de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806

Analysis

max time kernel
72s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
Size

4.8MB
MD5

14888882bcf01c20a4a45bb9aa2b35f7
SHA1

50915c9c2855987e1191bbd2c510e067150b2a0f
SHA256

de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806
SHA512

c7ae29fddc996e4172672d8e28466f23e3afdbd458345679b5895b1d94e5cdd8120e51480837929b08d1373690aadecb601b7b0dc08ad47b36338c621a2d7436
SSDEEP

49152:vLiH3r02PBZrb/T5vO90dL3BmAFd4A64nsfJF4QWjmy25yr5nBFwLYgN4Ew5Ew1e:G3BlGy2CGyEkVHBhfwjPTBL5TJhLRp

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT

Ransom Note

Dear Management We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 100 GB of your data (most from your PD), including: Accounting Confidential documents Personal data Copy of some mailboxes Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact us: [email protected] or [email protected]

Emails

[email protected]

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
1316	Process not Found
4136	Process not Found
6072	Process not Found
3108	Process not Found
424	Process not Found
5904	Process not Found
4588	Process not Found
4748	Process not Found
5400	Process not Found
5900	Process not Found
6016	Process not Found
4972	Process not Found
4568	Process not Found
2652	Process not Found
1088	Process not Found
3764	Process not Found
5588	Process not Found
4716	Process not Found
1652	Process not Found
5716	Process not Found
4896	Process not Found
2396	Process not Found
4412	Process not Found
1148	Process not Found
3520	Process not Found
5864	Process not Found
3560	Process not Found
2236	Process not Found
3276	Process not Found
908	Process not Found
2600	Process not Found
1020	Process not Found
5396	Process not Found
4624	Process not Found
2992	Process not Found
1928	wevtutil.exe
2680	Process not Found
5640	Process not Found
3600	Process not Found
6088	Process not Found
6020	Process not Found
5240	Process not Found
5128	Process not Found
4468	wevtutil.exe
2380	Process not Found
5552	Process not Found
4516	wevtutil.exe
5736	Process not Found
4068	Process not Found
3896	Process not Found
5480	Process not Found
5204	Process not Found
3344	wevtutil.exe
3340	wevtutil.exe
5288	Process not Found
4136	Process not Found
4372	Process not Found
6004	Process not Found
4344	Process not Found
5564	Process not Found
5948	Process not Found
4276	Process not Found
3560	wevtutil.exe
4724	Process not Found

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 4 IoCs

description	ioc	Process
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-black_scale-125.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\View3d\3DViewerProductDescription-universal.xml	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\tilebg.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-400.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\ruleset_en-GB_TTS.lua	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\ui-strings.js.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\Email.ot	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_invite_24.svg	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\ui-strings.js	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-24_altform-unplated_contrast-black.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner_process.svg.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\svgCheckboxUnselected.svg.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-400.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_TeethSmile.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\GlobalMock-A.Tests.ps1	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up.gif.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\ui-strings.js	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\security\java.security.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\README.txt.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner.png.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Media Player\de-DE\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\ValueProp_Ring.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\ui-strings.js.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\ui-strings.js	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200_contrast-white.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\ui-strings.js.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\ui-strings.js.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\css\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\ui-strings.js.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\gu.pak	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lt.pak.DATA	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-24_altform-lightunplated.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-256.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\complete.png	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tiywepxb	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2144	Process not Found
4896	Process not Found
4064	Process not Found
4764	Process not Found
4548	Process not Found
5992	Process not Found
3600	Process not Found
4888	Process not Found
1592	Process not Found
5332	Process not Found
4236	Process not Found
2144	Process not Found
5052	Process not Found
4248	Process not Found
5276	Process not Found
6088	Process not Found
724	Process not Found
4968	Process not Found
4136	Process not Found
400	Process not Found
1920	Process not Found
5528	Process not Found
1284	Process not Found
5632	Process not Found
2520	Process not Found
4852	Process not Found
5480	Process not Found
5168	Process not Found
5436	Process not Found
3520	Process not Found
1616	Process not Found
3952	Process not Found
216	Process not Found
3732	Process not Found
3652	Process not Found
996	Process not Found
5324	Process not Found
2212	Process not Found
5440	Process not Found
5904	Process not Found
5388	Process not Found
5740	Process not Found
1456	Process not Found
1676	Process not Found
3248	Process not Found
2268	Process not Found
2248	Process not Found
1308	Process not Found
2236	Process not Found
5988	Process not Found
1460	Process not Found
1920	Process not Found
5760	Process not Found
3472	Process not Found
2608	Process not Found
2060	Process not Found
5132	Process not Found
2360	Process not Found
5428	Process not Found
4932	Process not Found
5724	Process not Found
4400	Process not Found
908	Process not Found
2760	Process not Found

Delays execution with timeout.exe 12 IoCs

evasion

pid	Process
5716	Process not Found
2276	Process not Found
5572	Process not Found
4932	Process not Found
1700	Process not Found
3604	Process not Found
4468	Process not Found
3960	Process not Found
2380	timeout.exe
1456	Process not Found
5216	Process not Found
3560	Process not Found

Interacts with shadow copies 2 TTPs 64 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4328	vssadmin.exe
5648	Process not Found
5216	Process not Found
5208	Process not Found
5656	Process not Found
396	Process not Found
1916	Process not Found
300	Process not Found
5340	Process not Found
6116	Process not Found
5872	Process not Found
4204	Process not Found
3336	vssadmin.exe
4604	Process not Found
3764	Process not Found
5516	Process not Found
3420	Process not Found
1928	Process not Found
3192	Process not Found
1148	Process not Found
908	Process not Found
6000	Process not Found
4336	Process not Found
3108	vssadmin.exe
1428	Process not Found
3244	Process not Found
5380	Process not Found
5584	Process not Found
5812	Process not Found
1216	Process not Found
5988	Process not Found
3640	Process not Found
1972	Process not Found
3960	Process not Found
4304	Process not Found
228	Process not Found
6040	Process not Found
1832	Process not Found
2948	vssadmin.exe
3736	Process not Found
5088	Process not Found
444	Process not Found
5208	Process not Found
5652	Process not Found
5348	Process not Found
3108	Process not Found
5352	Process not Found
1088	Process not Found
5712	Process not Found
2600	Process not Found
3080	Process not Found
3732	vssadmin.exe
1592	vssadmin.exe
2600	Process not Found
5288	Process not Found
300	Process not Found
996	Process not Found
1696	Process not Found
2440	Process not Found
4560	Process not Found
1300	Process not Found
4996	Process not Found
5988	Process not Found
1936	Process not Found

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3716	de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	4744	vssvc.exe
Token: SeRestorePrivilege	4744	vssvc.exe
Token: SeAuditPrivilege	4744	vssvc.exe
Token: SeSecurityPrivilege	2372	wevtutil.exe
Token: SeBackupPrivilege	2372	wevtutil.exe
Token: SeSecurityPrivilege	4492	wevtutil.exe
Token: SeBackupPrivilege	4492	wevtutil.exe
Token: SeSecurityPrivilege	3720	wevtutil.exe
Token: SeBackupPrivilege	3720	wevtutil.exe
Token: SeSecurityPrivilege	2832	wevtutil.exe
Token: SeBackupPrivilege	2832	wevtutil.exe
Token: SeSecurityPrivilege	3520	wevtutil.exe
Token: SeBackupPrivilege	3520	wevtutil.exe
Token: SeSecurityPrivilege	2056	wevtutil.exe
Token: SeBackupPrivilege	2056	wevtutil.exe
Token: SeSecurityPrivilege	1768	wevtutil.exe
Token: SeBackupPrivilege	1768	wevtutil.exe
Token: SeSecurityPrivilege	2656	wevtutil.exe
Token: SeBackupPrivilege	2656	wevtutil.exe
Token: SeSecurityPrivilege	300	wevtutil.exe
Token: SeBackupPrivilege	300	wevtutil.exe
Token: SeSecurityPrivilege	3496	wevtutil.exe
Token: SeBackupPrivilege	3496	wevtutil.exe
Token: SeSecurityPrivilege	2496	wevtutil.exe
Token: SeBackupPrivilege	2496	wevtutil.exe
Token: SeSecurityPrivilege	544	wevtutil.exe
Token: SeBackupPrivilege	544	wevtutil.exe
Token: SeSecurityPrivilege	2440	wevtutil.exe
Token: SeBackupPrivilege	2440	wevtutil.exe
Token: SeSecurityPrivilege	2340	wevtutil.exe
Token: SeBackupPrivilege	2340	wevtutil.exe
Token: SeSecurityPrivilege	2992	wevtutil.exe
Token: SeBackupPrivilege	2992	wevtutil.exe
Token: SeSecurityPrivilege	3332	wevtutil.exe
Token: SeBackupPrivilege	3332	wevtutil.exe
Token: SeSecurityPrivilege	1456	wevtutil.exe
Token: SeBackupPrivilege	1456	wevtutil.exe
Token: SeSecurityPrivilege	2608	wevtutil.exe
Token: SeBackupPrivilege	2608	wevtutil.exe
Token: SeSecurityPrivilege	1896	wevtutil.exe
Token: SeBackupPrivilege	1896	wevtutil.exe
Token: SeSecurityPrivilege	4016	wevtutil.exe
Token: SeBackupPrivilege	4016	wevtutil.exe
Token: SeSecurityPrivilege	744	wevtutil.exe
Token: SeBackupPrivilege	744	wevtutil.exe
Token: SeSecurityPrivilege	1584	wevtutil.exe
Token: SeBackupPrivilege	1584	wevtutil.exe
Token: SeSecurityPrivilege	2712	wevtutil.exe
Token: SeBackupPrivilege	2712	wevtutil.exe
Token: SeSecurityPrivilege	2340	wevtutil.exe
Token: SeBackupPrivilege	2340	wevtutil.exe
Token: SeSecurityPrivilege	5000	wevtutil.exe
Token: SeBackupPrivilege	5000	wevtutil.exe
Token: SeSecurityPrivilege	1124	wevtutil.exe
Token: SeBackupPrivilege	1124	wevtutil.exe
Token: SeSecurityPrivilege	2876	wevtutil.exe
Token: SeBackupPrivilege	2876	wevtutil.exe
Token: SeSecurityPrivilege	1928	wevtutil.exe
Token: SeBackupPrivilege	1928	wevtutil.exe
Token: SeSecurityPrivilege	3632	wevtutil.exe
Token: SeBackupPrivilege	3632	wevtutil.exe
Token: SeSecurityPrivilege	2360	wevtutil.exe
Token: SeBackupPrivilege	2360	wevtutil.exe
Token: SeSecurityPrivilege	3308	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4368	1920	cmd.exe	90
PID 1920 wrote to memory of 4368	1920	cmd.exe	90
PID 1920 wrote to memory of 2380	1920	cmd.exe	92
PID 1920 wrote to memory of 2380	1920	cmd.exe	92
PID 1920 wrote to memory of 3732	1920	cmd.exe	96
PID 1920 wrote to memory of 3732	1920	cmd.exe	96
PID 1920 wrote to memory of 4492	1920	cmd.exe	98
PID 1920 wrote to memory of 4492	1920	cmd.exe	98
PID 1920 wrote to memory of 724	1920	cmd.exe	99
PID 1920 wrote to memory of 724	1920	cmd.exe	99
PID 1920 wrote to memory of 2992	1920	cmd.exe	100
PID 1920 wrote to memory of 2992	1920	cmd.exe	100
PID 1920 wrote to memory of 3108	1920	cmd.exe	101
PID 1920 wrote to memory of 3108	1920	cmd.exe	101
PID 1920 wrote to memory of 3336	1920	cmd.exe	102
PID 1920 wrote to memory of 3336	1920	cmd.exe	102
PID 1920 wrote to memory of 892	1920	cmd.exe	103
PID 1920 wrote to memory of 892	1920	cmd.exe	103
PID 1920 wrote to memory of 4328	1920	cmd.exe	104
PID 1920 wrote to memory of 4328	1920	cmd.exe	104
PID 1920 wrote to memory of 2948	1920	cmd.exe	105
PID 1920 wrote to memory of 2948	1920	cmd.exe	105
PID 1920 wrote to memory of 1280	1920	cmd.exe	106
PID 1920 wrote to memory of 1280	1920	cmd.exe	106
PID 1920 wrote to memory of 1592	1920	cmd.exe	107
PID 1920 wrote to memory of 1592	1920	cmd.exe	107
PID 1920 wrote to memory of 3052	1920	cmd.exe	108
PID 1920 wrote to memory of 3052	1920	cmd.exe	108
PID 1920 wrote to memory of 4404	1920	cmd.exe	109
PID 1920 wrote to memory of 4404	1920	cmd.exe	109
PID 1920 wrote to memory of 4636	1920	cmd.exe	110
PID 1920 wrote to memory of 4636	1920	cmd.exe	110
PID 4636 wrote to memory of 2372	4636	cmd.exe	111
PID 4636 wrote to memory of 2372	4636	cmd.exe	111
PID 1920 wrote to memory of 4492	1920	cmd.exe	112
PID 1920 wrote to memory of 4492	1920	cmd.exe	112
PID 1920 wrote to memory of 3720	1920	cmd.exe	113
PID 1920 wrote to memory of 3720	1920	cmd.exe	113
PID 1920 wrote to memory of 2832	1920	cmd.exe	114
PID 1920 wrote to memory of 2832	1920	cmd.exe	114
PID 1920 wrote to memory of 3520	1920	cmd.exe	115
PID 1920 wrote to memory of 3520	1920	cmd.exe	115
PID 1920 wrote to memory of 2056	1920	cmd.exe	116
PID 1920 wrote to memory of 2056	1920	cmd.exe	116
PID 1920 wrote to memory of 1768	1920	cmd.exe	117
PID 1920 wrote to memory of 1768	1920	cmd.exe	117
PID 1920 wrote to memory of 2656	1920	cmd.exe	118
PID 1920 wrote to memory of 2656	1920	cmd.exe	118
PID 1920 wrote to memory of 300	1920	cmd.exe	119
PID 1920 wrote to memory of 300	1920	cmd.exe	119
PID 1920 wrote to memory of 3496	1920	cmd.exe	120
PID 1920 wrote to memory of 3496	1920	cmd.exe	120
PID 1920 wrote to memory of 2496	1920	cmd.exe	121
PID 1920 wrote to memory of 2496	1920	cmd.exe	121
PID 1920 wrote to memory of 544	1920	cmd.exe	122
PID 1920 wrote to memory of 544	1920	cmd.exe	122
PID 1920 wrote to memory of 2440	1920	cmd.exe	123
PID 1920 wrote to memory of 2440	1920	cmd.exe	123
PID 1920 wrote to memory of 2340	1920	cmd.exe	134
PID 1920 wrote to memory of 2340	1920	cmd.exe	134
PID 1920 wrote to memory of 2992	1920	cmd.exe	125
PID 1920 wrote to memory of 2992	1920	cmd.exe	125
PID 1920 wrote to memory of 3332	1920	cmd.exe	126
PID 1920 wrote to memory of 3332	1920	cmd.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe
"C:\Users\Admin\AppData\Local\Temp\de10b8454ebb363ab1469cebbd9898b2df591101806aedd9aab0b8b16139c806.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3716

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "c:\windows\temp\ragluoopx.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\system32\sc.exe
  sc start vss
  2⤵
  PID:4368
- C:\Windows\system32\timeout.exe
  timeout /T 5
  2⤵
  - Delays execution with timeout.exe
  PID:2380
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3732
- C:\Windows\System32\vssadmin.exe
  C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
  2⤵
  PID:4492
- C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
  2⤵
  PID:724
- C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
  2⤵
  PID:2992
- C:\Windows\System32\vssadmin.exe
  C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:3108
- C:\Windows\System32\vssadmin.exe
  C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3336
- C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  PID:892
- C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4328
- C:\Windows\System32\vssadmin.exe
  C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2948
- C:\Windows\System32\vssadmin.exe
  C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  PID:1280
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1592
- C:\Windows\System32\vssadmin.exe
  C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
  2⤵
  PID:3052
- C:\Windows\system32\sc.exe
  sc stop VSS
  2⤵
  PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c WEVTUTIL EL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL EL
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "AMSI/Debug"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "AirSpaceChannel"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Analytic"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Application"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "DirectShowFilterGraph"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "DirectShowPluginControl"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Els_Hyphenation/Analytic"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "EndpointMapper"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "FirstUXPerf-Analytic"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "ForwardedEvents"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "General Logging"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "HardwareEvents"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "IHM_DebugChannel"
  2⤵
  PID:2340
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Intel-iaLPSS-I2C/Analytic"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3332
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Debug"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Performance"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Intel-iaLPSS2-I2C/Debug"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Intel-iaLPSS2-I2C/Performance"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Internet Explorer"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Key Management Service"
  2⤵
  PID:1584
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MF_MediaFoundationDeviceMFT"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MF_MediaFoundationFrameServer"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MedaFoundationVideoProc"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MedaFoundationVideoProcD3D"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationAsyncWrapper"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationContentProtection"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationDS"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationDeviceProxy"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationMP4"
  2⤵
  PID:1168
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationMediaEngine"
  2⤵
  PID:364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationPerformance"
  2⤵
  PID:3764
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationPerformanceCore"
  2⤵
  PID:4440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationPipeline"
  2⤵
  - Clears Windows event logs
  PID:4516
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationPlatform"
  2⤵
  PID:4372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationSrcPrefetch"
  2⤵
  PID:4312
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-AppV-Client-Streamingux/Debug"
  2⤵
  PID:284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-AppV-Client/Admin"
  2⤵
  PID:4108
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-AppV-Client/Debug"
  2⤵
  PID:3348
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-AppV-Client/Operational"
  2⤵
  PID:5056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-AppV-Client/Virtual Applications"
  2⤵
  PID:2668
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-AppV-SharedPerformance/Analytic"
  2⤵
  PID:116
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Admin"
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Debug"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Diagnostic"
  2⤵
  PID:3244
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-IE/Diagnostic"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
  2⤵
  PID:2280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
  2⤵
  PID:1504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-OneCore-Setup/Analytic"
  2⤵
  PID:4368
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
  2⤵
  PID:296
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
  2⤵
  PID:2608
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-Admin/Debug"
  2⤵
  PID:4108
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Debug"
  2⤵
  PID:4236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Operational"
  2⤵
  PID:2948
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Analytic"
  2⤵
  PID:1280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Debug"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Operational"
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-IPC/Operational"
  2⤵
  PID:3336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
  2⤵
  PID:1040
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
  2⤵
  PID:2688
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AAD/Analytic"
  2⤵
  PID:4800
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AAD/Operational"
  2⤵
  PID:1364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
  2⤵
  PID:4240
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ASN1/Operational"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ATAPort/General"
  2⤵
  PID:1976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ATAPort/SATA-LPM"
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ActionQueue/Analytic"
  2⤵
  PID:3596
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-All-User-Install-Agent/Admin"
  2⤵
  PID:308
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AllJoyn/Debug"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AllJoyn/Operational"
  2⤵
  PID:4328
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppHost/Admin"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppHost/ApplicationTracing"
  2⤵
  PID:5056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppHost/Diagnostic"
  2⤵
  PID:2300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppHost/Internal"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppID/Operational"
  2⤵
  PID:2992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppLocker/EXE and DLL"
  2⤵
  PID:3652
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppLocker/MSI and Script"
  2⤵
  PID:4636
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppLocker/Packaged app-Deployment"
  2⤵
  PID:4212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppLocker/Packaged app-Execution"
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Admin"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Analytic"
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Debug"
  2⤵
  PID:1040
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Diagnostics"
  2⤵
  PID:2876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppModel-State/Debug"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppModel-State/Diagnostic"
  2⤵
  PID:3232
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppReadiness/Admin"
  2⤵
  PID:4400
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppReadiness/Debug"
  2⤵
  PID:3592
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppReadiness/Operational"
  2⤵
  PID:2736
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppSruProv"
  2⤵
  PID:3340
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppXDeployment/Diagnostic"
  2⤵
  PID:1768
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppXDeployment/Operational"
  2⤵
  PID:3104
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Debug"
  2⤵
  PID:4016
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Operational"
  2⤵
  PID:2832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Restricted"
  2⤵
  PID:3808
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ApplicabilityEngine/Analytic"
  2⤵
  PID:1548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ApplicabilityEngine/Operational"
  2⤵
  PID:3764
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Admin"
  2⤵
  PID:2212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Analytic"
  2⤵
  PID:288
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Debug"
  2⤵
  PID:3104
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Operational"
  2⤵
  PID:1284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
  2⤵
  PID:4856
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
  2⤵
  PID:5056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
  2⤵
  PID:912
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
  2⤵
  PID:2176
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory"
  2⤵
  PID:3596
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Telemetry"
  2⤵
  PID:4616
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Steps-Recorder"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Debug"
  2⤵
  PID:1364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Operational"
  2⤵
  PID:4816
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Performance"
  2⤵
  PID:4372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AssignedAccess/Admin"
  2⤵
  PID:880
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AssignedAccess/Operational"
  2⤵
  PID:892
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AssignedAccessBroker/Admin"
  2⤵
  PID:1116
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AssignedAccessBroker/Operational"
  2⤵
  PID:2824
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AsynchronousCausality/Causality"
  2⤵
  PID:3576
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audio/CaptureMonitor"
  2⤵
  PID:2832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audio/GlitchDetection"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audio/Informational"
  2⤵
  - Clears Windows event logs
  PID:4468
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audio/Operational"
  2⤵
  PID:4312
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audio/Performance"
  2⤵
  PID:304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audio/PlaybackManager"
  2⤵
  PID:288
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audit/Analytic"
  2⤵
  PID:2884
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Authentication User Interface/Operational"
  2⤵
  PID:2760
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
  2⤵
  PID:3612
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUser-Client"
  2⤵
  PID:3280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
  2⤵
  PID:4516
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
  2⤵
  PID:292
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AxInstallService/Log"
  2⤵
  PID:2072
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BTH-BTHPORT/HCI"
  2⤵
  PID:1776
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BTH-BTHPORT/L2CAP"
  2⤵
  PID:4728
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BTH-BTHUSB/Performance"
  2⤵
  PID:2268
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
  2⤵
  PID:2064
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
  2⤵
  PID:1256
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
  2⤵
  PID:3604
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Backup"
  2⤵
  PID:2992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
  2⤵
  PID:4868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
  2⤵
  PID:4728
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Battery/Diagnostic"
  2⤵
  PID:4588
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Biometrics/Analytic"
  2⤵
  PID:1364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Biometrics/Operational"
  2⤵
  PID:3228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
  2⤵
  PID:3116
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
  2⤵
  PID:1456
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
  2⤵
  PID:3796
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BitLocker/BitLocker Management"
  2⤵
  PID:2876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BitLocker/BitLocker Operational"
  2⤵
  PID:2416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BitLocker/Tracing"
  2⤵
  PID:1972
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Bits-Client/Analytic"
  2⤵
  - Clears Windows event logs
  PID:3344
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Bits-Client/Operational"
  2⤵
  PID:2664
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
  2⤵
  PID:1976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Bluetooth-Bthmini/Operational"
  2⤵
  PID:4140
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
  2⤵
  PID:280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Bluetooth-Policy/Operational"
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BranchCache/Operational"
  2⤵
  PID:3720
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
  2⤵
  PID:1472
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BranchCacheMonitoring/Analytic"
  2⤵
  PID:4584
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Analytic"
  2⤵
  PID:3332
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Operational"
  2⤵
  PID:3736
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CAPI2/Catalog Database Debug"
  2⤵
  PID:2484
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CAPI2/Operational"
  2⤵
  PID:4236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CDROM/Operational"
  2⤵
  PID:2992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/Analytic"
  2⤵
  PID:3720
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/ApartmentInitialize"
  2⤵
  PID:2380
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/ApartmentUninitialize"
  2⤵
  PID:1972
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/Call"
  2⤵
  PID:364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/CreateInstance"
  2⤵
  PID:4440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/ExtensionCatalog"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/FreeUnusedLibrary"
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/RundownInstrumentation"
  2⤵
  PID:2668
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COMRuntime/Activations"
  2⤵
  PID:3196
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COMRuntime/MessageProcessing"
  2⤵
  PID:5040
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COMRuntime/Tracing"
  2⤵
  PID:4204
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CertPoleEng/Operational"
  2⤵
  PID:3632
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
  2⤵
  PID:3420
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Cleanmgr/Diagnostic"
  2⤵
  PID:620
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
  2⤵
  PID:2300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CloudStore/Debug"
  2⤵
  PID:1124
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CloudStore/Operational"
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CmiSetup/Analytic"
  2⤵
  PID:296
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Operational"
  2⤵
  PID:2788
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Verbose"
  2⤵
  PID:280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ComDlg32/Analytic"
  2⤵
  PID:4204
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ComDlg32/Debug"
  2⤵
  PID:744
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Compat-Appraiser/Analytic"
  2⤵
  PID:3052
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Compat-Appraiser/Operational"
  2⤵
  PID:3232
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Containers-BindFlt/Debug"
  2⤵
  PID:2932
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Containers-BindFlt/Operational"
  2⤵
  PID:3576
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Containers-Wcifs/Debug"
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Containers-Wcifs/Operational"
  2⤵
  PID:3228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Containers-Wcnfs/Debug"
  2⤵
  PID:1768
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Containers-Wcnfs/Operational"
  2⤵
  PID:3732
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreApplication/Diagnostic"
  2⤵
  PID:5020
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreApplication/Operational"
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreApplication/Tracing"
  2⤵
  PID:3808
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
  2⤵
  PID:3804
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreWindow/Analytic"
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreWindow/Debug"
  2⤵
  PID:912
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
  2⤵
  PID:3796
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
  2⤵
  PID:2360
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crashdump/Operational"
  2⤵
  PID:4212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CredUI/Diagnostic"
  2⤵
  PID:3876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-BCRYPT/Analytic"
  2⤵
  PID:2280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-CNG/Analytic"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
  2⤵
  PID:4532
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/Debug"
  2⤵
  PID:2688
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/Operational"
  2⤵
  PID:3732
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-DSSEnh/Analytic"
  2⤵
  PID:4636
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-NCrypt/Operational"
  2⤵
  PID:3596
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-RNG/Analytic"
  2⤵
  PID:3552
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-RSAEnh/Analytic"
  2⤵
  PID:4372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-D3D10Level9/Analytic"
  2⤵
  PID:2300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-D3D10Level9/PerfTiming"
  2⤵
  PID:1916
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DAL-Provider/Analytic"
  2⤵
  PID:4364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DAL-Provider/Operational"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DAMM/Diagnostic"
  2⤵
  PID:3348
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DCLocator/Debug"
  2⤵
  PID:1888
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DDisplay/Analytic"
  2⤵
  PID:1284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DDisplay/Logging"
  2⤵
  PID:2624
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DLNA-Namespace/Analytic"
  2⤵
  PID:2664
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DNS-Client/Operational"
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DSC/Admin"
  2⤵
  PID:1548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DSC/Analytic"
  2⤵
  PID:296
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DSC/Debug"
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DSC/Operational"
  2⤵
  PID:304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DUI/Diagnostic"
  2⤵
  PID:4944
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DUSER/Diagnostic"
  2⤵
  PID:4728
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DXGI/Analytic"
  2⤵
  PID:364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DXGI/Logging"
  2⤵
  PID:2400
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DXP/Analytic"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Data-Pdf/Debug"
  2⤵
  PID:4860
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DataIntegrityScan/Admin"
  2⤵
  PID:3228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Analytic"
  2⤵
  PID:2740
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Debug"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Operational"
  2⤵
  PID:1500
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Deduplication/Diagnostic"
  2⤵
  PID:788
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Deduplication/Operational"
  2⤵
  PID:2872
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Deduplication/Performance"
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Deduplication/Scrubbing"
  2⤵
  PID:300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Defrag-Core/Debug"
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Deplorch/Analytic"
  2⤵
  PID:2884
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
  2⤵
  PID:4136
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
  2⤵
  PID:2852
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceAssociationService/Performance"
  2⤵
  PID:4440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceConfidence/Analytic"
  2⤵
  PID:3336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceGuard/Operational"
  2⤵
  PID:2064
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceGuard/Verbose"
  2⤵
  PID:276
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
  2⤵
  PID:2872
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
  2⤵
  PID:744
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Admin"
  2⤵
  PID:3796
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Analytic"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Debug"
  2⤵
  PID:424
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Operational"
  2⤵
  PID:3952
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceSync/Analytic"
  2⤵
  PID:3340
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceSync/Operational"
  2⤵
  PID:3244
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceUpdateAgent/Operational"
  2⤵
  PID:3280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceUx/Informational"
  2⤵
  PID:5108
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceUx/Performance"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Devices-Background/Operational"
  2⤵
  PID:4108
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Admin"
  2⤵
  PID:892
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Operational"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Admin"
  2⤵
  PID:3612
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Operational"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DiagCpl/Debug"
  2⤵
  PID:1976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
  2⤵
  PID:4368
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Analytic"
  2⤵
  PID:1896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Debug"
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Operational"
  2⤵
  PID:3720
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-MSDE/Debug"
  2⤵
  PID:4328
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Analytic"
  2⤵
  PID:2932
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Debug"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Operational"
  2⤵
  PID:860
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Debug"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Operational"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scheduled/Operational"
  2⤵
  PID:4656
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
  2⤵
  PID:3764
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Admin"
  2⤵
  PID:2948
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Analytic"
  2⤵
  PID:3612
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Debug"
  2⤵
  PID:3804
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Operational"
  2⤵
  PID:1124
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
  2⤵
  PID:1504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDC/Analytic"
  2⤵
  PID:3196
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDI/Debug"
  2⤵
  PID:288
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Debug"
  2⤵
  PID:3420
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Operational"
  2⤵
  PID:4016
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
  2⤵
  PID:5048
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Operational"
  2⤵
  PID:4312
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D10/Analytic"
  2⤵
  PID:2416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D10_1/Analytic"
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D11/Analytic"
  2⤵
  PID:4152
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D11/Logging"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D11/PerfTiming"
  2⤵
  PID:620
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D12/Analytic"
  2⤵
  PID:1040
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D12/Logging"
  2⤵
  PID:2328
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D12/PerfTiming"
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D9/Analytic"
  2⤵
  PID:1548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3DShaderCache/Default"
  2⤵
  PID:2280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DirectComposition/Diagnostic"
  2⤵
  PID:4548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DirectManipulation/Diagnostic"
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DirectShow-KernelSupport/Performance"
  2⤵
  PID:1972
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DirectSound/Debug"
  2⤵
  PID:3552
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Disk/Operational"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DiskDiagnostic/Operational"
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
  2⤵
  PID:1896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticResolver/Operational"
  2⤵
  PID:3308
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dism-Api/Analytic"
  2⤵
  PID:1428
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dism-Api/ExternalAnalytic"
  2⤵
  PID:892
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dism-Api/InternalAnalytic"
  2⤵
  PID:2268
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dism-Cli/Analytic"
  2⤵
  PID:3552
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Debug"
  2⤵
  PID:1244
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Operational"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Documents/Performance"
  2⤵
  PID:880
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DisplaySwitch/Diagnostic"
  2⤵
  PID:1304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dot3MM/Diagnostic"
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DucUpdateAgent/Operational"
  2⤵
  PID:2364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dwm-API/Diagnostic"
  2⤵
  PID:4908
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dwm-Core/Diagnostic"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dwm-Dwm/Diagnostic"
  2⤵
  PID:2380
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dwm-Redir/Diagnostic"
  2⤵
  PID:3488
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dwm-Udwm/Diagnostic"
  2⤵
  PID:4440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DxgKrnl-Admin"
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DxgKrnl-Operational"
  2⤵
  PID:3196
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Contention"
  2⤵
  PID:2688
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Diagnostic"
  2⤵
  PID:1628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Performance"
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Power"
  2⤵
  PID:4800
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EDP-Application-Learning/Admin"
  2⤵
  PID:5056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EDP-Audit-Regular/Admin"
  2⤵
  PID:2948
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EDP-Audit-TCB/Admin"
  2⤵
  PID:620
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EFS/Debug"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ESE/IODiagnose"
  2⤵
  PID:1928
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ESE/Operational"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EapHost/Debug"
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EapHost/Analytic"
  2⤵
  PID:3632
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EapHost/Operational"
  2⤵
  PID:3112
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EapMethods-RasChap/Operational"
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EapMethods-RasTls/Operational"
  2⤵
  PID:1768
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EapMethods-Sim/Operational"
  2⤵
  PID:4204
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EapMethods-Ttls/Operational"
  2⤵
  PID:3488
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EaseOfAccess/Diagnostic"
  2⤵
  PID:4584
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
  2⤵
  PID:1124
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Energy-Estimation-Engine/Trace"
  2⤵
  PID:3196
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
  2⤵
  PID:1628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EventCollector/Debug"
  2⤵
  PID:4328
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EventCollector/Operational"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EventLog-WMIProvider/Debug"
  2⤵
  PID:3764
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EventLog/Analytic"
  2⤵
  PID:2372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EventLog/Debug"
  2⤵
  PID:2824
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FMS/Analytic"
  2⤵
  PID:4944
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FMS/Debug"
  2⤵
  PID:3156
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FMS/Operational"
  2⤵
  PID:748
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
  2⤵
  PID:1504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FeatureConfiguration/Analytic"
  2⤵
  PID:2364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FeatureConfiguration/Operational"
  2⤵
  PID:3796
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Catalog/Analytic"
  2⤵
  PID:1916
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Catalog/Debug"
  2⤵
  PID:2236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
  2⤵
  PID:5108
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-ConfigManager/Debug"
  2⤵
  PID:4044
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/Analytic"
  2⤵
  PID:3196
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/Debug"
  2⤵
  PID:2360
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/WHC"
  2⤵
  PID:3156
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/Analytic"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/BackupLog"
  2⤵
  PID:3224
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/Debug"
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-EventListener/Analytic"
  2⤵
  PID:388
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-EventListener/Debug"
  2⤵
  PID:4804
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Service/Analytic"
  2⤵
  PID:224
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Service/Debug"
  2⤵
  PID:2388
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-UI-Events/Analytic"
  2⤵
  PID:3896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-UI-Events/Debug"
  2⤵
  PID:2832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileInfoMinifilter/Operational"
  2⤵
  PID:2328
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Firewall-CPL/Diagnostic"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Folder Redirection/Operational"
  2⤵
  PID:4804
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Forwarding/Debug"
  2⤵
  PID:3628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Forwarding/Operational"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-GPIO-ClassExtension/Analytic"
  2⤵
  PID:2236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-GenericRoaming/Admin"
  2⤵
  PID:2096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-GroupPolicy/Operational"
  2⤵
  PID:228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HAL/Debug"
  2⤵
  PID:1244
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HealthCenter/Debug"
  2⤵
  PID:2536
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HealthCenter/Performance"
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HealthCenterCPL/Performance"
  2⤵
  PID:3356
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HelloForBusiness/Operational"
  2⤵
  PID:4908
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Help/Operational"
  2⤵
  PID:1088
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
  2⤵
  PID:3244
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel/Operational"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HomeGroup Listener Service/Operational"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service/Operational"
  2⤵
  PID:2932
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HomeGroup-ListenerService"
  2⤵
  PID:4816
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HotspotAuth/Analytic"
  2⤵
  PID:2388
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HotspotAuth/Operational"
  2⤵
  PID:4356
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HttpService/Log"
  2⤵
  PID:276
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HttpService/Trace"
  2⤵
  PID:2520
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
  2⤵
  PID:4860
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
  2⤵
  PID:3640
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
  2⤵
  PID:2688
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
  2⤵
  PID:2992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
  2⤵
  PID:3308
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
  2⤵
  PID:4136
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
  2⤵
  PID:2876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
  2⤵
  PID:1632
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-VID-Admin"
  2⤵
  PID:2932
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-VID-Analytic"
  2⤵
  PID:4728
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IE-SmartScreen"
  2⤵
  PID:3532
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IKE/Operational"
  2⤵
  PID:364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IKEDBG/Debug"
  2⤵
  PID:396
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-Broker/Analytic"
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-CandidateUI/Analytic"
  2⤵
  PID:4356
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
  2⤵
  PID:2608
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
  2⤵
  PID:3764
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-JPAPI/Analytic"
  2⤵
  PID:2520
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-JPLMP/Analytic"
  2⤵
  PID:4856
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-JPPRED/Analytic"
  2⤵
  PID:2236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-JPSetting/Analytic"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-JPTIP/Analytic"
  2⤵
  PID:1768
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-KRAPI/Analytic"
  2⤵
  PID:4240
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-KRTIP/Analytic"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-OEDCompiler/Analytic"
  2⤵
  PID:1548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-TCCORE/Analytic"
  2⤵
  PID:3052
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-TCTIP/Analytic"
  2⤵
  PID:1284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-TIP/Analytic"
  2⤵
  PID:4944
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IPNAT/Diagnostic"
  2⤵
  PID:1972
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IPSEC-SRV/Diagnostic"
  2⤵
  PID:3952
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IPxlatCfg/Debug"
  2⤵
  PID:3532
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IPxlatCfg/Operational"
  2⤵
  PID:4816
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IdCtrls/Analytic"
  2⤵
  PID:3488
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IdCtrls/Operational"
  2⤵
  PID:3340
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
  2⤵
  PID:724
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Input-HIDCLASS-Analytic"
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-InputSwitch/Diagnostic"
  2⤵
  PID:3332
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Debug"
  2⤵
  PID:280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Operational"
  2⤵
  PID:3224
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Trace"
  2⤵
  PID:3560
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-KdsSvc/Operational"
  2⤵
  PID:4896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kerberos/Operational"
  2⤵
  PID:4532
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Acpi/Diagnostic"
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-AppCompat/General"
  2⤵
  PID:3232
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-AppCompat/Performance"
  2⤵
  PID:1168
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
  2⤵
  PID:5112
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Debug"
  2⤵
  PID:3052
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Operational"
  2⤵
  PID:3344
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Analytic"
  2⤵
  PID:3592
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Operational"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
  2⤵
  PID:424
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Disk/Analytic"
  2⤵
  PID:2896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Admin"
  2⤵
  PID:2528
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Analytic"
  2⤵
  PID:3552
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-File/Analytic"
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-IO/Operational"
  2⤵
  PID:1976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-LiveDump/Analytic"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-LiveDump/Operational"
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Memory/Analytic"
  2⤵
  PID:1788
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Network/Analytic"
  2⤵
  PID:4240
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Pdc/Diagnostic"
  2⤵
  PID:2824
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Pep/Diagnostic"
  2⤵
  PID:1504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Configuration"
  2⤵
  PID:4868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
  2⤵
  PID:5112
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
  2⤵
  PID:2096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
  2⤵
  PID:1116
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
  2⤵
  PID:224
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Diagnostic"
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
  2⤵
  PID:2364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Operational"
  2⤵
  PID:4212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
  2⤵
  PID:4804
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Process/Analytic"
  2⤵
  PID:2724
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
  2⤵
  PID:4976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Analytic"
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Performance"
  2⤵
  PID:3628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Debug"
  2⤵
  PID:5056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
  2⤵
  PID:3032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Operational"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Analytic"
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Operational"
  2⤵
  PID:880
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Analytic"
  2⤵
  PID:3960
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Debug"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Operational"
  2⤵
  PID:2300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Errors"
  2⤵
  PID:2280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Operational"
  2⤵
  PID:2884
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-XDV/Analytic"
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Admin"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Operational"
  2⤵
  PID:3052
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Performance"
  2⤵
  PID:2760
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Known Folders API Service"
  2⤵
  PID:2984
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-L2NA/Diagnostic"
  2⤵
  PID:3340
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LDAP-Client/Debug"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LSA/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:1928
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LSA/Operational"
  2⤵
  PID:2252
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LSA/Performance"
  2⤵
  PID:4712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
  2⤵
  PID:2260
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Analytic"
  2⤵
  PID:880
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Debug"
  2⤵
  PID:304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Operational"
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LimitsManagement/Diagnostic"
  2⤵
  PID:4240
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LiveId/Analytic"
  2⤵
  PID:3052
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LiveId/Operational"
  2⤵
  PID:4212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MPS-CLNT/Diagnostic"
  2⤵
  PID:228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MPS-DRV/Diagnostic"
  2⤵
  PID:3032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MPS-SRV/Diagnostic"
  2⤵
  PID:2832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MSFTEDIT/Diagnostic"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MSPaint/Admin"
  2⤵
  PID:1700
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MSPaint/Debug"
  2⤵
  PID:3224
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MSPaint/Diagnostic"
  2⤵
  PID:304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MUI/Admin"
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MUI/Analytic"
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MUI/Debug"
  2⤵
  PID:3652
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MUI/Operational"
  2⤵
  PID:1504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Media-Streaming/DMC"
  2⤵
  PID:2876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Media-Streaming/DMR"
  2⤵
  PID:3344
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Media-Streaming/MDE"
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
  2⤵
  PID:3952
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
  2⤵
  PID:4440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
  2⤵
  PID:4204
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
  2⤵
  PID:1088
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
  2⤵
  PID:5056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Minstore/Analytic"
  2⤵
  PID:3340
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Minstore/Debug"
  2⤵
  PID:4640
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
  2⤵
  PID:2260
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
  2⤵
  PID:2236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
  2⤵
  PID:1788
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
  2⤵
  PID:304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MobilityCenter/Performance"
  2⤵
  PID:1548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
  2⤵
  PID:1632
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
  2⤵
  PID:1116
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
  2⤵
  PID:4236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Mprddm/Operational"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NCSI/Analytic"
  2⤵
  PID:2268
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NCSI/Operational"
  2⤵
  PID:228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NDIS/Diagnostic"
  2⤵
  PID:4860
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NDIS/Operational"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NTLM/Operational"
  2⤵
  PID:3604
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NWiFi/Diagnostic"
  2⤵
  PID:1300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Narrator/Diagnostic"
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Ncasvc/Operational"
  2⤵
  PID:2824
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Diagnostic"
  2⤵
  PID:1284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Operational"
  2⤵
  PID:3720
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NdisImPlatform/Operational"
  2⤵
  PID:4628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Ndu/Diagnostic"
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetShell/Performance"
  2⤵
  PID:1972
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Network-Connection-Broker"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Network-DataUsage/Analytic"
  2⤵
  PID:2984
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Network-Setup/Diagnostic"
  2⤵
  PID:228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:3340
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkBridge/Diagnostic"
  2⤵
  PID:4896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkLocationWizard/Operational"
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Diagnostic"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Operational"
  2⤵
  PID:3640
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkProvider/Operational"
  2⤵
  PID:3632
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Analytic"
  2⤵
  PID:1936
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Operational"
  2⤵
  PID:1284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkSecurity/Debug"
  2⤵
  PID:3952
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkStatus/Analytic"
  2⤵
  PID:4800
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Networking-Correlation/Diagnostic"
  2⤵
  PID:396
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
  2⤵
  PID:2984
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NlaSvc/Diagnostic"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NlaSvc/Operational"
  2⤵
  PID:1928
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Ntfs/Operational"
  2⤵
  PID:4856
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Ntfs/Performance"
  2⤵
  PID:3340
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Ntfs/WHC"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OLE/Clipboard-Performance"
  2⤵
  PID:3104
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OLEACC/Debug"
  2⤵
  PID:4400
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OLEACC/Diagnostic"
  2⤵
  PID:3652
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
  2⤵
  PID:4440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Operational"
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
  2⤵
  PID:3244
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OcpUpdateAgent/Operational"
  2⤵
  PID:724
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Analytic"
  2⤵
  PID:4800
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Debug"
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Operational"
  2⤵
  PID:748
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OfflineFiles/SyncLog"
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OneBackup/Debug"
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OneX/Diagnostic"
  2⤵
  PID:4888
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OneX/Operational"
  2⤵
  PID:880
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OobeLdr/Analytic"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OtpCredentialProvider/Operational"
  2⤵
  PID:3420
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PCI/Diagnostic"
  2⤵
  PID:3108
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Analytic"
  2⤵
  PID:1632
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Debug"
  2⤵
  PID:4152
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Operational"
  2⤵
  PID:4212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ParentalControls/Operational"
  2⤵
  PID:4204
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Partition/Analytic"
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Partition/Diagnostic"
  2⤵
  PID:2736
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
  2⤵
  PID:1140
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PerceptionRuntime/Operational"
  2⤵
  PID:2252
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PerceptionSensorDataService/Operational"
  2⤵
  PID:4712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
  2⤵
  PID:3224
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
  2⤵
  PID:880
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
  2⤵
  PID:2176
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
  2⤵
  PID:3308
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
  2⤵
  PID:304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
  2⤵
  PID:2364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
  2⤵
  PID:2932
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
  2⤵
  PID:2624
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PhotoAcq/Analytic"
  2⤵
  PID:5108
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PlayToManager/Analytic"
  2⤵
  PID:1140
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Policy/Analytic"
  2⤵
  PID:3032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Policy/Operational"
  2⤵
  PID:1700
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
  2⤵
  PID:1064
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
  2⤵
  PID:4980
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PowerCfg/Diagnostic"
  2⤵
  PID:2280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PowerCpl/Diagnostic"
  2⤵
  PID:2372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
  2⤵
  PID:3212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
  2⤵
  PID:2740
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PowerShell/Admin"
  2⤵
  PID:2824
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PowerShell/Analytic"
  2⤵
  PID:3108
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PowerShell/Debug"
  2⤵
  PID:4408
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PowerShell/Operational"
  2⤵
  PID:1632
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PrimaryNetworkIcon/Performance"
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PrintBRM/Admin"
  2⤵
  PID:3592
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PrintService-USBMon/Debug"
  2⤵
  PID:1972
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PrintService/Admin"
  2⤵
  PID:2932
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PrintService/Debug"
  2⤵
  PID:724
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PrintService/Operational"
  2⤵
  PID:5108
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Privacy-Auditing/Operational"
  2⤵
  PID:3032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ProcessStateManager/Diagnostic"
  2⤵
  PID:292
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
  2⤵
  PID:4548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
  2⤵
  PID:388
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
  2⤵
  PID:2176
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
  2⤵
  PID:2872
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
  2⤵
  PID:1428
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Diagnostic"
  2⤵
  PID:3632
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Informational"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Performance"
  2⤵
  PID:3108
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PushNotification-Developer/Debug"
  2⤵
  PID:4220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PushNotification-InProc/Debug"
  2⤵
  PID:1504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Admin"
  2⤵
  PID:3344
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Debug"
  2⤵
  PID:4584
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Operational"
  2⤵
  PID:2528
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-QoS-Pacer/Diagnostic"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-QoS-qWAVE/Debug"
  2⤵
  PID:3740
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RPC-Proxy/Debug"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RPC/Debug"
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RPC/EEInfo"
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RRAS/Debug"
  2⤵
  PID:912
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RRAS/Operational"
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RadioManager/Analytic"
  2⤵
  PID:3356
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RasAgileVpn/Debug"
  2⤵
  PID:3652
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RasAgileVpn/Operational"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ReFS/Operational"
  2⤵
  PID:4124
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Analytic"
  2⤵
  PID:4628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Operational"
  2⤵
  PID:4728
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Analytic"
  2⤵
  PID:1972
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Operational"
  2⤵
  PID:2760
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Regsvr32/Operational"
  2⤵
  PID:2212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
  2⤵
  PID:724
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
  2⤵
  PID:3032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Admin"
  2⤵
  PID:4640
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Operational"
  2⤵
  PID:3224
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Tracing"
  2⤵
  PID:1300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
  2⤵
  PID:880
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
  2⤵
  PID:2788
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
  2⤵
  PID:3356
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
  2⤵
  PID:2740
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
  2⤵
  PID:2360
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
  2⤵
  PID:3576
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Operational"
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ResetEng-Trace/Diagnostic"
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
  2⤵
  PID:4276
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ResourcePublication/Tracing"
  2⤵
  PID:1064
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RestartManager/Operational"
  2⤵
  PID:4888
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RetailDemo/Admin"
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RetailDemo/Operational"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime-Graphics/Analytic"
  2⤵
  PID:2372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
  2⤵
  PID:880
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime-Networking/Tracing"
  2⤵
  PID:300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime-Web-Http/Tracing"
  2⤵
  PID:3356
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime-WebAPI/Tracing"
  2⤵
  PID:3652
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
  2⤵
  PID:304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
  2⤵
  PID:3244
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
  2⤵
  PID:3488
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
  2⤵
  PID:4584
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime/CreateInstance"
  2⤵
  PID:1916
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime/Error"
  2⤵
  PID:4356
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBClient/Analytic"
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
  2⤵
  PID:1456
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
  2⤵
  PID:2388
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBClient/Operational"
  2⤵
  PID:2300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBDirect/Admin"
  2⤵
  PID:3340
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBDirect/Debug"
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBDirect/Netmon"
  2⤵
  PID:3596
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBServer/Analytic"
  2⤵
  PID:3640
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBServer/Audit"
  2⤵
  PID:1300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBServer/Connectivity"
  2⤵
  PID:1888
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBServer/Diagnostic"
  2⤵
  PID:2176
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBServer/Operational"
  2⤵
  PID:3212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBServer/Performance"
  2⤵
  PID:3420
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBServer/Security"
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Admin"
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Informational"
  2⤵
  PID:2996
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SPB-ClassExtension/Analytic"
  2⤵
  PID:4628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SPB-HIDI2C/Analytic"
  2⤵
  PID:4236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Schannel-Events/Perf"
  2⤵
  PID:2932
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Sdbus/Analytic"
  2⤵
  PID:3496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Sdbus/Debug"
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Sdstor/Analytic"
  2⤵
  PID:2536
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Search-Core/Diagnostic"
  2⤵
  PID:3960
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
  2⤵
  PID:3332
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SearchUI/Diagnostic"
  2⤵
  PID:1064
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SearchUI/Operational"
  2⤵
  PID:2300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SecureAssessment/Operational"
  2⤵
  PID:2260
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Adminless/Operational"
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
  2⤵
  PID:388
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
  2⤵
  PID:3736
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
  2⤵
  PID:1168
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-IdentityListener/Operational"
  2⤵
  PID:2740
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-IdentityStore/Performance"
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
  2⤵
  PID:2364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Mitigations/KernelMode"
  2⤵
  PID:4628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Mitigations/UserMode"
  2⤵
  PID:4152
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Netlogon/Operational"
  2⤵
  PID:748
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
  2⤵
  PID:2212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
  2⤵
  PID:1916
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX/Analytic"
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-SPP/Perf"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-UserConsentVerifier/Audit"
  2⤵
  PID:4548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Vault/Performance"
  2⤵
  PID:3104
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Admin"
  2⤵
  PID:4856
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Operational"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Perf"
  2⤵
  PID:2992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SendTo/Diagnostic"
  2⤵
  PID:3808
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Sens/Debug"
  2⤵
  PID:4220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Sensors/Debug"
  2⤵
  PID:2760
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Sensors/Performance"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
  2⤵
  PID:748
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Serial-ClassExtension/Analytic"
  2⤵
  PID:3992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ServiceReportingApi/Debug"
  2⤵
  PID:4976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Services-Svchost/Diagnostic"
  2⤵
  PID:1124
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Services/Diagnostic"
  2⤵
  PID:1140
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Servicing/Debug"
  2⤵
  PID:3032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Debug"
  2⤵
  PID:3560
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Operational"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Analytic"
  2⤵
  PID:4240
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Debug"
  2⤵
  PID:1888
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Operational"
  2⤵
  PID:3736
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync/Analytic"
  2⤵
  PID:3420
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync/Debug"
  2⤵
  PID:1308
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync/Operational"
  2⤵
  PID:2992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync/VerboseDebug"
  2⤵
  PID:4192
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Setup/Analytic"
  2⤵
  PID:2364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SetupCl/Analytic"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SetupPlatform/Analytic"
  2⤵
  PID:3344
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SetupQueue/Analytic"
  2⤵
  PID:2760
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SetupUGC/Analytic"
  2⤵
  PID:4356
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
  2⤵
  PID:1456
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
  2⤵
  PID:5096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
  2⤵
  PID:4896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
  2⤵
  PID:3348
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
  2⤵
  PID:912
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
  2⤵
  PID:3212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
  2⤵
  PID:3900
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-Core/ActionCenter"
  2⤵
  PID:3420
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-Core/AppDefaults"
  2⤵
  PID:2380
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-Core/Diagnostic"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-Core/LogonTasksChannel"
  2⤵
  PID:2992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-Core/Operational"
  2⤵
  PID:2360
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
  2⤵
  PID:4800
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
  2⤵
  PID:5056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-OpenWith/Diagnostic"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-Shwebsvc"
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
  2⤵
  PID:2528
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
  2⤵
  PID:4356
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
  2⤵
  PID:892
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shsvcs/Diagnostic"
  2⤵
  PID:5096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SleepStudy/Diagnostic"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmartCard-Audit/Authentication"
  2⤵
  PID:4548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
  2⤵
  PID:4368
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
  2⤵
  PID:3104
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
  2⤵
  PID:4400
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmartScreen/Debug"
  2⤵
  PID:2824
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmbClient/Audit"
  2⤵
  PID:3808
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmbClient/Connectivity"
  2⤵
  PID:4236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmbClient/Diagnostic"
  2⤵
  PID:2364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmbClient/Security"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Speech-UserExperience/Diagnostic"
  2⤵
  PID:5056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Spell-Checking/Analytic"
  2⤵
  PID:228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SpellChecker/Analytic"
  2⤵
  PID:4044
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Spellchecking-Host/Analytic"
  2⤵
  PID:3596
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SruMon/Diagnostic"
  2⤵
  PID:3740
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SrumTelemetry"
  2⤵
  PID:4368
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StateRepository/Debug"
  2⤵
  PID:2872
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StateRepository/Diagnostic"
  2⤵
  PID:300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StateRepository/Operational"
  2⤵
  PID:3356
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StateRepository/Restricted"
  2⤵
  PID:1376
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorDiag/Operational"
  2⤵
  PID:4236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorPort/Operational"
  2⤵
  PID:2208
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Admin"
  2⤵
  PID:1284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Analytic"
  2⤵
  PID:4204
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Debug"
  2⤵
  PID:2832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Diagnose"
  2⤵
  PID:216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Operational"
  2⤵
  PID:4852
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Admin"
  2⤵
  PID:724
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Analytic"
  2⤵
  PID:1456
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Debug"
  2⤵
  PID:280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Diagnose"
  2⤵
  PID:1700
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Operational"
  2⤵
  PID:2260
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Admin"
  2⤵
  PID:1280
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Analytic"
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Debug"
  2⤵
  PID:3472
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Diagnose"
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Operational"
  2⤵
  PID:1888
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Admin"
  2⤵
  PID:4308
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Analytic"
  2⤵
  PID:2380
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Debug"
  2⤵
  PID:4192
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Diagnose"
  2⤵
  PID:2364
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Health"
  2⤵
  PID:4584
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Operational"
  2⤵
  PID:4152
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
  2⤵
  PID:2536
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Tiering/Admin"
  2⤵
  PID:3332
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageManagement/Debug"
  2⤵
  PID:4276
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageManagement/Operational"
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageSettings/Diagnostic"
  2⤵
  PID:4640
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
  2⤵
  PID:4240
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Operational"
  2⤵
  PID:4548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Performance"
  2⤵
  PID:2284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
  2⤵
  PID:1696
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
  2⤵
  PID:4712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
  2⤵
  PID:972
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Store/Operational"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storsvc/Diagnostic"
  2⤵
  PID:3420
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Subsys-Csr/Operational"
  2⤵
  PID:4944
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Subsys-SMSS/Operational"
  2⤵
  PID:1168
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Superfetch/Main"
  2⤵
  PID:2096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Superfetch/PfApLog"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Superfetch/StoreLog"
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Sysmon/Operational"
  2⤵
  PID:4192
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Sysprep/Analytic"
  2⤵
  PID:3344
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
  2⤵
  PID:3552
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SystemSettingsHandlers/Debug"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Debug"
  2⤵
  PID:2212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
  2⤵
  PID:724
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Operational"
  2⤵
  PID:1064
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TCPIP/Diagnostic"
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TCPIP/Operational"
  2⤵
  PID:4548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Debug"
  2⤵
  PID:2680
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Diagnostic"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Debug"
  2⤵
  PID:4944
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Diagnostic"
  2⤵
  PID:3592
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TTS/Diagnostic"
  2⤵
  PID:1504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TWinAPI/Diagnostic"
  2⤵
  PID:1948
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TWinUI/Diagnostic"
  2⤵
  PID:3628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TWinUI/Operational"
  2⤵
  PID:4172
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TZSync/Analytic"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TZSync/Operational"
  2⤵
  PID:4976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TZUtil/Operational"
  2⤵
  PID:4152
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Debug"
  2⤵
  PID:2536
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Diagnostic"
  2⤵
  PID:2760
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Maintenance"
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Operational"
  2⤵
  PID:2236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TaskbarCPL/Diagnostic"
  2⤵
  PID:4888
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
  2⤵
  PID:2300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
  2⤵
  PID:3740
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
  2⤵
  PID:3348
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
  2⤵
  PID:4400
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
  2⤵
  PID:300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
  2⤵
  PID:2680
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
  2⤵
  PID:3108
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
  2⤵
  PID:4512
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
  2⤵
  PID:2360
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
  2⤵
  PID:3488
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
  2⤵
  PID:2268
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
  2⤵
  PID:1768
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Admin"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Analytic"
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Debug"
  2⤵
  PID:2688
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Operational"
  2⤵
  PID:3472
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
  2⤵
  PID:300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Debug"
  2⤵
  PID:3356
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Operational"
  2⤵
  PID:2736
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
  2⤵
  PID:4896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
  2⤵
  PID:4240
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
  2⤵
  PID:2096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
  2⤵
  PID:1088
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
  2⤵
  PID:4192
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
  2⤵
  PID:216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
  2⤵
  PID:1928
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Tethering-Manager/Analytic"
  2⤵
  PID:2252
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Tethering-Station/Analytic"
  2⤵
  PID:2760
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ThemeCPL/Diagnostic"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ThemeUI/Diagnostic"
  2⤵
  PID:1064
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Threat-Intelligence/Analytic"
  2⤵
  PID:2236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Time-Service/Operational"
  2⤵
  PID:2176
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Troubleshooting-Recommended/Admin"
  2⤵
  PID:3348
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Troubleshooting-Recommended/Operational"
  2⤵
  PID:1696
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TunnelDriver"
  2⤵
  PID:3632
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UAC-FileVirtualization/Operational"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UAC/Operational"
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UI-Shell/Diagnostic"
  2⤵
  PID:4944
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UIAnimation/Diagnostic"
  2⤵
  PID:2624
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Debug"
  2⤵
  PID:4544
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Diagnostic"
  2⤵
  PID:2360
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Perf"
  2⤵
  PID:1948
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UIRibbon/Diagnostic"
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-USB-MAUSBHOST-Analytic"
  2⤵
  PID:3552
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-USB-UCX-Analytic"
  2⤵
  PID:3488
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-USB-USBHUB/Diagnostic"
  2⤵
  PID:216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-USB-USBHUB3-Analytic"
  2⤵
  PID:2268
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-USB-USBPORT/Diagnostic"
  2⤵
  PID:1124
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-USB-USBXHCI-Analytic"
  2⤵
  PID:4152
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
  2⤵
  PID:5096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UniversalTelemetryClient/Operational"
  2⤵
  PID:2760
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User Control Panel Performance/Diagnostic"
  2⤵
  PID:1700
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User Control Panel Usage/Diagnostic"
  2⤵
  PID:292
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User Control Panel/Diagnostic"
  2⤵
  PID:2372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User Control Panel/Operational"
  2⤵
  PID:3104
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User Device Registration/Admin"
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User Device Registration/Debug"
  2⤵
  PID:2176
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User Profile Service/Diagnostic"
  2⤵
  PID:3736
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User Profile Service/Operational"
  2⤵
  PID:4400
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User-Loader/Analytic"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User-Loader/Operational"
  2⤵
  PID:1696
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UserAccountControl/Diagnostic"
  2⤵
  PID:4856
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UserModePowerService/Diagnostic"
  2⤵
  PID:2380
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UserPnp/ActionCenter"
  2⤵
  PID:300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceInstall"
  2⤵
  PID:2096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UserPnp/Performance"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UserPnp/SchedulerOperations"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UxInit/Diagnostic"
  2⤵
  PID:3552
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UxTheme/Diagnostic"
  2⤵
  PID:2528
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VAN/Diagnostic"
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VDRVROOT/Operational"
  2⤵
  PID:3960
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VHDMP-Analytic"
  2⤵
  PID:2260
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VHDMP-Operational"
  2⤵
  - Clears Windows event logs
  PID:3560
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VIRTDISK-Analytic"
  2⤵
  PID:2284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VPN-Client/Operational"
  2⤵
  PID:2176
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VPN/Operational"
  2⤵
  PID:3308
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VWiFi/Diagnostic"
  2⤵
  PID:1428
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VerifyHardwareSecurity/Admin"
  2⤵
  PID:3652
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VerifyHardwareSecurity/Operational"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Volume/Diagnostic"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VolumeControl/Performance"
  2⤵
  PID:4944
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
  2⤵
  PID:2624
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
  2⤵
  PID:1232
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WABSyncProvider/Analytic"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WCNWiz/Analytic"
  2⤵
  PID:1976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WEPHOSTSVC/Operational"
  2⤵
  PID:3552
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WER-PayloadHealth/Operational"
  2⤵
  PID:1124
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WFP/Analytic"
  2⤵
  PID:2536
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WFP/Operational"
  2⤵
  PID:3032
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WLAN-AutoConfig/Operational"
  2⤵
  PID:1456
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WLAN-Driver/Analytic"
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
  2⤵
  PID:2760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe a19d6df273c0e921c7a1f2521001d6fb 8BwmdaOuQ0mbHL9mGo7PcQ.0.1.0.0.0
1⤵
PID:2872
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4312

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3336

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3796

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR TIYWEPXB FILES.TXT

Filesize
922B

MD5
6fa42be5e99f714ae3efe70db3ad340d

SHA1
49f045ffc35a666ca4339fd1b7407909f5131130

SHA256
5fe79f12ae2f96a65414d1cdd1c70f3e3eb7eff3de173e3c60a1c5e67fb2de3f

SHA512
e87e8959b41a224e12dc7693ebef4821007b6ff285d10ca6ac09c6ecadccf74d5212aab5a7acf93c27af64f70616b79bd3484623bf5eab66d6d43a25a5bd321d

Download Submit
\??\c:\windows\temp\ragluoopx.bat

Filesize
11KB

MD5
9ef680eda0e357dfcdfe9a7ddcd33514

SHA1
33a5a77eb9bb3be27b37fb8645fbe946b3f5f4ed

SHA256
dc98394f1189fd8ae45eec6e7302993b0cc2da4ab8855503ca6d76ed59b17692

SHA512
e3b3e595d760c13d5509ca8e621dc8bec36d705199effcc60b1c854d0f6ce17bc1eab26ea5704dba1d34a4e35c401cf22917deb088fce1e32403878ebc690293

Download Submit