],[1817,1748],[2153,2055],[2154,2056],[2155,2057],[1839,1769],[2156,2058],[1842,1772],[2157,2059]],"49":[[2324,2211],[2325,2212],[2326,2213],[2327,2214],[2328,2215],[2329,2216],[2330,2217],[2331,2218],[2332,2219],[1803,1734],[2333,2220],[2334,2221],[2335,2222],[2336,2223],[2337,2224],[2338,2225],[2339,2226],[2340,2227],[2341,2228],[2342,2229],[1810,1741],[2343,2230],[2344,2231],[2345,2232],[2346,2233],[2347,2234],[2348,2235],[2349,2236],[2350,2237],[2351,2238],[2352,2239],[2353,2240],[2354,2241],[2355,2242],[2356,2243],[1078,1041],[2357,2244],[2358,2245],[1815,1746],[1079,1042],[1816,1747],[2359,2246],[2360,2247],[2361,2248],[2362,2249],[2363,2250],[2364,2251],[2365,2252],[1824,1754],[1825,1755],[2366,2253],[2367,2254],[2368,2255],[2369,2256],[2370,2257],[2371,2258],[2372,2259],[2373,2260],[1089,1052],[1830,1760],[2374,2261],[1831,1761],[2375,2262],[2376,2263],[2377,2264],[2378,2265],[2379,2266],[2380,2267],[2381,2268],[2382,2269],[2383,2270],[2384,2271]],"50":[[2418,2303],[2419,2304],[2420,2305],[2421,2306],[2422,2307],[1827,1757],[2423,2308],[2424,2309],[2425,2310],[2426,2311],[2427,2312],[2428,2313],[2429,2314]],"51":[[2634,2494],[2418,2303],[2635,2495],[2636,2496],[2637,2497],[2638,2498],[2639,2499],[2640,2500],[2641,2501],[2642,2502],[2643,2503],[2644,2504],[2645,2505],[2646,2506],[2647,2507],[2648,2508],[2649,2509],[2650,2510],[2651,2511],[2652,2
512],[2653,2513],[2654,2514],[2655,2515],[2656,2516],[2657,2517],[2658,2518],[2659,2519],[2660,2520],[2661,2521],[2662,2522],[2663,2523],[2664,2524],[2665,2525],[2666,2526],[2667,2527],[2668,2528],[2419,2304],[2669,2529],[2670,2530],[2671,2531],[2672,2532],[2673,2533],[2674,2534],[2675,2535],[2420,2305],[2421,2306],[2676,2536],[2422,2307],[2677,2537],[2678,2538],[2679,2539],[2680,2540],[2681,2541],[2682,2542],[2683,2543],[2684,2544],[2685,2545],[2686,2546],[2687,2547],[2688,2548],[2689,2549],[2690,2550],[2691,2551],[2692,2552],[2693,2553],[2694,2554],[2695,2555],[2696,2556],[2697,2557],[2698,2558],[2699,2559],[2700,2560],[2701,2561],[2702,2562],[2703,2563],[2704,2564],[2705,2565],[2706,2566],[2707,2567],[2708,2568],[2709,2569],[2710,2570],[2711,2571],[2712,2572],[2713,2573],[2714,2574],[2715,2575],[2716,2576],[2717,2577],[2718,2578],[2719,2579],[2720,2580],[2721,2581],[2722,2582],[2723,2583],[2724,2584],[2725,2585],[2726,2586],[2727,2587],[2728,2588],[2729,2589],[2730,2590],[2731,2591],[2732,2592],[2733,2593],[2734,2594],[2735,2595],[2736,2596],[2737,2597],[2738,2598],[2739,2599],[2740,2600],[2741,2601],[2742,2602],[2743,2603],[2744,2604],[2745,2605],[2746,2606],[2747,2607],[2748,2608],[2749,2609],[2750,2610],[2751,2611],[2752,2612],[2753,2613],[1829,1759],[2754,2614],[2755,2615],[2756,2616],[2757,2617],[2758,2618],[2759,2619],[2760,2620],[2761,2621],[2762,2622],[2763,2623],[2764,2624],[2765,2625],[2766,2626],[2767,2627],[2768,2628],[2769,2627],[2770,2629],[2771,2630],[2772,2631],[2773,2632],[2774,2633],[2775,2634],[2776,2635],[1835,1765],[2777,2636],[2424,2309],[2778,2637],[2779,2638],[2780,2639],[2781,2640],[2782,2641],[2783,2642],[2784,2643],[2785,2644],[2786,2645],[2787,2646],[2788,2647],[2789,2648],[2790,2649],[2791,2650],[2792,2651],[2793,2652],[2794,2653],[2427,2312],[2428,2313],[2429,2314]],"52":[[1905,1834],[1906,1835],[1907,1836],[1908,1837],[1909,1838],[1910,1839],[1911,1840],[1912,1841],[1913,1842]],"53":[[2795,2654]],"54":[[2818,2676],[249,247],[2819,26
77],[2820,2678],[2821,2679],[2822,2680],[2823,2681],[2824,2682],[2825,2683],[2826,2684],[2827,2685],[2828,2686],[2829,2687],[2830,2688],[2831,2689],[2832,2690],[2833,2691],[2834,2692],[2835,2693],[2836,2694],[2837,2695],[2838,2696]],"55":[[2851,2709],[2852,2710],[2853,2711],[2854,2712],[2855,2713],[2856,2714],[2857,2715],[2858,2716]],"56":[[2851,2709],[2852,2710],[2853,2711],[2854,2712],[2855,2713],[2857,2715],[2858,2716]],"57":[[2862,2720]],"61":[[2870,2726],[86,85]],"64":[[2873,2729]],"67":[[2889,2744],[2890,2745],[2891,2746],[2892,2747]],"69":[[2895,2750]],"70":[[1944,1873]],"83":[[2907,2761]],"98":[[69,68],[70,69]],"100":[[86,85]],"101":[[86,85]],"102":[[2953,2784],[86,85]],"103":[[2092,1994],[2954,2785],[86,85]],"104":[[2095,1997],[2045,1965],[1944,1873]],"105":[[2045,1965],[1944,1873]],"106":[[86,85]],"107":[[1944,1873]],"108":[[1944,1873]],"109":[[2095,1997]],"110":[[2045,1965]],"111":[[2045,1965]],"112":[[1944,1873]],"113":[[86,85]],"114":[[2955,2786]],"117":[[2958,2789],[2959,2790]],"118":[[2958,2789],[1963,1893],[2960,2791]],"119":[[143,142]],"122":[[2963,2794],[2964,2795]],"123":[[2965,2796],[2966,2797]],"126":[[2967,2798]],"127":[[2968,2799]],"131":[[2756,2616]],"132":[[2983,2813],[2984,2814],[2985,2815]],"133":[[2987,2817]],"147":[[2992,2822]],"151":[[2996,2825],[2997,2826],[2998,2826]],"410":[[3009,2837]],"437":[[3025,2854]],"450":[[3031,2860]],"452":[[2045,1965]],"453":[[2045,1965]],"454":[[2045,1965]],"455":[[2045,1965]],"464":[[3040,2869]],"465":[[3040,2869]],"473":[[3047,2876],[3048,2877],[3049,2878]],"476":[[3053,2881]],"477":[[3054,2882]],"478":[[3055,2883]],"479":[[3056,2884]],"480":[[3057,2885]],"481":[[3060,2888],[2985,2815]],"487":[[3075,2899],[3076,2900],[3077,2901]],"659":[[3092,2913]],"1867":[[3105,2926],[2985,2815]],"1868":[[3105,2926],[2985,2815]],"1869":[[3105,2926],[3060,2888],[2985,2815]],"1870":[[3060,2888],[2985,2815]],"1871":[[3060,2888],[2985,2815]],"1872":[[3105,2926],[2985,2815]],"1873":[[3060,2888],[2985,2815]],"1874":[[3105,29
26],[2985,2815]],"7936":[[3031,2860]],"7937":[[3122,2943]],"8243":[[3124,2945]]},"ret":{"0":"Microsoft-Windows-Security-Auditing 4611 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 4625 Inferred from 11 detection rules within ~1m | Microsoft-Windows-Security-Auditing 4625 Logon success / failure | Microsoft-Windows-Security-Auditing 4627 Group membership information logged alongside the logon event | Microsoft-Windows-Security-Auditing 4634 Logon session creation followed by logoff | Microsoft-Windows-Security-Auditing 4648 Explicit credential logon (runas) generates both 4648 and 4624 | Microsoft-Windows-Security-Auditing 4648 Inferred from 4 detection rules | Microsoft-Windows-Security-Auditing 4649 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 4672 Special privileges assigned during logon | Microsoft-Windows-Security-Auditing 4697 Logon followed by service install (~1m, same logon ID) — service-creation chains follow a fresh logon in Kerberos-relay and remote-service-install patterns | Microsoft-Windows-Security-Auditing 4719 Audit policy change (4719) affects which logon events are generated | Microsoft-Windows-Security-Auditing 4776 NTLM credential validation followed by logon session creation | Microsoft-Windows-Security-Auditing 4902 Per-user audit policy table created - fine-grained audit control | Microsoft-Windows-Security-Auditing 4964 Special group assigned to new logon | Microsoft-Windows-Security-Auditing 5145 Both appear in 2 Elastic detection rules | Microsoft-Windows-TerminalServices-LocalSessionManager 21 RDP local session event correlates with Security logon (type 10) | Defender-DeviceLogonEvents 9003001 Appear together in 2 Kusto detection rules | Defender-DeviceLogonEvents 9003002 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4647 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4656 Appear 
together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4662 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4675 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4698 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4699 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4700 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4701 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4702 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4724 Appear together in 1 Elastic detection rule (temporal sequence) | Microsoft-Windows-Sysmon 1 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 19 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 20 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 21 Appear together in 1 Kusto detection rule","1":"Microsoft-Windows-Security-Auditing 4624 Inferred from 11 detection rules within ~1m | Microsoft-Windows-Security-Auditing 4624 Logon success / failure | Microsoft-Windows-Security-Auditing 4648 Inferred from 4 detection rules | Microsoft-Windows-Security-Auditing 4776 Both appear in 3 Sigma detection rules | Microsoft-Windows-Security-Auditing 5145 Both appear in 2 Elastic detection rules | Defender-DeviceLogonEvents 9003001 Appear together in 1 Kusto detection rule | Defender-DeviceLogonEvents 9003002 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4634 Appear together in 5 Kusto detection rules | Microsoft-Windows-Security-Auditing 4647 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4675 Appear together in 1 Kusto detection rule","2":"Microsoft-Windows-Security-Auditing 4661 Both appear in 4 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 5136 Both appear in 1 
Sigma detection rule | Microsoft-Windows-Security-Auditing 5137 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule","3":"Microsoft-Windows-Security-Auditing 4699 Inferred from 5 detection rules (typically precedes) within ~5m | Microsoft-Windows-Security-Auditing 4699 Scheduled task created / deleted | Microsoft-Windows-Security-Auditing 4700 Both appear in 2 Splunk detection rules | Microsoft-Windows-Security-Auditing 4702 Both appear in 2 Splunk detection rules | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4697 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4701 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 5145 Appear together in 1 Kusto detection rule","4":"Microsoft-Windows-Security-Auditing 4698 Both appear in 2 Splunk detection rules | Microsoft-Windows-Security-Auditing 4700 Both appear in 2 Splunk detection rules | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4697 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4699 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4701 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 5145 Appear together in 1 Kusto detection rule","5":"Microsoft-Windows-Security-Auditing 4624 Audit policy change (4719) affects which logon events are generated","6":"Microsoft-Windows-Security-Auditing 4729 Member added to / removed from global security group | Microsoft-Windows-Security-Auditing 4732 User added to security-enabled group (global vs local) — privileged-group-membership rules typically OR these together; the elevation action is parallel, only group scope differs | Microsoft-Windows-Security-Auditing 632 Appear together in 1 Sigma detection rule | 
Microsoft-Windows-Security-Auditing 4720 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4722 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4723 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4724 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4725 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4726 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4733 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4738 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4743 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4756 Appear together in 1 Elastic + 1 Kusto detection rules | Microsoft-Windows-Security-Auditing 4780 Appear together in 1 Splunk detection rule","7":"Microsoft-Windows-Security-Auditing 4720 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4741 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4742 Both appear in 3 Splunk detection rules | Microsoft-Windows-Security-Auditing 4765 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4766 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 5136 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4722 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4723 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4724 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4725 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4726 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4728 Appear together in 1 Splunk detection rule | 
Microsoft-Windows-Security-Auditing 4732 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4733 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4743 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4780 Appear together in 1 Splunk detection rule","8":"Microsoft-Windows-Security-Auditing 4720 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4768 Events occur in sequence in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4768 Inferred from 4 detection rules","9":"Microsoft-Windows-Security-Auditing 4657 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 4662 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4738 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4742 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 5137 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 5145 Both appear in 2 Sigma detection rules | Microsoft-Windows-Security-Auditing 5169 Both appear in 7 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 5170 Both appear in 7 Elastic detection rules (inferred)","10":"Microsoft-Windows-Security-Auditing 4662 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 5136 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 5141 Events occur in sequence in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 5141 Inferred from 4 detection rules","11":"Microsoft-Windows-Sysmon 1 Process creation typically followed by DLL image loads | Microsoft-Windows-Sysmon 3 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 5 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 22 Both appear in 1 Splunk detection rule | Defender-DeviceImageLoadEvents 9006000 Appear 
together in 2 Kusto detection rules","12":"Microsoft-Windows-Sysmon 1 Both appear in 5 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 5 Both appear in 5 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 10 Both appear in 5 Elastic detection rules (inferred) | Defender-DeviceEvents 9007004 Appear together in 1 Kusto detection rule","13":"Microsoft-Windows-Eventlog 104 Appear together in 1 Elastic + 1 Splunk detection rules | Microsoft-Windows-Eventlog 517 Appear together in 1 Sigma detection rule","14":"Microsoft-Windows-PowerShell 4103 Script block logging (4104) with module logging detail (4103) | Defender-DeviceEvents 9007001 Appear together in 1 Kusto detection rule","15":"Microsoft-Windows-Security-Auditing 4689 Process creation followed by process termination | Microsoft-Windows-Sysmon 1 Process creation from Sysmon vs Security Auditing | Microsoft-Windows-Sysmon 11 Events occur in sequence in 3 Splunk detection rules","16":"Microsoft-Windows-Security-Auditing 4698 Inferred from 5 detection rules (typically precedes) within ~5m | Microsoft-Windows-Security-Auditing 4698 Scheduled task created / deleted | Microsoft-Windows-Security-Auditing 4701 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4697 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4700 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4702 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 5145 Appear together in 1 Kusto detection rule","17":"Microsoft-Windows-Security-Auditing 4720 Events occur in sequence (within 180m) in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4728 User added to security-enabled group (global vs local) — privileged-group-membership rules typically OR these together; the elevation action is parallel, only group scope differs | 
Microsoft-Windows-Security-Auditing 4733 Member added to / removed from local security group | Defender-DeviceEvents 9007007 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4722 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4723 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4724 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4725 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4726 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4738 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4743 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4756 Appear together in 1 Elastic + 1 Kusto detection rules | Microsoft-Windows-Security-Auditing 4780 Appear together in 1 Splunk detection rule","18":"Microsoft-Windows-Security-Auditing 4720 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4738 Both appear in 3 Splunk detection rules | Microsoft-Windows-Security-Auditing 4741 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 5136 Both appear in 1 Sigma detection rule","19":"Microsoft-Windows-Security-Auditing 4624 Both appear in 2 Elastic detection rules | Microsoft-Windows-Security-Auditing 4625 Both appear in 2 Elastic detection rules | Microsoft-Windows-Security-Auditing 5136 Both appear in 2 Sigma detection rules | Microsoft-Windows-Security-Auditing 5140 Network share access (5140) with per-file detail (5145) | Microsoft-Windows-Security-Auditing 4672 Appear together in 1 Elastic detection rule (temporal sequence) | Microsoft-Windows-Security-Auditing 4697 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4698 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4699 Appear together 
in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4700 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4701 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4702 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 17 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 18 Appear together in 1 Kusto detection rule","20":"Microsoft-Windows-Security-Auditing 4688 Process creation from Sysmon vs Security Auditing | Microsoft-Windows-Security-Auditing 4697 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4700 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4701 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Sysmon 3 Process creation may be followed by network connections | Microsoft-Windows-Sysmon 5 Process creation followed by process termination | Microsoft-Windows-Sysmon 7 Process creation typically followed by DLL image loads | Microsoft-Windows-Sysmon 8 Both appear in 5 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 10 Both appear in 1 Elastic detection rule | Microsoft-Windows-Sysmon 11 Events occur in sequence in 11 Splunk detection rules | Microsoft-Windows-Sysmon 12 Events occur in sequence in 1 Splunk detection rule | Microsoft-Windows-Sysmon 13 Events occur in sequence in 2 Splunk detection rules | Defender-DeviceProcessEvents 9001000 Appear together in 32 Kusto detection rules | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4689 Appear together in 9 Kusto detection rules | Microsoft-Windows-Sysmon 19 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 20 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 21 Appear together in 1 Kusto detection rule","21":"Microsoft-Windows-Security-Auditing 4663 Both can describe one process 
accessing another (Sysmon 10 always-on; 4663 only when a Process SACL is configured) | Microsoft-Windows-Sysmon 1 Both appear in 1 Elastic detection rule | Microsoft-Windows-Sysmon 5 Both appear in 6 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 8 Both appear in 5 Elastic detection rules (inferred)","22":"Microsoft-Windows-Sysmon 18 Both appear in 17 Sigma detection rules | Defender-DeviceEvents 9007006 Appear together in 2 Kusto detection rules | Microsoft-Windows-Security-Auditing 5145 Appear together in 1 Kusto detection rule","23":"Microsoft-Windows-Security-Auditing 4624 Explicit credential logon (runas) generates both 4648 and 4624 | Microsoft-Windows-Security-Auditing 4624 Inferred from 4 detection rules | Microsoft-Windows-Security-Auditing 4625 Inferred from 4 detection rules | Microsoft-Windows-Security-Auditing 4634 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4647 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4675 Appear together in 1 Kusto detection rule","24":"Microsoft-Windows-Security-Auditing 4657 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4658 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4663 Handle requested (4656) followed by object access attempts (4663) | Microsoft-Windows-Security-Auditing 4663 Inferred from 9 detection rules | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule","25":"Microsoft-Windows-Security-Auditing 4656 Handle requested (4656) followed by object access attempts (4663) | Microsoft-Windows-Security-Auditing 4656 Inferred from 9 detection rules | Microsoft-Windows-Security-Auditing 4657 Both appear in 2 Sigma detection rules | Microsoft-Windows-Security-Auditing 4658 Object access (4663) followed by handle close (4658) | Microsoft-Windows-Sysmon 10 Both can describe one process accessing another (Sysmon 10 always-on; 4663 only when a Process SACL 
is configured) | Microsoft-Windows-Sysmon 11 Both can describe file activity (Sysmon 11 on file create; 4663 only when a File SACL is configured) | Defender-DeviceFileEvents 9002000 Appear together in 3 Kusto detection rules | Defender-DeviceFileEvents 9002001 Appear together in 2 Kusto detection rules | Defender-DeviceRegistryEvents 9005000 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005002 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005003 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005004 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4660 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 12 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 13 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 14 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 23 Appear together in 3 Kusto detection rules | Microsoft-Windows-Sysmon 26 Appear together in 3 Kusto detection rules","26":"Microsoft-Windows-Security-Auditing 4720 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4738 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4742 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4743 Both appear in 1 Sigma detection rule","27":"Microsoft-Windows-Security-Auditing 4769 Kerberos TGT request followed by TGS request | Microsoft-Windows-Security-Auditing 4770 | Microsoft-Windows-Security-Auditing 4771 Kerberos TGT request success / failure | Microsoft-Windows-Security-Auditing 4781 Events occur in sequence in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4781 Inferred from 4 detection rules | Microsoft-Windows-Security-Auditing 4887 Events occur in sequence in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 675 Appear together in 1 Sigma 
detection rule","28":"Microsoft-Windows-Security-Auditing 4768 Kerberos TGT request followed by TGS request | Microsoft-Windows-Security-Auditing 4770 Kerberos TGS request followed by TGT renewal | Microsoft-Windows-Security-Auditing 4771 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4772 Kerberos TGS request success / failure | Microsoft-Windows-Security-Auditing 675 Appear together in 1 Sigma detection rule","29":"Microsoft-Windows-Security-Auditing 4768 Kerberos TGT request success / failure | Microsoft-Windows-Security-Auditing 4769 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 675 Appear together in 1 Sigma detection rule","30":"Microsoft-Windows-Security-Auditing 4624 NTLM credential validation followed by logon session creation | Microsoft-Windows-Security-Auditing 4625 Both appear in 3 Sigma detection rules","31":"Microsoft-Windows-Security-Auditing 5145 Network share access (5140) with per-file detail (5145)","32":"Microsoft-Windows-Sysmon 19 Both appear in 3 Sigma detection rules | Microsoft-Windows-Sysmon 20 Both appear in 3 Sigma detection rules | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 1 Appear together in 1 Kusto detection rule","33":"Microsoft-Windows-Security-Auditing 4697 Service installation from SCM vs Security Auditing | Microsoft-Windows-Security-Auditing 4697 Both appear in 1 Elastic detection rule (inferred) | Service-Control-Manager 7036 Both appear in 2 Sigma detection rules","34":"Microsoft-Windows-Security-Auditing 4624 Special privileges assigned during logon | Microsoft-Windows-Security-Auditing 5145 Appear together in 1 Elastic detection rule (temporal sequence)","37":"Microsoft-Windows-Security-Auditing 4757 Member added to / removed from universal security group | Microsoft-Windows-Security-Auditing 4727 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4728 Appear together 
in 1 Elastic + 1 Kusto detection rules | Microsoft-Windows-Security-Auditing 4731 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4732 Appear together in 1 Elastic + 1 Kusto detection rules | Microsoft-Windows-Security-Auditing 4744 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4749 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4754 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4759 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4783 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4790 Appear together in 1 Splunk detection rule","40":"Microsoft-Windows-AppXDeployment-Server 401 Both appear in 1 Sigma detection rule","41":"Microsoft-Windows-Eventlog 1102 Appear together in 1 Elastic + 1 Splunk detection rules","42":"Microsoft-Windows-Security-Auditing 4624 Logon followed by service install (~1m, same logon ID) — service-creation chains follow a fresh logon in Kerberos-relay and remote-service-install patterns | Microsoft-Windows-Security-Auditing 4700 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4701 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Sysmon 1 Both appear in 1 Elastic detection rule (inferred) | Service Control Manager 7045 Service installation from SCM vs Security Auditing | Service-Control-Manager 7045 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4698 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4699 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4702 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 5145 Appear together in 1 Kusto detection rule","44":"Microsoft-Windows-Security-Auditing 4722 User account created, then enabled | 
Microsoft-Windows-Security-Auditing 4726 User account created / deleted | Microsoft-Windows-Security-Auditing 4732 Events occur in sequence (within 180m) in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4738 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4741 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4742 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4781 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4723 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4724 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4725 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4728 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4733 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4743 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4780 Appear together in 1 Splunk detection rule","45":"Microsoft-Windows-Security-Auditing 4727 Both appear in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4737 Both appear in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 634 Appear together in 1 Sigma detection rule","46":"Microsoft-Windows-Security-Auditing 4741 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4720 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4722 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4723 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4724 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4725 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4726 Appear together in 1 Splunk detection 
rule | Microsoft-Windows-Security-Auditing 4728 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4732 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4733 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4738 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4780 Appear together in 1 Splunk detection rule","47":"Microsoft-Windows-Security-Auditing 5152 Appear together in 1 Elastic + 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5154 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5155 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5156 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5158 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5159 Appear together in 7 Kusto detection rules | Microsoft-Windows-Sysmon 3 Appear together in 7 Kusto detection rules","48":"Microsoft-Windows-Security-Auditing 5156 Both log allowed network connections; Sysmon 3 captures process-initiated TCP/UDP, 5156 captures Windows Filtering Platform allow decisions | Microsoft-Windows-Sysmon 1 Process creation may be followed by network connections | Microsoft-Windows-Sysmon 5 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 7 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 11 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 12 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Sysmon 13 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Sysmon 14 Both appear in 1 Elastic detection rule (inferred) | Defender-DeviceNetworkEvents 9004001 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 5152 Appear together in 7 Kusto detection rules | 
Microsoft-Windows-Security-Auditing 5154 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5155 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5157 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5158 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5159 Appear together in 7 Kusto detection rules | Microsoft-Windows-Sysmon 18 Appear together in 1 Kusto detection rule","49":"Microsoft-Windows-Security-Auditing 4663 Both can describe file activity (Sysmon 11 on file create; 4663 only when a File SACL is configured) | Microsoft-Windows-Security-Auditing 4688 Events occur in sequence in 3 Splunk detection rules | Microsoft-Windows-Sysmon 1 Events occur in sequence in 11 Splunk detection rules | Microsoft-Windows-Sysmon 3 Both appear in 2 Elastic detection rules (inferred) | Defender-DeviceFileEvents 9002000 Appear together in 3 Kusto detection rules | Defender-DeviceFileEvents 9002001 Appear together in 2 Kusto detection rules | Microsoft-Windows-Sysmon 23 Appear together in 3 Kusto detection rules | Microsoft-Windows-Sysmon 26 Appear together in 3 Kusto detection rules","50":"Microsoft-Windows-Sysmon 1 Events occur in sequence in 1 Splunk detection rule | Microsoft-Windows-Sysmon 3 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Sysmon 13 Both appear in 32 Sigma detection rules | Microsoft-Windows-Sysmon 14 Both appear in 32 Sigma detection rules | Defender-DeviceRegistryEvents 9005000 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005002 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005003 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005004 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4657 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4660 Appear together in 1 
Kusto detection rule | Microsoft-Windows-Security-Auditing 4663 Appear together in 1 Kusto detection rule","51":"Microsoft-Windows-Security-Auditing 4657 Registry value set from Sysmon vs registry modification auditing | Microsoft-Windows-Sysmon 1 Events occur in sequence in 2 Splunk detection rules | Microsoft-Windows-Sysmon 3 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Sysmon 12 Both appear in 32 Sigma detection rules | Microsoft-Windows-Sysmon 14 Both appear in 32 Sigma detection rules | Defender-DeviceRegistryEvents 9005000 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005002 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005003 Appear together in 3 Kusto detection rules | Defender-DeviceRegistryEvents 9005004 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4660 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4663 Appear together in 1 Kusto detection rule","52":"Microsoft-Windows-Sysmon 17 Both appear in 17 Sigma detection rules | Defender-DeviceEvents 9007006 Appear together in 2 Kusto detection rules | Microsoft-Windows-Security-Auditing 5145 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 3 Appear together in 1 Kusto detection rule","53":"Microsoft-Windows-Sysmon 19 Both appear in 3 Sigma detection rules | Microsoft-Windows-Sysmon 21 Both appear in 3 Sigma detection rules | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 1 Appear together in 1 Kusto detection rule","54":"Microsoft-Windows-DNS-Client 3006 DNS query logging from Sysmon vs DNS Client ETW | Microsoft-Windows-Sysmon 7 Both appear in 1 Splunk detection rule","55":"Microsoft-Windows-Sysmon 26 Both appear in 12 Sigma detection rules | Microsoft-Windows-Security-Auditing 4663 Appear together in 3 Kusto detection rules | Microsoft-Windows-Sysmon 11 Appear together in 3 Kusto 
detection rules","56":"Microsoft-Windows-Sysmon 23 Both appear in 12 Sigma detection rules | Microsoft-Windows-Security-Auditing 4663 Appear together in 3 Kusto detection rules | Microsoft-Windows-Sysmon 11 Appear together in 3 Kusto detection rules","58":"Microsoft-Windows-Security-Auditing 4624 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 4649 Both appear in 2 Elastic detection rules (inferred)","59":"Microsoft-Windows-Security-Auditing 4656 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4663 Both appear in 2 Sigma detection rules | Microsoft-Windows-Security-Auditing 5136 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 5169 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 5170 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 13 Registry value set from Sysmon vs registry modification auditing | Defender-DeviceRegistryEvents 9005000 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005002 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005003 Appear together in 3 Kusto detection rules | Defender-DeviceRegistryEvents 9005004 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4660 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 12 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 14 Appear together in 1 Kusto detection rule","60":"Microsoft-Windows-Security-Auditing 4662 Both appear in 4 Elastic detection rules (inferred)","61":"Microsoft-Windows-Security-Auditing 4723 Password change attempt by user (4723) vs reset by admin (4724) | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Elastic detection rule (temporal sequence) | Microsoft-Windows-Security-Auditing 4720 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4722 
Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4725 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4726 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4728 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4732 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4733 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4738 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4743 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4780 Appear together in 1 Splunk detection rule","62":"Microsoft-Windows-Security-Auditing 4728 Member added to / removed from global security group | Microsoft-Windows-Security-Auditing 633 Appear together in 1 Sigma detection rule","63":"Microsoft-Windows-Security-Auditing 4738 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4766 Both appear in 1 Sigma detection rule","65":"Microsoft-Windows-Sysmon 3 Both log allowed network connections; Sysmon 3 captures process-initiated TCP/UDP, 5156 captures Windows Filtering Platform allow decisions | Defender-DeviceNetworkEvents 9004001 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 412 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 501 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 5152 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5154 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5155 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5157 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5158 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5159 Appear together in 7 
Kusto detection rules","68":"Microsoft-Windows-Sysmon 4 Both appear in 1 Sigma detection rule","69":"Microsoft-Windows-Security-Auditing 4624 Group membership information logged alongside the logon event","70":"Microsoft-Windows-Security-Auditing 4727 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4731 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4734 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4735 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4764 Appear together in 1 Splunk detection rule","73":"Microsoft-Windows-Security-Auditing 5154 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5155 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5156 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5157 Appear together in 1 Elastic + 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5158 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5159 Appear together in 7 Kusto detection rules | Microsoft-Windows-Sysmon 3 Appear together in 7 Kusto detection rules","75":"Microsoft-Windows-AppXDeployment-Server 400 Both appear in 1 Sigma detection rule","76":"Microsoft-Windows-Security-Auditing 4624 Logon session creation followed by logoff | Microsoft-Windows-Security-Auditing 4647 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4625 Appear together in 5 Kusto detection rules | Microsoft-Windows-Security-Auditing 4648 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4675 Appear together in 1 Kusto detection rule","77":"Microsoft-Windows-Security-Auditing 4634 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4625 Appear together in 1 
Kusto detection rule | Microsoft-Windows-Security-Auditing 4648 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4675 Appear together in 1 Kusto detection rule","78":"Microsoft-Windows-Security-Auditing 4656 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4663 Object access (4663) followed by handle close (4658)","79":"Microsoft-Windows-Security-Auditing 4697 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4699 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4700 Scheduled task enabled / disabled | Microsoft-Windows-Sysmon 1 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4698 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4702 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 5145 Appear together in 1 Kusto detection rule","80":"Microsoft-Windows-Security-Auditing 4899 Both appear in 2 Sigma detection rules","81":"Microsoft-Windows-Security-Auditing 4905 Both appear in 1 Sigma detection rule","82":"Microsoft-Windows-Security-Auditing 4904 Both appear in 1 Sigma detection rule","84":"Microsoft-Windows-Security-Auditing 5447 Both appear in 1 Sigma detection rule","85":"Microsoft-Windows-Security-Auditing 5441 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 5449 Both appear in 1 Sigma detection rule","86":"Microsoft-Windows-Security-Auditing 5447 Both appear in 1 Sigma detection rule","87":"Microsoft-Windows-Sysmon 16 Both appear in 1 Sigma detection rule","88":"Microsoft-Windows-Sysmon 20 Both appear in 3 Sigma detection rules | Microsoft-Windows-Sysmon 21 Both appear in 3 Sigma detection rules | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 1 Appear together in 1 
Kusto detection rule","89":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2071 Both appear in 3 Sigma detection rules | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2097 Both appear in 3 Sigma detection rules","90":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2052 Both appear in 1 Sigma detection rule","91":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2006 Both appear in 1 Sigma detection rule","92":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2004 Both appear in 3 Sigma detection rules | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2097 Both appear in 3 Sigma detection rules","96":"Microsoft-Windows-PowerShell 4104 Script block logging (4104) with module logging detail (4103)","98":"Microsoft-Windows-Security-Auditing 4697 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4698 Both appear in 2 Splunk detection rules | Microsoft-Windows-Security-Auditing 4701 Scheduled task enabled / disabled | Microsoft-Windows-Security-Auditing 4702 Both appear in 2 Splunk detection rules | Microsoft-Windows-Sysmon 1 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4699 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 5145 Appear together in 1 Kusto detection rule","100":"Microsoft-Windows-Security-Auditing 4720 User account created, then enabled | Microsoft-Windows-Security-Auditing 4723 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4724 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4725 Appear together in 1 Kusto + 1 Splunk detection rules | Microsoft-Windows-Security-Auditing 4726 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4728 Appear together in 1 Splunk detection rule | 
Microsoft-Windows-Security-Auditing 4732 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4733 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4738 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4743 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4780 Appear together in 1 Splunk detection rule","101":"Microsoft-Windows-Security-Auditing 4724 Password change attempt by user (4723) vs reset by admin (4724) | Microsoft-Windows-Security-Auditing 4720 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4722 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4725 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4726 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4728 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4732 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4733 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4738 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4743 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4780 Appear together in 1 Splunk detection rule","102":"Microsoft-Windows-Security-Auditing 4720 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4722 Appear together in 1 Kusto + 1 Splunk detection rules | Microsoft-Windows-Security-Auditing 4723 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4724 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4726 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4728 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4732 Appear together in 1 
Splunk detection rule | Microsoft-Windows-Security-Auditing 4733 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4738 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4743 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4780 Appear together in 1 Splunk detection rule","103":"Microsoft-Windows-Security-Auditing 4720 User account created / deleted | Microsoft-Windows-Security-Auditing 4722 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4723 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4724 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4725 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4728 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4732 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4733 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4738 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4743 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4780 Appear together in 1 Splunk detection rule","104":"Microsoft-Windows-Security-Auditing 4730 Both appear in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4731 Security-group creation (global vs local) — privileged-group-modification rules watch both as parallel events covering different group scopes | Microsoft-Windows-Security-Auditing 4737 Both appear in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4670 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4734 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4735 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4744 Appear together in 1 Splunk detection 
rule | Microsoft-Windows-Security-Auditing 4749 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4754 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4756 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4759 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4764 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4783 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4790 Appear together in 1 Splunk detection rule","105":"Microsoft-Windows-Security-Auditing 4727 Security-group creation (global vs local) — privileged-group-modification rules watch both as parallel events covering different group scopes | Microsoft-Windows-Security-Auditing 4670 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4734 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4735 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4744 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4749 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4754 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4756 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4759 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4764 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4783 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4790 Appear together in 1 Splunk detection rule","106":"Microsoft-Windows-Security-Auditing 4732 Member added to / removed from local security group | Microsoft-Windows-Security-Auditing 4720 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4722 Appear together in 1 
Splunk detection rule | Microsoft-Windows-Security-Auditing 4723 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4724 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4725 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4726 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4728 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4738 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4743 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4780 Appear together in 1 Splunk detection rule","107":"Microsoft-Windows-Security-Auditing 4670 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4727 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4731 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4735 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4764 Appear together in 1 Splunk detection rule","108":"Microsoft-Windows-Security-Auditing 4670 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4727 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4731 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4734 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4764 Appear together in 1 Splunk detection rule","109":"Microsoft-Windows-Security-Auditing 4727 Both appear in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4730 Both appear in 1 Splunk detection rule","110":"Microsoft-Windows-Security-Auditing 4727 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4731 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4744 Appear together in 1 
Splunk detection rule | Microsoft-Windows-Security-Auditing 4754 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4756 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4759 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4783 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4790 Appear together in 1 Splunk detection rule","111":"Microsoft-Windows-Security-Auditing 4727 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4731 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4744 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4749 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4756 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4759 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4783 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4790 Appear together in 1 Splunk detection rule","112":"Microsoft-Windows-Security-Auditing 4670 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4727 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4731 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4734 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4735 Appear together in 1 Splunk detection rule","113":"Microsoft-Windows-Security-Auditing 4720 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4722 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4723 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4724 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4725 Appear together in 1 
Splunk detection rule | Microsoft-Windows-Security-Auditing 4726 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4728 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4732 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4733 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4738 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4743 Appear together in 1 Splunk detection rule","114":"Microsoft-Windows-Security-Auditing 4799 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 5050 Both appear in 1 Elastic detection rule (inferred)","117":"Microsoft-Windows-Security-Auditing 4887 Both appear in 1 Splunk detection rule","118":"Microsoft-Windows-Security-Auditing 4768 Events occur in sequence in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4886 Both appear in 1 Splunk detection rule","119":"Microsoft-Windows-Security-Auditing 5137 Events occur in sequence in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 5137 Inferred from 4 detection rules","120":"Microsoft-Windows-Security-Auditing 5380 Both appear in 1 Elastic detection rule (inferred)","122":"Microsoft-Windows-Security-Auditing 4689 Process termination from Sysmon vs Security Auditing | Microsoft-Windows-Sysmon 1 Process creation followed by process termination | Microsoft-Windows-Sysmon 3 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 7 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 8 Both appear in 5 Elastic detection rules (inferred) | Microsoft-Windows-Sysmon 10 Both appear in 6 Elastic detection rules (inferred)","124":"Defender-DeviceRegistryEvents 9005000 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005002 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005003 
Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005004 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4657 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4663 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 12 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 13 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 14 Appear together in 1 Kusto detection rule","125":"Microsoft-Windows-Security-Auditing 4767 Account unlocked / account locked out","128":"Microsoft-Windows-Security-Auditing 4624 Special group assigned to new logon","129":"Microsoft-Windows-Security-Auditing 5152 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5155 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5156 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5157 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5158 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5159 Appear together in 7 Kusto detection rules | Microsoft-Windows-Sysmon 3 Appear together in 7 Kusto detection rules","130":"Microsoft-Windows-Security-Auditing 5152 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5154 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5155 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5156 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5157 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5159 Appear together in 7 Kusto detection rules | Microsoft-Windows-Sysmon 3 Appear together in 7 Kusto detection rules","131":"Microsoft-Windows-Sysmon 3 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Sysmon 12 Both appear 
in 32 Sigma detection rules | Microsoft-Windows-Sysmon 13 Both appear in 32 Sigma detection rules | Defender-DeviceRegistryEvents 9005000 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005002 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005003 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005004 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4657 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4660 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4663 Appear together in 1 Kusto detection rule","132":"Microsoft-Windows-Windows-Defender 1121 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1122 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1125 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1126 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1129 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1131 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1132 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1133 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1134 Appear together in 1 Splunk detection rule","135":"Microsoft-Windows-Security-Auditing 4611 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 4624 Both appear in 2 Elastic detection rules (inferred)","139":"Microsoft-Windows-Security-Auditing 4738 Both appear in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4765 Both appear in 1 Sigma detection rule","143":"Microsoft-Windows-Security-Auditing 6281 Both appear in 1 Sigma detection rule","148":"Microsoft-Windows-Security-Auditing 4624 RDP local session event correlates with 
Security logon (type 10) | Microsoft-Windows-TerminalServices-LocalSessionManager 23 RDP session logon (21) followed by logoff (23) | Microsoft-Windows-TerminalServices-LocalSessionManager 24 RDP session logon (21) followed by disconnect (24) | Microsoft-Windows-TerminalServices-LocalSessionManager 25 RDP session reconnect (25) follows prior session","149":"Microsoft-Windows-WMI-Activity 5860 WMI subscription creation followed by consumer binding | Microsoft-Windows-WMI-Activity 5861 Permanent WMI event details supplement subscription events","150":"Microsoft-Windows-WMI-Activity 5859 Permanent WMI event details supplement subscription events","151":"Service Control Manager 7040 Service state change (7036) with start type change detail (7040) | Service-Control-Manager 7045 Both appear in 2 Sigma detection rules","152":"Microsoft-Windows-Security-Auditing 4688 Process creation followed by process termination | Microsoft-Windows-Sysmon 5 Process termination from Sysmon vs Security Auditing | Microsoft-Windows-Sysmon 1 Appear together in 9 Kusto detection rules","153":"Microsoft-Windows-Security-Auditing 4740 Account unlocked / account locked out","154":"Microsoft-Windows-Security-Auditing 4768 | Microsoft-Windows-Security-Auditing 4769 Kerberos TGS request followed by TGT renewal","155":"Microsoft-Windows-Security-Auditing 4798 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 5050 Both appear in 1 Elastic detection rule (inferred)","156":"Microsoft-Windows-Security-Auditing 4624 Per-user audit policy table created - fine-grained audit control","215":"Microsoft-Windows-CodeIntegrity 3034 Both appear in 1 Sigma detection rule","227":"Microsoft-Windows-DNS-Server-Service 150 Both appear in 1 Sigma detection rule | Microsoft-Windows-DNS-Server-Service 771 Both appear in 1 Sigma detection rule","228":"Microsoft-Windows-DNS-Server-Service 150 Both appear in 1 Sigma detection rule | Microsoft-Windows-DNS-Server-Service 770 Both appear 
in 1 Sigma detection rule","371":"Microsoft-Windows-Security-Auditing 4898 Both appear in 2 Sigma detection rules","403":"Microsoft-Windows-Security-Mitigations 11 Both appear in 2 Sigma detection rules","411":"Microsoft-Windows-Windows-Defender 1006 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Defender 1015 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Defender 1117 Both appear in 1 Sigma detection rule","412":"Microsoft-Windows-Windows-Defender 1006 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Defender 1015 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Defender 1116 Both appear in 1 Sigma detection rule","413":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2003 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2008 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2082 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2083 Both appear in 1 Sigma detection rule","414":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2002 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2008 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2082 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2083 Both appear in 1 Sigma detection rule","416":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2002 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2003 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2082 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2083 Both appear in 1 Sigma detection 
rule","417":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2033 Both appear in 1 Sigma detection rule","419":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2002 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2003 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2008 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2083 Both appear in 1 Sigma detection rule","420":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2002 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2003 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2008 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2082 Both appear in 1 Sigma detection rule","421":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2004 Both appear in 3 Sigma detection rules | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2071 Both appear in 3 Sigma detection rules","422":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2006 Both appear in 1 Sigma detection rule","423":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2004 Both appear in 3 Sigma detection rules | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2097 Both appear in 3 Sigma detection rules","424":"Microsoft-Windows-WindowsUpdateClient 16 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 24 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 213 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 217 Both appear in 1 Sigma detection rule","425":"MsiInstaller 11724 Both appear in 1 Sigma detection rule","427":"ESENT 325 Both appear in 1 Sigma detection rule | ESENT 326 Both appear in 1 Sigma detection rule | ESENT 
327 Both appear in 1 Sigma detection rule","428":"ESENT 216 Both appear in 1 Sigma detection rule | ESENT 326 Both appear in 1 Sigma detection rule | ESENT 327 Both appear in 1 Sigma detection rule","429":"ESENT 216 Both appear in 1 Sigma detection rule | ESENT 325 Both appear in 1 Sigma detection rule | ESENT 327 Both appear in 1 Sigma detection rule","430":"ESENT 216 Both appear in 1 Sigma detection rule | ESENT 325 Both appear in 1 Sigma detection rule | ESENT 326 Both appear in 1 Sigma detection rule","431":"LsaSrv 6039 Both appear in 1 Sigma detection rule","439":"Microsoft-Windows-DNS-Server-Service 770 Both appear in 1 Sigma detection rule | Microsoft-Windows-DNS-Server-Service 771 Both appear in 1 Sigma detection rule","450":"Microsoft-Windows-PrintService 4909 Appear together in 1 Splunk detection rule","452":"Microsoft-Windows-Security-Auditing 4727 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4731 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4749 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4754 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4756 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4759 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4783 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4790 Appear together in 1 Splunk detection rule","453":"Microsoft-Windows-Security-Auditing 4727 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4731 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4744 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4749 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4754 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4756 
Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4783 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4790 Appear together in 1 Splunk detection rule","454":"Microsoft-Windows-Security-Auditing 4727 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4731 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4744 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4749 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4754 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4756 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4759 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4790 Appear together in 1 Splunk detection rule","455":"Microsoft-Windows-Security-Auditing 4727 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4731 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4744 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4749 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4754 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4756 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4759 Appear together in 1 Splunk detection rule | Microsoft-Windows-Security-Auditing 4783 Appear together in 1 Splunk detection rule","456":"Microsoft-Windows-Security-Auditing 5038 Both appear in 1 Sigma detection rule","464":"Microsoft-Windows-TaskScheduler 201 Both appear in 1 Splunk detection rule","465":"Microsoft-Windows-TaskScheduler 200 Both appear in 1 Splunk detection rule","470":"MsiInstaller 1042 Both appear in 2 Sigma detection rules","471":"MsiInstaller 1040 Both appear in 2 Sigma detection 
rules","472":"MsiInstaller 1034 Both appear in 1 Sigma detection rule","481":"Microsoft-Windows-Windows-Defender 1122 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1125 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1126 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1129 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1131 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1132 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1133 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1134 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 5007 Appear together in 1 Splunk detection rule","487":"Service Control Manager 7036 Service state change (7036) with start type change detail (7040)","494":"Microsoft-Windows-DriverFrameworks-UserMode 2100 Both appear in 1 Sigma detection rule | Microsoft-Windows-DriverFrameworks-UserMode 2102 Both appear in 1 Sigma detection rule","495":"Microsoft-Windows-DriverFrameworks-UserMode 2003 Both appear in 1 Sigma detection rule | Microsoft-Windows-DriverFrameworks-UserMode 2102 Both appear in 1 Sigma detection rule","496":"Microsoft-Windows-DriverFrameworks-UserMode 2003 Both appear in 1 Sigma detection rule | Microsoft-Windows-DriverFrameworks-UserMode 2100 Both appear in 1 Sigma detection rule","517":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2060 Both appear in 1 Sigma detection rule","529":"Microsoft-Windows-PowerShell 40962 PowerShell console startup followed by ready state","530":"Microsoft-Windows-PowerShell 40961 PowerShell console startup followed by ready state","531":"Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4625 Appear together in 1 Kusto detection rule | 
Microsoft-Windows-Security-Auditing 4634 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4647 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4648 Appear together in 1 Kusto detection rule","532":"Microsoft-Windows-Security-Auditing 4756 Member added to / removed from universal security group","533":"Microsoft-Windows-Security-Auditing 4769 Kerberos TGS request success / failure","534":"Microsoft-Windows-Security-Auditing 5152 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5154 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5156 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5157 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5158 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5159 Appear together in 7 Kusto detection rules | Microsoft-Windows-Sysmon 3 Appear together in 7 Kusto detection rules","535":"Microsoft-Windows-Security-Auditing 5152 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5154 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5155 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5156 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5157 Appear together in 7 Kusto detection rules | Microsoft-Windows-Security-Auditing 5158 Appear together in 7 Kusto detection rules | Microsoft-Windows-Sysmon 3 Appear together in 7 Kusto detection rules","536":"Microsoft-Windows-TerminalServices-LocalSessionManager 21 RDP session logon (21) followed by logoff (23)","537":"Microsoft-Windows-TerminalServices-LocalSessionManager 21 RDP session logon (21) followed by disconnect (24)","538":"Microsoft-Windows-TerminalServices-LocalSessionManager 21 RDP session reconnect (25) follows prior 
session","539":"Microsoft-Windows-WMI-Activity 5858 WMI provider load followed by query execution","540":"Microsoft-Windows-WMI-Activity 5857 WMI provider load followed by query execution","541":"Microsoft-Windows-WMI-Activity 5859 WMI subscription creation followed by consumer binding","557":"Microsoft-Windows-AppLocker 8007 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppLocker 8022 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppLocker 8025 Both appear in 1 Sigma detection rule","558":"Microsoft-Windows-AppLocker 8004 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppLocker 8022 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppLocker 8025 Both appear in 1 Sigma detection rule","670":"Microsoft-Windows-CodeIntegrity 3035 Both appear in 1 Sigma detection rule","671":"Microsoft-Windows-CodeIntegrity 3083 Both appear in 1 Sigma detection rule","717":"Microsoft-Windows-DHCP-Server 1032 Both appear in 1 Sigma detection rule | Microsoft-Windows-DHCP-Server 1034 Both appear in 1 Sigma detection rule","718":"Microsoft-Windows-DHCP-Server 1031 Both appear in 1 Sigma detection rule | Microsoft-Windows-DHCP-Server 1034 Both appear in 1 Sigma detection rule","719":"Microsoft-Windows-DHCP-Server 1031 Both appear in 1 Sigma detection rule | Microsoft-Windows-DHCP-Server 1032 Both appear in 1 Sigma detection rule","1099":"Microsoft-Windows-Security-Auditing 4798 Both appear in 1 Elastic detection rule (inferred) | Microsoft-Windows-Security-Auditing 4799 Both appear in 1 Elastic detection rule (inferred)","1534":"Microsoft-Windows-Windows-Defender 1015 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Defender 1116 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Defender 1117 Both appear in 1 Sigma detection rule","1535":"Microsoft-Windows-Windows-Defender 1006 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Defender 1116 Both appear in 1 Sigma detection rule | 
Microsoft-Windows-Windows-Defender 1117 Both appear in 1 Sigma detection rule","1544":"Microsoft-Windows-Windows-Defender 3007 Both appear in 1 Sigma detection rule","1545":"Microsoft-Windows-Windows-Defender 3002 Both appear in 1 Sigma detection rule","1736":"Microsoft-Windows-CodeIntegrity 3033 Both appear in 1 Sigma detection rule","1867":"Microsoft-Windows-Windows-Defender 1121 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1125 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1126 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1129 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1131 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1132 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1133 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1134 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 5007 Appear together in 1 Splunk detection rule","1868":"Microsoft-Windows-Windows-Defender 1121 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1122 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1126 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1129 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1131 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1132 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1133 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1134 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 5007 Appear together in 1 Splunk detection rule","1869":"Microsoft-Windows-Windows-Defender 1121 Appear together in 2 Splunk detection rules | 
Microsoft-Windows-Windows-Defender 1122 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1125 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1129 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1131 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1132 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1133 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1134 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 5007 Appear together in 1 Splunk detection rule","1870":"Microsoft-Windows-Windows-Defender 1121 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1122 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1125 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1126 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1131 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1132 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1133 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1134 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 5007 Appear together in 1 Splunk detection rule","1871":"Microsoft-Windows-Windows-Defender 1121 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1122 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1125 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1126 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1129 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1132 Appear together in 1 Splunk detection rule | 
Microsoft-Windows-Windows-Defender 1133 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1134 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 5007 Appear together in 1 Splunk detection rule","1872":"Microsoft-Windows-Windows-Defender 1121 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1122 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1125 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1126 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1129 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1131 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1133 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1134 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 5007 Appear together in 1 Splunk detection rule","1873":"Microsoft-Windows-Windows-Defender 1121 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1122 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1125 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1126 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1129 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1131 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1132 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1134 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 5007 Appear together in 1 Splunk detection rule","1874":"Microsoft-Windows-Windows-Defender 1121 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1122 Appear together in 2 Splunk detection rules | 
Microsoft-Windows-Windows-Defender 1125 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1126 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1129 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1131 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 1132 Appear together in 2 Splunk detection rules | Microsoft-Windows-Windows-Defender 1133 Appear together in 1 Splunk detection rule | Microsoft-Windows-Windows-Defender 5007 Appear together in 1 Splunk detection rule","2027":"Intel-iaLPSS2-I2C 1026 Shared schema (4 fields) | Intel-iaLPSS2-I2C 1027 Shared schema (4 fields)","2028":"Intel-iaLPSS2-I2C 1026 Shared schema (4 fields) | Intel-iaLPSS2-I2C 1027 Shared schema (4 fields)","2029":"Intel-iaLPSS2-I2C 1043 Shared schema (4 fields)","2030":"Intel-iaLPSS2-I2C 1045 Shared schema (4 fields)","2031":"Intel-iaLPSS2-GPIO2 1026 Shared schema (4 fields) | Intel-iaLPSS2-GPIO2 1027 Shared schema (4 fields)","2032":"Intel-iaLPSS2-GPIO2 1026 Shared schema (4 fields) | Intel-iaLPSS2-GPIO2 1027 Shared schema (4 fields)","2033":"Intel-iaLPSS2-GPIO2 1111 Shared schema (4 fields)","2034":"Intel-iaLPSS2-GPIO2 1112 Shared schema (4 fields) | Intel-iaLPSS2-GPIO2 1113 Shared schema (4 fields)","2035":"Microsoft-Windows-AuthenticationProvider 304 Shared schema (4 fields)","2036":"Microsoft-Windows-Crypto-CNG 1 Shared schema (5 fields)","2037":"Microsoft-Windows-Crypto-BCrypt 1 Shared schema (5 fields)","2038":"Microsoft-Windows-Sysmon 22 DNS query logging from Sysmon vs DNS Client ETW","2039":"Microsoft-Windows-COMRuntime 18208 Shared schema (11 fields)","2040":"Microsoft-Windows-Security-Auditing 4657 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 5136 Both appear in 7 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 5170 Both appear in 7 Elastic detection rules 
(inferred)","2041":"Microsoft-Windows-Security-Auditing 4657 Both appear in 2 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 5136 Both appear in 7 Elastic detection rules (inferred) | Microsoft-Windows-Security-Auditing 5169 Both appear in 7 Elastic detection rules (inferred)","2042":"Microsoft-Windows-Security-Auditing 5382 Both appear in 1 Elastic detection rule (inferred)","2363":"Microsoft-Windows-AppLocker 8004 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppLocker 8007 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppLocker 8022 Both appear in 1 Sigma detection rule","2364":"Microsoft-Windows-AppLocker 8004 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppLocker 8007 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppLocker 8025 Both appear in 1 Sigma detection rule","2421":"Microsoft-Windows-AppXDeployment-Server 442 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppXDeployment-Server 453 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppXDeployment-Server 454 Both appear in 1 Sigma detection rule","2422":"Microsoft-Windows-AppXDeployment-Server 441 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppXDeployment-Server 453 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppXDeployment-Server 454 Both appear in 1 Sigma detection rule","2423":"Microsoft-Windows-AppXDeployment-Server 441 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppXDeployment-Server 442 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppXDeployment-Server 454 Both appear in 1 Sigma detection rule","2424":"Microsoft-Windows-AppXDeployment-Server 441 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppXDeployment-Server 442 Both appear in 1 Sigma detection rule | Microsoft-Windows-AppXDeployment-Server 453 Both appear in 1 Sigma detection rule","2528":"Microsoft-Windows-CodeIntegrity 3022 Both appear in 1 Sigma detection 
rule","2529":"Microsoft-Windows-CodeIntegrity 3021 Both appear in 1 Sigma detection rule","2530":"Microsoft-Windows-CodeIntegrity 3032 Both appear in 1 Sigma detection rule","2531":"Microsoft-Windows-CodeIntegrity 3082 Both appear in 1 Sigma detection rule","2801":"Microsoft-Windows-Eventlog 1102 Appear together in 1 Sigma detection rule","3318":"Microsoft-Windows-Security-Auditing 4768 Appear together in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4769 Appear together in 1 Sigma detection rule | Microsoft-Windows-Security-Auditing 4771 Appear together in 1 Sigma detection rule","3337":"Microsoft-Windows-Security-Mitigations 12 Both appear in 2 Sigma detection rules","3386":"Microsoft-Windows-SoftwareRestrictionPolicies 866 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 867 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 868 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 882 Both appear in 1 Sigma detection rule","3387":"Microsoft-Windows-SoftwareRestrictionPolicies 865 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 867 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 868 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 882 Both appear in 1 Sigma detection rule","3388":"Microsoft-Windows-SoftwareRestrictionPolicies 865 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 866 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 868 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 882 Both appear in 1 Sigma detection rule","3389":"Microsoft-Windows-SoftwareRestrictionPolicies 865 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 866 Both appear in 1 Sigma detection rule | 
Microsoft-Windows-SoftwareRestrictionPolicies 867 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 882 Both appear in 1 Sigma detection rule","3390":"Microsoft-Windows-SoftwareRestrictionPolicies 865 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 866 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 867 Both appear in 1 Sigma detection rule | Microsoft-Windows-SoftwareRestrictionPolicies 868 Both appear in 1 Sigma detection rule","3599":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2059 Both appear in 1 Sigma detection rule","3600":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2032 Both appear in 1 Sigma detection rule","3605":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2033 Both appear in 1 Sigma detection rule","3606":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2032 Both appear in 1 Sigma detection rule","3607":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2002 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2003 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2008 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2083 Both appear in 1 Sigma detection rule","3608":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2002 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2003 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2008 Both appear in 1 Sigma detection rule | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2082 Both appear in 1 Sigma detection rule","3609":"Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2004 Both appear in 3 Sigma detection rules | Microsoft-Windows-Windows-Firewall-With-Advanced-Security 2071 
Both appear in 3 Sigma detection rules","3611":"Microsoft-Windows-WindowsUpdateClient 16 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 20 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 213 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 217 Both appear in 1 Sigma detection rule","3612":"Microsoft-Windows-WindowsUpdateClient 16 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 20 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 24 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 217 Both appear in 1 Sigma detection rule","3613":"Microsoft-Windows-WindowsUpdateClient 16 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 20 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 24 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 213 Both appear in 1 Sigma detection rule","3840":"Microsoft-Windows-PowerShell 4104 Appear together in 1 Kusto detection rule","3841":"Microsoft-Windows-Sysmon 8 Appear together in 1 Kusto detection rule","3842":"Microsoft-Windows-Sysmon 17 Appear together in 2 Kusto detection rules | Microsoft-Windows-Sysmon 18 Appear together in 2 Kusto detection rules","3843":"Microsoft-Windows-Security-Auditing 4732 Appear together in 1 Kusto detection rule","3844":"Microsoft-Windows-Security-Auditing 4663 Appear together in 3 Kusto detection rules | Microsoft-Windows-Sysmon 11 Appear together in 3 Kusto detection rules","3845":"Microsoft-Windows-Security-Auditing 4663 Appear together in 2 Kusto detection rules | Microsoft-Windows-Sysmon 11 Appear together in 2 Kusto detection rules","3846":"Microsoft-Windows-Sysmon 7 Appear together in 2 Kusto detection rules","3847":"Defender-DeviceLogonEvents 9003002 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4624 Appear together 
in 2 Kusto detection rules | Microsoft-Windows-Security-Auditing 4625 Appear together in 1 Kusto detection rule","3848":"Defender-DeviceLogonEvents 9003001 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4624 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4625 Appear together in 1 Kusto detection rule","3849":"Microsoft-Windows-Security-Auditing 5156 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 3 Appear together in 1 Kusto detection rule","3850":"Microsoft-Windows-Sysmon 1 Appear together in 32 Kusto detection rules","3851":"Defender-DeviceRegistryEvents 9005002 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005003 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005004 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4657 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4660 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4663 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 12 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 13 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 14 Appear together in 1 Kusto detection rule","3852":"Defender-DeviceRegistryEvents 9005000 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005003 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005004 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4657 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4660 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4663 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 12 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 13 Appear together in 1 Kusto detection rule | 
Microsoft-Windows-Sysmon 14 Appear together in 1 Kusto detection rule","3853":"Defender-DeviceRegistryEvents 9005000 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005002 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005004 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4657 Appear together in 3 Kusto detection rules | Microsoft-Windows-Security-Auditing 4660 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4663 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 12 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 13 Appear together in 3 Kusto detection rules | Microsoft-Windows-Sysmon 14 Appear together in 1 Kusto detection rule","3854":"Defender-DeviceRegistryEvents 9005000 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005002 Appear together in 1 Kusto detection rule | Defender-DeviceRegistryEvents 9005003 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4657 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4660 Appear together in 1 Kusto detection rule | Microsoft-Windows-Security-Auditing 4663 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 12 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 13 Appear together in 1 Kusto detection rule | Microsoft-Windows-Sysmon 14 Appear together in 1 Kusto detection rule","3884":"LsaSrv 6038 Both appear in 1 Sigma detection rule","6513":"Microsoft-Windows-COMRuntime 18219 Shared schema (8 fields)","6516":"Microsoft-Windows-Security-Kerberos 16 Both appear in 1 Sigma detection rule","6517":"Microsoft-Windows-Security-Kerberos 27 Both appear in 1 Sigma detection rule","6741":"Microsoft-Windows-WindowsUpdateClient 20 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 24 Both appear in 1 Sigma detection rule | 
Microsoft-Windows-WindowsUpdateClient 213 Both appear in 1 Sigma detection rule | Microsoft-Windows-WindowsUpdateClient 217 Both appear in 1 Sigma detection rule","7936":"Microsoft-Windows-PrintService 808 Appear together in 1 Splunk detection rule","8290":"Intel-iaLPSS-I2C 1003 Shared schema (3 fields)","8291":"Intel-iaLPSS-GPIO 1003 Shared schema (3 fields)","8292":"Intel-iaLPSS2-I2C 1045 Shared schema (4 fields)"},"rf":{"0":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4624-successful-logon.md"}],"1":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4625-failed-logon.md"}],"2":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-access"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4662"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"3":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4698"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"4":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4702"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"5":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4719"},{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"6":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4728"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"7":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4738"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"8":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4781"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4781"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"9":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5136"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"10":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5137"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"11":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-7-image-loaded"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-7.yml"},{"d":"NSA/CISA - Best Practices for Event Logging","u":"https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection"}],"12":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-8-createremotethread"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-8.yml"}],"13":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102"},{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"NSA/CISA - Best Practices for Event Logging","u":"https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection"}],"14":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/evtx-4104-script-block-logging.md"}],"15":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/evtx-4688-process-created.md"}],"16":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4699"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"17":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"18":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4742"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"19":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-file-share"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"20":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation"},{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-1.yml"}],"21":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-10-processaccess"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-10.yml"},{"d":"NSA/CISA - Best Practices for Event Logging","u":"https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection"}],"22":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-17-pipeevent-pipe-created"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-17.yml"}],"23":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4648"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4648-explicit-credentials.md"}],"24":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4656"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"25":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4663"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"26":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4741"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"27":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768"},{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"28":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"29":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"30":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"31":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5140"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"32":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-21.yml"}],"33":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/persistence/evtx-7045-service-install.md"}],"34":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-special-logon"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4672"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"35":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4674"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sensitive-privilege-use"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4674"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"36":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4704"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4704"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"37":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4756"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4756"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"38":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-9-rawaccessread"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-9.yml"}],"39":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-15-filecreatestreamhash"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-15.yml"}],"40":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"41":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"42":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4697"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"43":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-token-right-adjusted"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4703"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"44":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4720-account-created.md"}],"45":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4730"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4730"}],"46":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4743"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"47":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection"}],"48":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-3-network-connection"},{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-3.yml"},{"d":"NSA/CISA - Best Practices for Event Logging","u":"https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection"}],"49":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-11-filecreate"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-11.yml"}],"50":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-12.yml"}],"51":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-13-registryevent-value-set"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-13.yml"}],"52":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-18-pipeevent-pipe-connected"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-18.yml"}],"53":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-20.yml"}],"54":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-22-dnsevent-dns-query"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-22.yml"},{"d":"NSA/CISA - Best Practices for Event Logging","u":"https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection"}],"55":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-23-filedelete-file-delete-archived"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-23.yml"}],"56":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-26-filedeletedetected-file-delete-logged"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-26.yml"}],"57":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"58":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4611"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"59":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4657"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"60":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sam"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4661"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"61":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724"},{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"62":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4729"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4729"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"63":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4765"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"64":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4794"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4794"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"65":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5156"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-5156-wfp-permitted.md"}],"66":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-2-a-process-changed-a-file-creation-time"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-2.yml"}],"67":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-6-driver-loaded"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-6.yml"}],"68":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-16-serviceconfigurationchange"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-16.yml"}],"69":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-group-membership"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4627"},{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"70":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4670"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4670"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"71":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sensitive-privilege-use"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4673"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"72":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4692"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4692"}],"73":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5152"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop"}],"74":[{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5379"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"75":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"76":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4634"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"77":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4647"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"78":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4658"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4658"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"79":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4701"}],"80":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4898"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4898"}],"81":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4904"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4904"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"82":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4905"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4905"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"83":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4946"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"}],"84":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5441"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5441"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"85":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5447"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5447"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"86":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5449"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5449"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"87":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-4-sysmon-service-state-changed"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-4.yml"}],"88":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-19.yml"}],"89":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd364408(v=ws.10)"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2004-firewall.md"}],"90":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2006-firewall.md"}],"91":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic 
Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2052-firewall-windows-11.md"}],"92":[{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2071-firewall-windows-11.md"}],"93":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"94":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"95":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"96":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"97":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4616"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"98":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4700"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4700"}],"99":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4706"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"100":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4722"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"101":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4723"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4723"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"102":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4725"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"103":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4726"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"104":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4727"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4727"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"105":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4731"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4731"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"106":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4733"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4733"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"107":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4734"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4734"}],"108":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4735"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4735"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"109":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4737"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4737"},{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"110":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4749"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4749"}],"111":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4754"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4754"}],"112":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4764"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4764"}],"113":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4780"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4780"}],"114":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4798"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"115":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4800"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4800"}],"116":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"117":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4886"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4886"}],"118":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4887"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4887"}],"119":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5141"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes"}],"120":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"121":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6416"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"122":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-5-process-terminated"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-5.yml"}],"123":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"124":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4660"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4660"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"125":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740"}],"126":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"}],"127":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"}],"128":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4964"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-special-logon"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"129":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5154"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection"}],"130":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"131":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-14-registryevent-key-and-value-rename"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-14.yml"}],"132":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"133":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"134":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"135":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4649"}],"136":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4694"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4694"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"137":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4695"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4695"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"138":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4739"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4739"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"139":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4766"}],"140":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4778"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4778"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-4778-session-reconnected.md"}],"141":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4907"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4907"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"142":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4950"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"143":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity"}],"144":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5142"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"145":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"146":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity"}],"147":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-29-fileexecutabledetected"}],"148":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"149":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"150":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/persistence/evtx-5861-event-consumer-created.md"}],"151":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc756308(v=ws.10)"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"152":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4689"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-termination"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4689"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"153":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767"}],"154":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4770"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4770"}],"155":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4799"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"156":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4902"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4902"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"157":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-25-processtampering-process-image-change"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"158":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"159":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"160":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"161":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"162":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"163":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"164":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"165":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"166":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"167":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"168":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"169":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"170":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"171":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"172":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"173":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"174":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"175":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"176":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"177":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"178":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"179":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"180":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"181":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"182":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"183":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"184":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"185":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"186":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"187":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"188":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"189":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"190":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"191":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"192":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"193":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"194":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"195":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"196":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"197":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"198":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"199":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"200":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"201":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"202":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"203":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"204":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"205":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"206":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"207":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"208":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"209":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"210":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"211":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"212":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"213":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"214":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"215":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"},{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"216":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"217":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"218":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"219":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"220":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"221":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"222":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"223":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"224":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"225":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"226":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"227":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"228":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"229":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-4000-computer-boot-gpo-processing-start.md"}],"230":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-4001-user-logon-gpo-processing-start.md"}],"231":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-4004-computer-manual-gpo-processing-start.md"}],"232":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-4005-user-manual-gpo-processing-start.md"}],"233":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"234":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"235":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"236":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"237":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-5312-list-of-gpo.md"}],"238":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"239":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"240":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"241":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-1502-computer-gpo-success.md"}],"242":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-1503-user-gpo-success.md"}],"243":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"244":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"245":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"246":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"247":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"248":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"249":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"250":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"251":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"252":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"253":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"254":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"255":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"256":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"257":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"258":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"259":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"260":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"261":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"262":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"263":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"264":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"265":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"266":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"267":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"268":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"269":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"270":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"271":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"272":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"273":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"274":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"275":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"276":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"277":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"278":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"279":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"280":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"281":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"282":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"283":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"284":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"285":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"286":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"287":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"288":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"289":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"290":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"291":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"292":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"293":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"294":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"295":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"296":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"297":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"298":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"299":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"300":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"301":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"302":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"303":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"304":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"305":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"306":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"307":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"308":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"309":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"310":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"311":[{"d":"Example event 
sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"312":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"313":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"314":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"315":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"316":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"317":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"318":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"319":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"320":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"321":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"322":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"323":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"324":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"325":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"326":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"327":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"328":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"329":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"330":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"331":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"332":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"333":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"334":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"335":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4610"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4610"},{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"336":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4614"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4614"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"337":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4622"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4622"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"338":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4653"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4653"}],"339":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4664"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4664"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"340":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4690"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-handle-manipulation"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4690"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"341":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4696"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4696"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"342":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4705"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4705"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"343":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4713"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4713"}],"344":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4717"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4717"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"345":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4718"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4718"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"346":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4750"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4750"}],"347":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4751"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4751"}],"348":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4752"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4752"}],"349":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4753"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4753"}],"350":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4755"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4755"}],"351":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4758"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4758"}],"352":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4779"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4779"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"353":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4797"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"354":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4801"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4801"}],"355":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4826"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4826"},{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"356":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4865"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4865"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"357":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4868"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4868"}],"358":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4869"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4869"}],"359":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4870"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4870"}],"360":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4871"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4871"}],"361":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4872"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4872"}],"362":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4873"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4873"}],"363":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4874"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4874"}],"364":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4880"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4880"}],"365":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4881"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4881"}],"366":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4888"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4888"}],"367":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4889"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4889"}],"368":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4892"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4892"}],"369":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4896"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4896"}],"370":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4897"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4897"}],"371":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4899"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4899"}],"372":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4911"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4911"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"373":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4929"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4929"},{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"374":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4944"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4944"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"375":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4945"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4945"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"376":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4953"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4953"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"377":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4956"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"}],"378":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4957"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4957"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"379":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4985"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"380":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5031"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection"}],"381":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5043"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"382":[{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"383":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5058"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5058"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"384":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5059"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5059"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"385":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5061"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5061"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"386":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5123"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"387":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5124"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"388":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5143"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"389":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share"}],"390":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"391":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5442"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5442"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"392":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5443"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5443"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"393":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5444"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5444"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"394":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5446"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5446"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"395":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5448"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"396":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5450"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5450"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"397":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5888"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"}],"398":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5889"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5889"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"399":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5890"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5890"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"400":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity"}],"401":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity"}],"402":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity"}],"403":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"404":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"405":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"406":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"407":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"408":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"409":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/evtx-9707-shell-core.md"}],"410":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"411":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"412":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"413":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"414":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"415":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2005-firewall.md"}],"416":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"417":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"418":[{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2073-firewall-windows-11.md"}],"419":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"420":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"421":[{"d":"Example event 
sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"422":[{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2052-firewall-windows-11.md"}],"423":[{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2071-firewall-windows-11.md"}],"424":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"425":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"426":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"427":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"428":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"429":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"430":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"431":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"432":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"433":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"434":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"435":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"436":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"438":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"439":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"440":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"441":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"442":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"443":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"444":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"445":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"446":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"447":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865682(v=ws.10)"}],"448":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"449":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"450":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/printing/event-ids-associated-point-print-restrictions"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"451":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"452":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4744"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4744"}],"453":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4759"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4759"}],"454":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4783"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4783"}],"455":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4790"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4790"}],"456":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity"}],"457":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity"}],"458":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"459":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-27-fileblockexecutable"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"460":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-28-fileblockshredding"}],"461":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-255-error"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"OSSEM-DD","u":"https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-255.yml"}],"462":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"463":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348535(v=ws.10)"},{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"464":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"465":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"466":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"467":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"468":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"469":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"470":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"471":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"472":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"473":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"474":[{"d":"Hunt & Hackett","u":"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Connectwise_Screenconnect"}],"475":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/deployment/upgrade/windows-error-reporting"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"476":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"477":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1100"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"NSA/CISA - Best Practices for Event Logging","u":"https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection"}],"478":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"479":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4876"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4876"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"480":[{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-1024-rdp-activex.md"}],"481":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"482":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"483":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"484":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"485":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"486":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd349369(v=ws.10)"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"487":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc756386(v=ws.10)"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"488":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"490":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"497":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"498":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865682(v=ws.10)"}],"500":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4693"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4693"}],"501":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4777"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4777"}],"502":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4782"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-management-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4782"}],"503":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4817"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4817"}],"504":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4822"}],"505":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4823"}],"506":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4885"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4885"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"507":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4890"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4890"}],"508":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4908"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4908"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"509":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4912"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4912"}],"510":[{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes"}],"511":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"}],"512":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6273"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server"}],"518":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"519":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"529":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"530":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"531":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4675"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4675"}],"532":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4757"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4757"}],"533":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4772"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4772"}],"534":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection"}],"535":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection"}],"536":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"537":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"538":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"539":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"540":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/wmi-activity-event-5858-logged-with-resultcode-0x80041032"},{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"541":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"545":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6144"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6144"}],"546":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"547":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"548":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"549":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"550":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"551":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"552":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/replication-event-id-2108-1084"}],"553":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"554":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"555":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"556":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker"}],"557":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker"}],"558":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker"}],"559":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"560":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"561":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"562":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"563":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"564":[{"d":"Example event 
sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"565":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"566":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"567":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"568":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"569":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"570":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"571":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"572":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"573":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"574":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"575":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"576":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"577":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"578":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"579":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"580":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"581":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"582":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"583":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"584":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"585":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"586":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"587":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"588":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"589":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"590":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"591":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"592":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"593":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"594":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"595":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"596":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"597":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"598":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"599":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"600":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"601":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"602":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"603":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"604":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"605":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"606":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"607":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"608":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"609":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"610":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"611":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"612":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"613":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"614":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"615":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"616":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"617":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"618":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"619":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"620":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"621":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"622":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"623":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"624":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"625":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"626":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"627":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"628":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"629":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"630":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"631":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"632":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"633":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"634":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"635":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"636":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"637":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"638":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"639":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"640":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"641":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"642":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"643":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"644":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"645":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"646":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"647":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"648":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"649":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"650":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"651":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"652":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"653":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"654":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"655":[{"d":"Example event 
sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"656":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"657":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"658":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/event-id-4107-or-event-id-11-is-logged"}],"660":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/archive/technet-wiki/14250.certificate-services-lifecycle-notifications"}],"661":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/archive/technet-wiki/14250.certificate-services-lifecycle-notifications"}],"662":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/archive/technet-wiki/14250.certificate-services-lifecycle-notifications"}],"663":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/archive/technet-wiki/14250.certificate-services-lifecycle-notifications"}],"664":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"665":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"666":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"667":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"668":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"669":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"670":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"671":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"672":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"673":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"674":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"675":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"676":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"677":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"678":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"679":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"680":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"681":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"682":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"683":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"684":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"685":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"686":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"687":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"688":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"689":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"690":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"691":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"692":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"693":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"694":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"695":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"696":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"697":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"698":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"699":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"700":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"701":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"702":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"703":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"704":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"705":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"706":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"707":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"708":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"709":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"710":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"711":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"712":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"713":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"714":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"715":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"716":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"717":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"718":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"719":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"720":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"721":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"722":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"723":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"724":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"725":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"726":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"727":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"728":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"729":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"730":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"731":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"732":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"733":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"734":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"735":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"736":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"737":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"738":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"739":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"740":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"741":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"742":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"743":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"744":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"745":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"746":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"747":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"748":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"749":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"750":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"751":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"752":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"753":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"754":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"755":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"756":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"757":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"758":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"759":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"760":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"761":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"762":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"763":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"764":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"765":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"766":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"767":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"768":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"769":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"770":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"771":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"772":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"773":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"774":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"775":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"776":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"777":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"778":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"779":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1101"}],"780":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"781":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1108"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1108"}],"782":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"783":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"784":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"785":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"786":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"787":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"788":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"789":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"790":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"791":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"792":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"793":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"794":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"795":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"796":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"797":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"798":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"799":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"800":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"801":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5126"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"802":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"803":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"804":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"805":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"806":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"807":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"808":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"809":[{"d":"Example 
event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"810":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"811":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"812":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"813":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"814":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"815":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"816":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"817":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"818":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"819":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"820":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"821":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"822":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"823":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"824":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"825":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"826":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"827":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"828":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"829":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"830":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"831":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"832":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"833":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"834":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"835":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"836":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"837":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"838":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"839":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"840":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"841":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"842":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"843":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"844":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"845":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"846":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"847":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"848":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"849":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"850":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"851":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"852":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"853":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"854":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"855":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"856":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"857":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/event-id-219-when-device-plugged-in-windows-system"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"858":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"859":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"860":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"861":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"862":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"863":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"864":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"865":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"866":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"867":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"868":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"869":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"871":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"872":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"873":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"874":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"875":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"876":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"877":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"878":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"879":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"880":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"881":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"882":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"883":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"884":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"885":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"886":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"887":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"888":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"889":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"890":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"891":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"892":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"893":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"894":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"895":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"896":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"897":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"898":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"899":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/printing/event-ids-associated-point-print-restrictions"}],"900":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"901":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"902":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"903":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"904":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"905":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"906":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"907":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"908":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"909":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"910":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"911":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"912":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"913":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"914":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"915":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"916":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"917":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"918":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"919":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"920":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"921":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"922":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"923":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"924":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"925":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"926":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"927":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"928":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"929":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"930":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"931":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"932":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"933":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"934":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"935":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"936":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"937":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"938":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"939":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"940":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"941":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"942":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"943":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"944":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"945":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"946":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"947":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"948":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"949":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"950":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"951":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"952":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"953":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"954":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"955":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"956":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"957":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"958":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"959":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"960":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"961":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"962":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"963":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"964":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"965":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"966":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"967":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"968":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"969":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"970":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"971":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"972":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"973":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"974":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"975":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"976":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"977":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"978":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"979":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"980":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"981":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"982":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"983":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"984":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"985":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"986":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"987":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4608"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4608"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"988":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4612"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4612"}],"989":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4615"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4615"}],"990":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4618"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4618"}],"991":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4621"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4621"}],"992":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4626"},{"d":"Microsoft Learn 
Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-device-claims"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4626"}],"993":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4650"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4650"}],"994":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4651"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4651"}],"995":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4652"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4652"}],"996":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4654"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4654"}],"997":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4655"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4655"}],"998":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4659"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4659"}],"999":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4665"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4665"}],"1000":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4666"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4666"}],"1001":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4667"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4667"}],"1002":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4668"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4668"}],"1003":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4671"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4671"}],"1004":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4691"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4691"}],"1005":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4707"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4707"}],"1006":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4709"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4709"}],"1007":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4714"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4714"}],"1008":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4715"}],"1009":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4716"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4716"}],"1010":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4745"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4745"}],"1011":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4746"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4746"}],"1012":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4747"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4747"}],"1013":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4748"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4748"}],"1014":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4760"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4760"}],"1015":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4761"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4761"}],"1016":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4762"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4762"}],"1017":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4763"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4763"}],"1018":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4773"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4773"}],"1019":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4774"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4774"}],"1020":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4775"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4775"}],"1021":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4784"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4784"}],"1022":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4785"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4785"}],"1023":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4786"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4786"}],"1024":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4787"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4787"}],"1025":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4788"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4788"}],"1026":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4789"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4789"}],"1027":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4791"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4791"}],"1028":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4792"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4792"}],"1029":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4793"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-management-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4793"}],"1030":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4802"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4802"}],"1031":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4803"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4803"}],"1032":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4816"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4816"}],"1033":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4818"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-central-access-policy-staging"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4818"}],"1034":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4819"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4819"}],"1035":[{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4820"}],"1036":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4821"}],"1037":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4824"}],"1038":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4830"}],"1039":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4864"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4864"}],"1040":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4866"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4866"}],"1041":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4867"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4867"}],"1042":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4877"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4877"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1043":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4878"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4878"}],"1044":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4879"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4879"}],"1045":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4883"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4883"}],"1046":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4884"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4884"}],"1047":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4891"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4891"}],"1048":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4893"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4893"}],"1049":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4894"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4894"}],"1050":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4895"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4895"}],"1051":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4900"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4900"}],"1052":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4906"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4906"}],"1053":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4909"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4909"}],"1054":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4910"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4910"}],"1055":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4913"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4913"}],"1056":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4928"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4928"}],"1057":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4930"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4930"}],"1058":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4931"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4931"}],"1059":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4932"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-replication"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4932"}],"1060":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4933"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-replication"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4933"}],"1061":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4934"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4934"}],"1062":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4935"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4935"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1063":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4936"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4936"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1064":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4937"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4937"}],"1065":[{"d":"Microsoft 
Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"}],"1066":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4951"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"}],"1067":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"}],"1068":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"}],"1069":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4958"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change"}],"1070":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver"}],"1071":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver"}],"1072":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4976"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode"}],"1073":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-quick-mode"}],"1074":[{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode"}],"1075":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4979"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode"}],"1076":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4980"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode"}],"1077":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4981"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode"}],"1078":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4982"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode"}],"1079":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4983"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode"}],"1080":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4984"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode"}],"1081":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5024"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5024"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1082":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5027"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1083":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1084":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1085":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1086":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1087":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5033"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5033"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1088":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1089":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1090":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5039"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry"}],"1091":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5040"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1092":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1093":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1094":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1095":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5046"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1096":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1097":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1098":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5049"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode"}],"1099":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5050"}],"1100":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5051"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system"}],"1101":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5056"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity"}],"1102":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5057"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity"}],"1103":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5060"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity"}],"1104":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5062"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity"}],"1105":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5063"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"}],"1106":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5064"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"}],"1107":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5065"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"}],"1108":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5066"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"}],"1109":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5067"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"}],"1110":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5068"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"}],"1111":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5069"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"}],"1112":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5070"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"}],"1113":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1114":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1115":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5122"}],"1116":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5126"}],"1117":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5127"}],"1118":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5138"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes"}],"1119":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5148"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"}],"1120":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5149"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"}],"1121":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5150"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection"}],"1122":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection"}],"1123":[{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop"}],"1124":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5168"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share"}],"1125":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5378"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events"}],"1126":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5440"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1127":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5451"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-quick-mode"}],"1128":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5452"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-quick-mode"}],"1129":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5456"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1130":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5457"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1131":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1132":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1133":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1134":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1135":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1136":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1137":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1138":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1139":[{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1140":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5477"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"1141":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5483"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver"}],"1142":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5632"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events"}],"1143":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5633"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events"}],"1144":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5712"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-rpc-events"}],"1145":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6144"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"}],"1146":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events"}],"1147":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6272"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server"}],"1148":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server"}],"1149":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server"}],"1150":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6276"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server"}],"1151":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6277"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server"}],"1152":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server"}],"1153":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6279"},{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server"}],"1154":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server"}],"1155":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6400"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1156":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1157":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1158":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6403"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1159":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6404"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1160":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6405"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1161":[{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1162":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"1163":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity"}],"1164":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity"}],"1165":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1166":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1167":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1168":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1169":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1170":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1171":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1172":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1173":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1174":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1175":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1176":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1177":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1178":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1179":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1180":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1181":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1182":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1183":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1184":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1185":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1186":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1187":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1188":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1189":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1190":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1191":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1192":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1193":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1194":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1195":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1196":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1197":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1198":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1199":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1200":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"1201":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1202":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1203":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1204":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1205":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1206":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1207":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1208":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1209":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1210":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1211":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1212":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1213":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1214":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1215":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1216":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1217":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1218":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1219":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1220":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1221":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1222":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1223":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1224":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1225":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1226":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1227":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1228":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1229":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1230":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1231":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1232":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1233":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1234":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1235":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1236":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1237":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1238":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1239":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1240":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1241":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1242":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1243":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1244":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1245":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1246":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1247":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1248":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1249":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1250":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1251":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1252":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1253":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1254":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1255":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1256":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1257":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1258":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1259":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1260":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1261":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1262":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1263":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1264":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1265":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1266":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1267":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1268":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1269":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1270":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1271":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1272":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1273":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1274":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1275":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1276":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1277":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1278":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1279":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1280":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1281":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1282":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1283":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1284":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1285":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1286":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1287":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1288":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1289":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1290":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1291":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1292":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1293":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1294":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1295":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1296":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1297":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1298":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1299":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1300":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1301":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1302":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1303":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1304":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1305":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1306":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1307":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1308":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1309":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1310":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1311":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1312":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1313":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1314":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1315":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1316":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1317":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1318":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1319":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1320":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1321":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1322":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1323":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1324":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1325":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1326":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1327":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1328":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1329":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1330":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1331":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1332":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1333":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1334":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1335":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1336":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1337":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1338":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1339":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1340":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1341":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1342":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1343":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1344":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1345":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1346":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1347":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1348":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1349":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1350":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1351":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1352":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1353":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1354":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1355":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1356":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1357":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1358":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1359":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1360":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1361":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1362":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1363":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1364":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1365":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1366":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1367":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1368":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1369":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1370":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1371":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1372":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1373":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1374":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1375":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1376":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1377":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1378":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1379":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1380":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1381":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1382":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1383":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1384":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1385":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1386":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1387":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1388":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1389":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1390":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1391":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1392":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1393":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1394":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1395":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1396":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1397":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1398":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-24-clipboardchange-new-content-in-the-clipboard"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1399":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1400":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1401":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1402":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1403":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1404":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1405":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1406":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1407":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1408":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd363640(v=ws.10)"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1409":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1410":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1411":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1412":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd363721(v=ws.10)"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1413":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1414":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1415":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1416":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1417":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1418":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1419":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1420":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1421":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1422":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1423":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1424":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1425":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1426":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1427":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1428":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1429":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1430":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager"},{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1431":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1432":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1433":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1434":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1435":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1436":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1437":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1438":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1439":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1440":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1441":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1442":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1443":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1444":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1445":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1446":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1447":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1448":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1449":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1450":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1451":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1452":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1453":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1454":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1455":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1456":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1457":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1458":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1459":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1460":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1461":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1462":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1463":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1464":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1465":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1466":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1467":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1468":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1469":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1470":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1471":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1472":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1473":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1474":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1475":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1476":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1477":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1478":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1479":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1480":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1481":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1482":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1483":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1484":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1485":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1486":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1487":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1488":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1489":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1490":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1491":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1492":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1493":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1494":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1495":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1496":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1497":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1498":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1499":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1500":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1501":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1502":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1503":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1504":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1505":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1506":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1507":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1508":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1509":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1510":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1511":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1512":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1513":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1514":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1515":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1516":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1517":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1518":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1519":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1520":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1521":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1522":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1523":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1524":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1525":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1526":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1527":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1528":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1529":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1530":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1531":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1532":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1533":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1534":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1535":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1536":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"RULER 
Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1537":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1538":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1539":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1540":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1541":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1542":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"RULER 
Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1543":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1544":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1545":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1546":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1547":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1548":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1549":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1550":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1551":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1552":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1553":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1554":[{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2073-firewall-windows-11.md"}],"1555":[{"d":"Example 
event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1556":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1557":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1558":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1559":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1560":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1561":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1562":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1563":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1564":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1565":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1566":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1567":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1568":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1569":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1570":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1571":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1572":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1573":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1574":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1575":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1576":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1577":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1578":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1579":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1580":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1581":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/win32/winrm/events"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1582":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1583":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1584":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1585":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1586":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1587":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1588":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1589":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1590":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1591":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1592":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1593":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1594":[{"d":"Example event 
sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1595":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/win32/winrm/events"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1596":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1597":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1598":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1599":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1600":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1601":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1602":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1603":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1604":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1605":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1606":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1607":[{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-8001-wlan-connect.md"}],"1608":[{"d":"Windows Forensic Artifacts","u":"https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-8003-wlan-disconnect.md"}],"1609":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1610":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1611":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1612":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1613":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1614":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1615":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1616":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1617":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1618":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1619":[{"d":"Hunt & 
Hackett","u":"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Connectwise_Screenconnect"}],"1620":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1621":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1622":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1623":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1624":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1625":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1626":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1627":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1628":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1629":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1630":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1631":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1632":[{"d":"Example event 
sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1633":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1634":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1635":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1636":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1637":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1638":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1639":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1640":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1641":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1642":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1643":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1644":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1645":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1646":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1647":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1648":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1649":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1650":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1651":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1652":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1653":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1654":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1655":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/archive/technet-wiki/1206.dfsr-event-1202-dfs-replication"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1656":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1657":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1658":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1659":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1660":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1661":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1662":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1663":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1664":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1665":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1666":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1667":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1668":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1669":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1670":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1671":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1672":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1673":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1674":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1675":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1676":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1677":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1678":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1679":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1680":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1681":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1682":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1683":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1684":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1685":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1686":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1687":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1688":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1689":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1690":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1691":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1692":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1693":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1694":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1695":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1696":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1697":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1698":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1699":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1700":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1701":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1702":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1703":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1704":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1705":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1706":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1707":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1708":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1709":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1710":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1711":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1712":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1713":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1714":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1715":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1716":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1717":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1718":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1719":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1720":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1721":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1722":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1723":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1724":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1725":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1726":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1727":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1728":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1729":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1730":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1731":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1732":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1733":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"1734":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1735":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"1736":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"1737":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"1738":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"1739":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"1740":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1741":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1743":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1744":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1745":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1746":[{"d":"Example 
event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1747":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1748":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"1749":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1750":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1751":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1752":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1753":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1754":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1755":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1756":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1757":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1758":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1759":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1760":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1761":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1762":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1763":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1764":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1765":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1766":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/netlogon-event-id-5719-or-group-policy-event-1129"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1767":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1768":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1769":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1770":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1771":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1772":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1773":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1774":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1775":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1776":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1777":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865682(v=ws.10)"}],"1778":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1779":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/printing/event-ids-associated-point-print-restrictions"}],"1780":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1781":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1782":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1783":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1784":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1785":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1786":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1787":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1788":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1789":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1790":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1791":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1792":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1793":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1794":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4960"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver"}],"1795":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver"}],"1796":[{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver"}],"1797":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver"}],"1798":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1799":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1800":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1801":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1802":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1803":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1804":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1805":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1806":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1807":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1808":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1809":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1810":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1811":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1812":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1813":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1814":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1815":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1816":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1817":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1818":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1819":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1820":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1821":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1822":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1823":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1824":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1825":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1826":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1827":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1828":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1829":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1830":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1831":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1832":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1833":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1834":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1835":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1836":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1837":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1838":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1839":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1840":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1841":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1842":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1843":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1844":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1845":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1846":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1847":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1848":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1849":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1850":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1851":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1852":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1853":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1854":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1855":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1856":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1857":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1858":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1859":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1860":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1861":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1862":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1863":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1864":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1865":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1866":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1867":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1868":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1869":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1870":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1871":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1872":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1873":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1874":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1875":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1876":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"1877":[{"d":"Example 
event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1878":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1879":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1880":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1881":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1882":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1883":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1884":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1885":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1886":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1887":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1888":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1889":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1890":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1891":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1892":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1893":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1894":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1895":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1896":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1897":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1898":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1899":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1900":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1901":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1902":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1903":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1904":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1905":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1906":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1907":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1908":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1909":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1910":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1911":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1912":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1913":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1914":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1915":[{"d":"Example event sourced from 
https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1916":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1917":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1918":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1919":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1920":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1921":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1922":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1923":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1924":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1925":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1926":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1927":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1928":[{"d":"Example event 
sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1929":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1930":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1931":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1932":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1933":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1934":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1935":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1936":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1937":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1938":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1939":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1940":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1941":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1942":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1943":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1944":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1945":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1946":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1947":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1948":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1949":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1950":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1951":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1952":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1953":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows"},{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1954":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1955":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1956":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1957":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1958":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1959":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1960":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1961":[{"d":"Hunt & Hackett","u":"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Connectwise_Screenconnect"}],"1962":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1963":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1964":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1965":[{"d":"Example event 
sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1966":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1967":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1968":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1969":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1970":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1971":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1972":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1973":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1974":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1975":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1976":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1977":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1978":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1979":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1980":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1981":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1982":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1983":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1984":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1985":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1986":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1987":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1988":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1989":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"1990":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1991":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1992":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1993":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1994":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1995":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1996":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1997":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1998":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"1999":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2000":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2001":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2002":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2003":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2004":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2005":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2006":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2007":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"2008":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"2009":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2010":[{"d":"Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx","u":"https://github.com/Yamato-Security/hayabusa-sample-evtx"}],"2011":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2012":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2013":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2014":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2015":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2016":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2017":[{"d":"Example event sourced from 
https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2018":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2019":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2020":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2021":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2022":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2023":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2024":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2025":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2026":[{"d":"Example event sourced from https://github.com/NextronSystems/evtx-baseline","u":"https://github.com/NextronSystems/evtx-baseline"}],"2043":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"3319":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4882"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4882"}],"3720":[{"d":"RULER 
Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3721":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3722":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3723":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3724":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3725":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3726":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3727":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3728":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3729":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3730":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3731":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3732":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3733":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3734":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3735":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3736":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3737":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3738":[{"d":"RULER 
Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3739":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3740":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3741":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3742":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3743":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3744":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3745":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3746":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3747":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3748":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3749":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3750":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3751":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3752":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3753":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3754":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3755":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3756":[{"d":"RULER 
Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3757":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3758":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3759":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3760":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3761":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3762":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3763":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3764":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3765":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3766":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3767":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3768":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3769":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3770":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3771":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3772":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3773":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3774":[{"d":"RULER 
Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3775":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3776":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3777":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3778":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3779":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3780":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3781":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3782":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3783":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3784":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3785":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3786":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3787":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3788":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3789":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3790":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3791":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3792":[{"d":"RULER 
Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3793":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3794":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3795":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3796":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3797":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3798":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3799":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3800":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3801":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop"}],"3840":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"3841":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"3842":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"3843":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"3844":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table"}],"3845":[{"d":"Microsoft Defender XDR — advanced hunting 
reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table"}],"3846":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceimageloadevents-table"}],"3847":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table"}],"3848":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table"}],"3849":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table"}],"3850":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceprocessevents-table"}],"3851":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table"}],"3852":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table"}],"3853":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table"}],"3854":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table"}],"6513":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/printing/event-ids-associated-point-print-restrictions"}],"7324":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"7325":[{"d":"Microsoft Defender XDR — advanced hunting 
reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"7326":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"7327":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"7328":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"7329":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"7330":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"7331":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"7332":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"7333":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"7334":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"7335":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table"}],"7336":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table"}],"7337":[{"d":"Microsoft Defender XDR — advanced hunting 
reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table"}],"7338":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table"}],"7339":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceimageloadevents-table"}],"7340":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceinfo-table"}],"7341":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table"}],"7342":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicelogonevents-table"}],"7343":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table"}],"7344":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table"}],"7345":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table"}],"7346":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table"}],"7347":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table"}],"7348":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table"}],"7349":[{"d":"Microsoft Defender XDR — advanced hunting 
reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkevents-table"}],"7350":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicenetworkinfo-table"}],"7351":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceprocessevents-table"}],"7352":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceprocessevents-table"}],"7353":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceprocessevents-table"}],"7354":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceregistryevents-table"}],"7355":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicetvmsecureconfigurationassessment-table"}],"7356":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicetvmsoftwareinventory-table"}],"7357":[{"d":"Microsoft Defender XDR — advanced hunting reference","u":"https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicetvmsoftwarevulnerabilities-table"}],"7358":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6145"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6145"}],"7359":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5141"}],"7360":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5142"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5142"}],"7361":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5143"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5143"}],"7362":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5144"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5144"}],"7363":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5146"}],"7364":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5147"}],"7365":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5148"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5148"}],"7366":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5149"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5149"}],"7367":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5158"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5158"}],"7368":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5159"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5159"}],"7369":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7370":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7371":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7372":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7373":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7374":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7375":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7376":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7377":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7378":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7379":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7380":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7381":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7382":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7383":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7384":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7385":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7386":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/active-directory-replication-event-id-2042"}],"7387":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7388":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7389":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7390":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/troubleshoot-remote-desktop-disconnected-errors"}],"7391":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ntds-replication-warning-1083-1061-sam-error-12294"}],"7392":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ntds-replication-warning-event-id-1093"}],"7393":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7394":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7395":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7396":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker"}],"7397":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker"}],"7398":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7399":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7400":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7401":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7402":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7403":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/event-id-4107-or-event-id-11-is-logged"}],"7404":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/archive/technet-wiki/14250.certificate-services-lifecycle-notifications"}],"7405":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7406":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7407":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7408":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7409":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7410":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7411":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7412":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7413":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7414":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7415":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7416":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7417":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7418":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7419":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7420":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7421":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/troubleshoot/windows-server/events-18210-3041-and-1-hyper-v-replica"}],"7422":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5712"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5712"}],"7423":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/dfsr-event-2212-restart-server"}],"7424":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/dfsr-event-id-2213"}],"7425":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/troubleshoot-event-id-1311-messages"}],"7426":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7427":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7428":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7429":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7430":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7431":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7432":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7433":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7434":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7435":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7436":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7437":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7438":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7439":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7440":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7441":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7442":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7443":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7444":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7445":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7446":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7447":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7448":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7449":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7450":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7451":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7452":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7453":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7454":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7455":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7456":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7457":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7458":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7459":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7460":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7461":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7462":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7463":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7464":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7465":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7466":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7467":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7468":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7469":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7470":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7471":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7472":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7473":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7474":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7475":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7476":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7477":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7478":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7479":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7480":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7481":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7482":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7483":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7484":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7485":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7486":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7487":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7488":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7489":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7490":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7491":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7492":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7493":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7494":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7495":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7496":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7497":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7498":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7499":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7500":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7501":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7502":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7503":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7504":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7505":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7506":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7507":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7508":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7509":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7510":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7511":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7512":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7513":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7514":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7515":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7516":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7517":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7518":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7519":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7520":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7521":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7522":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7523":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7524":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7525":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7526":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7527":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7528":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7529":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7530":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7531":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7532":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7533":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7534":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7535":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7536":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7537":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7538":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7539":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7540":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7541":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7542":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7543":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7544":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7545":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7546":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7547":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7548":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7549":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7550":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7551":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7552":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7553":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7554":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7555":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7556":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7557":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7558":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7559":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7560":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7561":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7562":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7563":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7564":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7565":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7566":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7567":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7568":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7569":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7570":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7571":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7572":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7573":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7574":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7575":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7576":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7577":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7578":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7579":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7580":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7581":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7582":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7583":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7584":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7585":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7586":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7587":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7588":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7589":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7590":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7591":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7592":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7593":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7594":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7595":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7596":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7597":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7598":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7599":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7600":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7601":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7602":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7603":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7604":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7605":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7606":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7607":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7608":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7609":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7610":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7611":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7612":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7613":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7614":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7615":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7616":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7617":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7618":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7619":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7620":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7621":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7622":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7623":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7624":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7625":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7626":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7627":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7628":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7629":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7630":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7631":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7632":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7633":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7634":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7635":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7636":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7637":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7638":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7639":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7640":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7641":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7642":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7643":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7644":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7645":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7646":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7647":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7648":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7649":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7650":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7651":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7652":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7653":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7654":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7655":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7656":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7657":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7658":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7659":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7660":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7661":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7662":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7663":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7664":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7665":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7666":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7667":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7668":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7669":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7670":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7671":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7672":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7673":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7674":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7675":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7676":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7677":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7678":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7679":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7680":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7681":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7682":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7683":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7684":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7685":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7686":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7687":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7688":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7689":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7690":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7691":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7692":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7693":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7694":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7695":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7696":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7697":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7698":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7699":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7700":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7701":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7702":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7703":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7704":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7705":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7706":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7707":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7708":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7709":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7710":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7711":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7712":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7713":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7714":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7715":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7716":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7717":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7718":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7719":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7720":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7721":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7722":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7723":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7724":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7725":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7726":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7727":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7728":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7729":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7730":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7731":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7732":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7733":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7734":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7735":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7736":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7737":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7738":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7739":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7740":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7741":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7742":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7743":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7744":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7745":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7746":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7747":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7748":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7749":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7750":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7751":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7752":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7753":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7754":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7755":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7756":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7757":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7758":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7759":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7760":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7761":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7762":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7763":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7764":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7765":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7766":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7767":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7768":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7769":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7770":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7771":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7772":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7773":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7774":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7775":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7776":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7777":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7778":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7779":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7780":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7781":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7782":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7783":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7784":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7785":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7786":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7787":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7788":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7789":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7790":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7791":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7792":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7793":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7794":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7795":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7796":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7797":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7798":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7799":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7800":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7801":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7802":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7803":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7804":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7805":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7806":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7807":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7808":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7809":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7810":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7811":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7812":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7813":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7814":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7815":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7816":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7817":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7818":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7819":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7820":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7821":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7822":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7823":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7824":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7825":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7826":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7827":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7828":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7829":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7830":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7831":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7832":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7833":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7834":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7835":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7836":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7837":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7838":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7839":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7840":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7841":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7842":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7843":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7844":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7845":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7846":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7847":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7848":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7849":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7850":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7851":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7852":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7853":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7854":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7855":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7856":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7857":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7858":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7859":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7860":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7861":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7862":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7863":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7864":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7865":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7866":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7867":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7868":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7869":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7870":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7871":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7872":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7873":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7874":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7875":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7876":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7877":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7878":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7879":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7880":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7881":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7882":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7883":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7884":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7885":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7886":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7887":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7888":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7889":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7890":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7891":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7892":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7893":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7894":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7895":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"7896":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7897":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7898":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7899":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7900":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7901":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7902":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7903":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865682(v=ws.10)"}],"7904":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"7905":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7906":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/active-directory-replication-event-id-2087"}],"7907":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ntds-replication-event-2089-backup-latency-interval"}],"7908":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1104"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1104"}],"7909":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1105"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1105"}],"7910":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392562(v=ws.10)"}],"7911":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5040"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5040"}],"7912":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5045"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5045"}],"7913":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5034"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5034"}],"7914":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7915":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7916":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7917":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7918":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7919":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7920":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5025"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5025"}],"7921":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5027"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5027"}],"7922":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/active-directory-replication-not-work-event-1865"}],"7923":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ntds-replication-warning-1083-1061-sam-error-12294"}],"7924":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/distributed-file-system-replication-not-replicate-files"}],"7925":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7926":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7927":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7928":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7929":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/dfsr-diagnostics-shows-sharing-violations-events"}],"7930":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7931":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7932":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7933":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7934":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7935":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/printing/event-ids-associated-point-print-restrictions"}],"7938":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7939":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7940":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7941":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7942":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7943":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7944":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7945":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7946":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7947":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"7948":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4609"},{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4609"}],"7949":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4710"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4710"}],"7950":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4712"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4712"}],"7951":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4875"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4875"}],"7952":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"7953":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"7954":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode"}],"7955":[{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"7956":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"7957":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"7958":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver"}],"7959":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver"}],"7960":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6406"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"7961":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager"}],"7962":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-27-fileblockexecutable"}],"7963":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-28-fileblockshredding"}],"7964":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-29-fileexecutabledetected"}],"7965":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-14-registryevent-key-and-value-rename"}],"7966":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected"}],"7967":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected"}],"7968":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected"}],"7969":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"},{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-23-filedelete-file-delete-archived"}],"7970":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager"}],"7971":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7972":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7973":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7974":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7975":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7976":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7977":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7978":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7979":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7980":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7981":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7982":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7983":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7984":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7985":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7986":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7987":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7988":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7989":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7990":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7991":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7992":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7993":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7994":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7995":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7996":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7997":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7998":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"7999":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8000":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8001":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8002":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8003":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8004":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8005":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8006":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8007":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8008":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8009":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8010":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8011":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8012":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8013":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8014":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8015":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8016":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8017":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8018":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8019":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8020":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8021":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8022":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8023":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8024":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8025":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8026":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8027":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8028":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8029":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8030":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8031":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8032":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8033":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8034":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8035":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8036":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8037":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8038":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8039":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8040":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8041":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8042":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8043":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8044":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8045":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8046":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8047":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8048":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8049":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8050":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8051":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8052":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8053":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8054":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8055":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8056":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8057":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8058":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8059":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8060":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8061":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8062":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8063":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8064":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8065":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8066":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8067":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8068":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8069":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8070":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8071":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8072":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8073":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8074":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8075":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8076":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8077":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8078":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8079":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8080":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8081":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8082":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8083":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8084":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes"}],"8085":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8086":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8087":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8088":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8089":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8090":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8091":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8092":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8093":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8094":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8095":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8096":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8097":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8098":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8099":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8100":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8101":[{"d":"RULER 
Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8102":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8103":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8104":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8105":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8106":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8107":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8108":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8109":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8110":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8111":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8112":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8113":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8114":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8115":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8116":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8117":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8118":[{"d":"RULER 
Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8119":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8120":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8121":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8122":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8123":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8124":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8125":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8126":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8127":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8128":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8129":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8130":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8131":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8132":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8133":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8135":[{"d":"Hunt & Hackett","u":"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling"},{"d":"RULER 
Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Connectwise_Screenconnect"}],"8136":[{"d":"Hunt & Hackett","u":"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Connectwise_Screenconnect"}],"8137":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Sophos/"}],"8138":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Sophos/"}],"8139":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Sophos/"}],"8140":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Sophos/"}],"8141":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Sophos/"}],"8142":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Sophos/"}],"8143":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Sophos/"}],"8144":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Sophos/"}],"8145":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Sophos/"}],"8146":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Sophos/"}],"8147":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Sophos/"}],"8148":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/win32/winrm/events"}],"8149":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/win32/winrm/events"}],"8150":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5168"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5168"}],"8151":[{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5169"}],"8152":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5170"}],"8153":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"8154":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"8155":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"8156":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"8157":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"8158":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8159":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8160":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8161":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8162":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8163":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8164":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8165":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8166":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8167":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8168":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8169":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8170":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8171":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8172":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8173":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8174":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8175":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8176":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8177":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8178":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8179":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8180":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8181":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8182":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8183":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8184":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8185":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8186":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8187":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8188":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8189":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8190":[{"d":"Microsoft Learn - DHCP Server 
Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8191":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8192":[{"d":"Microsoft Learn - DHCP Server Events","u":"https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-server-events"}],"8193":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5376"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5376"}],"8194":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5380"}],"8195":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5381"}],"8196":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"8197":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/event1644reader-analyze-ldap-query-performance"}],"8198":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5028"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5028"}],"8199":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5029"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5029"}],"8200":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5030"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5030"}],"8201":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5031"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5031"}],"8202":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5032"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5032"}],"8203":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5035"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5035"}],"8204":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5037"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5037"}],"8205":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5038"}],"8206":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5047"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5047"}],"8207":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5048"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5048"}],"8208":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5049"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5049"}],"8209":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5050"}],"8210":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5051"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5051"}],"8211":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5056"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5056"}],"8212":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5057"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5057"}],"8213":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5060"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5060"}],"8214":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5062"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5062"}],"8215":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5063"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5063"}],"8216":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5064"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5064"}],"8217":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5065"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5065"}],"8218":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5066"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5066"}],"8219":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5067"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5067"}],"8220":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5068"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5068"}],"8221":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5069"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5069"}],"8222":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5070"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5070"}],"8223":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5071"}],"8224":[{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5120"}],"8225":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5121"}],"8226":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5122"}],"8227":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5123"}],"8228":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5124"}],"8229":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5125"}],"8230":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5127"}],"8231":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5150"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5150"}],"8232":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5151"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5151"}],"8233":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5152"}],"8234":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5153"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5153"}],"8235":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5154"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5154"}],"8236":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5155"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5155"}],"8237":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5156"}],"8238":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5157"}],"8239":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6400"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6400"}],"8240":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc727321(v=ws.10)"}],"8241":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5039"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5039"}],"8242":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5046"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5046"}],"8244":[{"d":"Microsoft 
Learn","u":"https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/replication-event-id-2108-1084"}],"8245":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"8246":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"8247":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"8248":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"8249":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"8250":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"8251":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"8252":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"8253":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations"}],"8254":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1100"}],"8255":[{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1101"}],"8256":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102"}],"8257":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1104"}],"8258":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1105"}],"8259":[{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1108"}],"8260":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"8261":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"}],"8262":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5041"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5041"}],"8263":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5042"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5042"}],"8264":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5043"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5043"}],"8265":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5044"},{"d":"Ultimate Windows 
Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5044"}],"8266":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5136"}],"8267":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5137"}],"8268":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5138"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5138"}],"8269":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5139"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5139"}],"8270":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4646"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4646"}],"8271":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4711"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"},{"d":"Ultimate Windows Security","u":"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4711"}],"8272":[{"d":"Microsoft Learn Audit 
Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"8273":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"8274":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change"}],"8275":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver"}],"8276":[{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver"}],"8277":[{"d":"Microsoft Learn","u":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6407"},{"d":"Microsoft Learn Audit Policy","u":"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events"}],"8278":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8279":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8280":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8281":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8282":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8283":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8284":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8285":[{"d":"RULER 
Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8286":[{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/"}],"8287":[{"d":"Hunt & Hackett","u":"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Connectwise_Screenconnect"}],"8288":[{"d":"Hunt & Hackett","u":"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Connectwise_Screenconnect"}],"8289":[{"d":"Hunt & Hackett","u":"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling"},{"d":"RULER Project","u":"https://ruler-project.github.io/ruler-project/RULER/remote/Connectwise_Screenconnect"}]}}