Analysis Overview
SHA256
401790095e2544ea86840db790d63ae541bce50f0bc8baa7822e31ecbbb5a3b7
Threat Level: Known bad
The file 401790095e2544ea86840db790d63ae541bce50f0bc8baa7822e31ecbbb5a3b7 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Gh0st RAT payload
Clears Windows event logs
Blocklisted process makes network request
Possible privilege escalation attempt
UPX packed file
Loads dropped DLL
Modifies file permissions
Checks computer location settings
Executes dropped EXE
AutoIT Executable
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Analysis: static1
Detonation Overview
Reported
2024-06-18 09:55
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:58
Platform
win7-20240611-en
Max time kernel
124s
Max time network
126s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| N/A | N/A | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe | N/A |
| N/A | N/A | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_D2FDAF9311DEB8FADA8D338E3BD2071D | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_D2FDAF9311DEB8FADA8D338E3BD2071D | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe | N/A |
| File created | C:\Program Files\AppPatch\8.77.dll | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe | N/A |
| File opened for modification | C:\Program Files\AppPatch\8.77.dll | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\AppPatch\Custom\Custom64\__tmp_rar_sfx_access_check_259421285 | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\AppPatch\Custom\Custom64\GoogleUpdateTaskMachineUA{16BC37E5-3A02-401D-B8D2-176130sdlvse.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\GoogleUpdateTaskMachineUA{16BC37E5-3A02-401D-B8D2-176130svc.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\AppPatch\Custom\Custom64\GoogleUpdateTaskMachineUA{E67DA9CE-6D58-456B-9EBF-9366B90dllll.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\AppPatch\Custom\Custom64\conhotsdfw.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\AppPatch\Custom\Custom64\GoogleUpdateTaskMachineUA{16BC37E5-3A02-401D-B8D2-176130bin lvse.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\GoogleUpdateTaskMachineUA{16BC37E5-3A02-401D-B8D2-176130bin lvse.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\GoogleUpdateTaskMachineUA{16BC37E5-3A02-401D-B8D2-176130sdlvse.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\AppPatch\Custom\Custom64\GoogleUpdateTaskMachineUA{16BC37E5-3A02-401D-B8D2-176130svc.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\GoogleUpdateTaskMachineUA{E67DA9CE-6D58-456B-9EBF-9366B90dllll.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\AppPatch\Custom\Custom64\conhost dhlvse.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\conhost dhlvse.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\svchost.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\conhotsdfw.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\AppPatch\Custom\Custom64\conhotsdlvse.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\conhotsdlvse.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\AppPatch\Custom\Custom64\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\AppPatch\Custom\Custom64\libcurllvse.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\libcurllvse.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\AppPatch\Custom\Custom64\svchost.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-a0-3a-d9-da-22\WpadDecision = "0" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1049C045-362A-4919-8E96-5E4DEED5D274}\WpadDecision = "0" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-a0-3a-d9-da-22\WpadDecisionReason = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1049C045-362A-4919-8E96-5E4DEED5D274}\62-a0-3a-d9-da-22 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1049C045-362A-4919-8E96-5E4DEED5D274}\WpadDecisionReason = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1049C045-362A-4919-8E96-5E4DEED5D274}\WpadNetworkName = "Network 2" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-a0-3a-d9-da-22 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-a0-3a-d9-da-22\WpadDecisionTime = c07fc4ca65c1da01 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0166000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1049C045-362A-4919-8E96-5E4DEED5D274} | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1049C045-362A-4919-8E96-5E4DEED5D274}\WpadDecisionTime = c07fc4ca65c1da01 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\mm.exe
"C:\Users\Admin\AppData\Local\Temp\mm.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {29dfdaf6-2655-4d7d-9dae-112ce811cf33};C:\Users\Admin\AppData\Local\Temp\mm.exe;2936
C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe
"C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe"
C:\Program Files (x86)\Windows NT\conhostdhfw.exe
"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"
C:\Program Files (x86)\Windows NT\conhostdhfw.exe
"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"
C:\Program Files (x86)\Windows NT\conhostdhfw.exe
"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 344
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | movie.metaservices.microsoft.com | udp |
| US | 65.55.186.113:80 | movie.metaservices.microsoft.com | tcp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| HK | 45.207.168.120:7744 | xiazai.caobibibi.com | tcp |
| US | 8.8.8.8:53 | bj.caobibibi.com | udp |
| HK | 45.204.85.28:10087 | bj.caobibibi.com | tcp |
| US | 8.8.8.8:53 | user.qzone.qq.com | udp |
| HK | 43.129.115.16:80 | user.qzone.qq.com | tcp |
| HK | 43.129.115.16:443 | user.qzone.qq.com | tcp |
| US | 8.8.8.8:53 | i.qq.com | udp |
| HK | 43.135.106.65:80 | i.qq.com | tcp |
| HK | 43.135.106.65:443 | i.qq.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | ocsp.digicert.cn | udp |
| US | 163.181.154.238:80 | ocsp.digicert.cn | tcp |
| HK | 45.204.85.28:10087 | bj.caobibibi.com | tcp |
| HK | 43.129.115.16:80 | user.qzone.qq.com | tcp |
| HK | 43.129.115.16:443 | user.qzone.qq.com | tcp |
| HK | 43.135.106.65:80 | i.qq.com | tcp |
| HK | 43.135.106.65:443 | i.qq.com | tcp |
Files
C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe
| Hash | Value |
|---|---|
| MD5 | 90d83bbad8110780e90b8f0beab172f9 |
| SHA1 | 0ced0e716b07945787bf78ae6296a5f24bfdbe59 |
| SHA256 | c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105 |
| SHA512 | 92d4a6697644925176852c2b43bf297b16afadc2a993c135b5aa9df3c74a280bfb7cde883c6bf5c8b06202ff55168997dcf89ef2e791a3aeaca3cb09b6ac7707 |
C:\Program Files\AppPatch\8.77.dll
| Hash | Value |
|---|---|
| MD5 | 0a74e0bffbce3cc5466796739cfdeb44 |
| SHA1 | c3b50df0a1de18b7053bff1b0293f5512f824055 |
| SHA256 | cdabc33a27b23c2060637193a4cbad94e16d31e6a4df7d67bdc6b63c1d056b30 |
| SHA512 | 9fb4f39d95820f63da2d8767b76f317c512a8db1b86428f04baf4b163d0deaee5c4726c9f66807a3b1c223d575557fabc88e0cde73a4561b304f6edd76b8cc36 |
memory/2532-43-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2532-47-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2532-46-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2980-59-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2980-62-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2980-63-0x0000000010000000-0x000000001034B000-memory.dmp
memory/1688-68-0x0000000010000000-0x000000001034B000-memory.dmp
memory/1688-69-0x0000000010000000-0x000000001034B000-memory.dmp
memory/1688-65-0x0000000010000000-0x000000001034B000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| Hash | Value |
|---|---|
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Windows\Temp\TarB10C.tmp
| Hash | Value |
|---|---|
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:58
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\utilman.exe
"C:\Users\Admin\AppData\Local\Temp\utilman.exe"
Network
Files
memory/2200-0-0x0000000140000000-0x0000000140026000-memory.dmp
memory/2200-1-0x0000000140000000-0x0000000140026000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:58
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\utilman.exe
"C:\Users\Admin\AppData\Local\Temp\utilman.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/1608-0-0x0000000140000000-0x0000000140026000-memory.dmp
memory/1608-2-0x0000000140000000-0x0000000140026000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:55
Platform
win10v2004-20240508-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:55
Platform
win7-20240221-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:55
Platform
win10v2004-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:55
Platform
win7-20240508-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:55
Platform
win7-20240221-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:55
Platform
win10v2004-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:58
Platform
win7-20240611-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Clears Windows event logs
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\LogDelete.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c WEVTUTIL EL
C:\Windows\system32\wevtutil.exe
WEVTUTIL EL
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Application"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "DebugChannel"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "DirectShowFilterGraph"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "DirectShowPluginControl"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Els_Hyphenation/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "EndpointMapper"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "ForwardedEvents"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "HardwareEvents"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Internet Explorer"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Key Management Service"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Media Center"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationDeviceProxy"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPerformance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPipeline"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPlatform"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-IE/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-IEDVTOOL/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-API-Tracing/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ATAPort/General"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ATAPort/SATA-LPM"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ActionQueue/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AltTab/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppID/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppLocker/EXE and DLL"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppLocker/MSI and Script"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Telemetry"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audio/CaptureMonitor"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audio/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audio/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audit/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Authentication User Interface/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AxInstallService/Log"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Backup"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Biometrics/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Bits-Client/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Bits-Client/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCache/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CAPI2/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CDROM/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COM/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COMRuntime/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Calculator/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Calculator/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CertPoleEng/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CmiSetup/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Verbose"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ComDlg32/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ComDlg32/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CredUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Crypto-RNG/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-D3D10Level9/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-D3D10Level9/PerfTiming"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DCLocator/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DNS-Client/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DUSER/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DXGI/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DXGI/Logging"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DXP/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Deplorch/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceSync/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceSync/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceUx/Informational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceUx/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DhcpNap/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DhcpNap/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DiagCpl/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-MSDE/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scheduled/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-TaskManager/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDC/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDI/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D10/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D10_1/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D11/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D11/Logging"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D11/PerfTiming"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DirectShow-KernelSupport/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DirectSound/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DirectWrite-FontCache/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DirectWrite/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Disk/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DiskDiagnostic/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticResolver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DisplaySwitch/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Documents/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxpTaskRingtone/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EFS/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapHost/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapHost/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapHost/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EaseOfAccess/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventCollector/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventCollector/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventLog-WMIProvider/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventLog/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventLog/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FMS/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FMS/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FMS/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Feedback-Service-TriggerProvider"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileInfoMinifilter/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Firewall-CPL/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Folder Redirection/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Forwarding/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Forwarding/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-GettingStarted/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-GroupPolicy/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HAL/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HealthCenter/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HealthCenter/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HealthCenterCPL/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Help/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Listener Service/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup-ListenerService"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HotStart/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HttpService/Trace"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IKE/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IKEDBG/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IPBusEnum/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IPSEC-SRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-International/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Trace"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Acpi/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Disk/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-File/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Memory/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Network/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Process/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Errors"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Known Folders API Service"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-L2NA/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LDAP-Client/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MCT/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPS-CLNT/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPS-DRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPS-SRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSPaint/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSPaint/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSPaint/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MobilityCenter/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NCSI/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NCSI/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDIS/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDIS/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NTLM/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NWiFi/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Narrator/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetShell/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkAccessProtection/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkAccessProtection/WHC"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkLocationWizard/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Networking-Correlation/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NlaSvc/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NlaSvc/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OLEACC/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OLEACC/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OOBE-Machine/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/SyncLog"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OneX/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OobeLdr/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PCI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ParentalControls/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PeopleNearMe/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerCfg/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerCpl/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrimaryNetworkIcon/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-QoS-Pacer/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-QoS-qWAVE/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RPC-Proxy/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RPC/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RPC/EEInfo"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Recovery/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ResourcePublication/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RestartManager/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Search-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-IdentityListener/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-SPP/Perf"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sens/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ServiceReportingApi/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Services-Svchost/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Services/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Setup/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupCl/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupQueue/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupUGC/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Shwebsvc"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shsvcs/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sidebar/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Speech-UserExperience/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Spell-Checking/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SpellChecker/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StickyNotes/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StickyNotes/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StickyNotes/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorDiag/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorPort/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Subsys-Csr/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Subsys-SMSS/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Superfetch/Main"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Superfetch/StoreLog"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sysprep/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SystemHealthAgent/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TCPIP/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TZUtil/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskbarCPL/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ThemeCPL/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ThemeUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TunnelDriver"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UAC-FileVirtualization/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UAC/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAnimation/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Perf"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIRibbon/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBHUB/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBPORT/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Control Panel Performance/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Profile Service/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Profile Service/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User-Loader/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserModePowerService/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceNotifications"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/SchedulerOperations"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UxTheme/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VAN/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VDRVROOT/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VHDMP/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VWiFi/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VolumeControl/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WABSyncProvider/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WER-Diag/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WFP/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WFP/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLAN-AutoConfig/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Trace"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPDMCCore/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPDMCUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPNSS-Service/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPNSSUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-MTPClassDriver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WSC-SRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WUSA/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WebIO-NDF/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WebIO/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WebServices/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Win32k/Concurrency"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Win32k/Power"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Win32k/Render"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Win32k/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Win32k/UIPI"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WinHttp/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WinINet/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WinRM/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WinRM/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WinRM/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windeploy/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windows Defender/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windows Defender/WHC"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WindowsBackup/ActionCenter"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WindowsColorSystem/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WindowsColorSystem/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WindowsUpdateClient/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Wininit/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Winlogon/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Winlogon/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Winsock-AFD/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Winsock-WS2HELP/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Winsrv/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Wired-AutoConfig/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Wordpad/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Wordpad/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Wordpad/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-mobsync/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ntshrui"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-osk/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-stobject/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "OAlerts"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Security"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Setup"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "System"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "TabletPC_InputPanel_Channel"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "WINDOWS_MP4SDECD_CHANNEL"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "WINDOWS_MSMPEG2VDEC_CHANNEL"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "WINDOWS_WMPHOTO_CHANNEL"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "WMPSetup"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "WMPSyncEngine"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Windows PowerShell"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "muxencode"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:58
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Clears Windows event logs
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LogDelete.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c WEVTUTIL EL
C:\Windows\system32\wevtutil.exe
WEVTUTIL EL
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "AMSI/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "AirSpaceChannel"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Application"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "DirectShowFilterGraph"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "DirectShowPluginControl"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Els_Hyphenation/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "EndpointMapper"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "FirstUXPerf-Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "ForwardedEvents"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "General Logging"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "HardwareEvents"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "IHM_DebugChannel"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS-I2C/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-I2C/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-I2C/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Internet Explorer"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Key Management Service"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MF_MediaFoundationDeviceMFT"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MF_MediaFoundationFrameServer"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MedaFoundationVideoProc"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MedaFoundationVideoProcD3D"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationAsyncWrapper"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationContentProtection"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationDS"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationDeviceProxy"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationMP4"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationMediaEngine"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPerformance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPerformanceCore"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPipeline"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPlatform"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationSrcPrefetch"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-AppV-Client-Streamingux/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-AppV-Client/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-AppV-Client/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-AppV-Client/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-AppV-Client/Virtual Applications"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-AppV-SharedPerformance/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-IE/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-OneCore-Setup/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-Admin/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-IPC/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AAD/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AAD/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ASN1/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Disk/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-File/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-IO/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-LiveDump/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-LiveDump/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Memory/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Network/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Pdc/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Pep/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Configuration"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Process/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Errors"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-XDV/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Known Folders API Service"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-L2NA/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LDAP-Client/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LSA/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LSA/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LSA/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LimitsManagement/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LiveId/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LiveId/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPS-CLNT/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPS-DRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPS-SRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSFTEDIT/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSPaint/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSPaint/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSPaint/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Media-Streaming/DMC"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Media-Streaming/DMR"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Media-Streaming/MDE"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Minstore/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Minstore/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MobilityCenter/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Mprddm/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NCSI/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NCSI/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDIS/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDIS/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NTLM/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NWiFi/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Narrator/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Ncasvc/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NdisImPlatform/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Ndu/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetShell/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Network-Connection-Broker"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Network-DataUsage/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Network-Setup/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkBridge/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkLocationWizard/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProvider/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkSecurity/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkStatus/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Networking-Correlation/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NlaSvc/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NlaSvc/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Ntfs/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Ntfs/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Ntfs/WHC"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OLE/Clipboard-Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OLEACC/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OLEACC/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OcpUpdateAgent/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/SyncLog"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OneBackup/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OneX/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OneX/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OobeLdr/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OtpCredentialProvider/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PCI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ParentalControls/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Partition/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Partition/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PerceptionRuntime/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PerceptionSensorDataService/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PhotoAcq/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PlayToManager/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Policy/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Policy/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerCfg/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerCpl/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrimaryNetworkIcon/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintBRM/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService-USBMon/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Privacy-Auditing/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ProcessStateManager/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Informational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PushNotification-Developer/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PushNotification-InProc/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-QoS-Pacer/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-QoS-qWAVE/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RPC-Proxy/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RPC/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RPC/EEInfo"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RRAS/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RRAS/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RadioManager/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RasAgileVpn/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RasAgileVpn/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReFS/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Regsvr32/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ResetEng-Trace/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ResourcePublication/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RestartManager/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RetailDemo/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RetailDemo/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Graphics/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Networking/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Web-Http/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-WebAPI/Tracing"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime/CreateInstance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime/Error"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBClient/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBClient/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBDirect/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBDirect/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBDirect/Netmon"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Audit"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Connectivity"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Security"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Informational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SPB-ClassExtension/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SPB-HIDI2C/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Schannel-Events/Perf"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sdbus/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sdbus/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sdstor/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Search-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SearchUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SearchUI/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SecureAssessment/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Adminless/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-IdentityListener/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-IdentityStore/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Mitigations/KernelMode"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Mitigations/UserMode"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Netlogon/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-SPP/Perf"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-UserConsentVerifier/Audit"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Vault/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Perf"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SendTo/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sens/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sensors/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sensors/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Serial-ClassExtension/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ServiceReportingApi/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Services-Svchost/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Services/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Servicing/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync/VerboseDebug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Setup/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupCl/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupPlatform/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupQueue/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupUGC/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Core/ActionCenter"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Core/AppDefaults"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Core/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Core/LogonTasksChannel"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Core/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-OpenWith/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Shwebsvc"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shsvcs/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SleepStudy/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmartCard-Audit/Authentication"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmartScreen/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmbClient/Audit"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmbClient/Connectivity"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmbClient/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmbClient/Security"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Speech-UserExperience/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Spell-Checking/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SpellChecker/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Spellchecking-Host/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SruMon/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SrumTelemetry"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StateRepository/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StateRepository/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StateRepository/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StateRepository/Restricted"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorDiag/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorPort/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Diagnose"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Diagnose"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Diagnose"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Diagnose"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Health"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Tiering/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageManagement/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageManagement/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSettings/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Store/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storsvc/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Subsys-Csr/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Subsys-SMSS/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Superfetch/Main"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Superfetch/PfApLog"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Superfetch/StoreLog"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sysmon/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sysprep/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SystemSettingsHandlers/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TCPIP/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TCPIP/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TTS/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TWinAPI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TWinUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TWinUI/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TZSync/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TZSync/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TZUtil/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Maintenance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskbarCPL/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Tethering-Manager/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Tethering-Station/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ThemeCPL/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ThemeUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Threat-Intelligence/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Time-Service/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Troubleshooting-Recommended/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Troubleshooting-Recommended/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TunnelDriver"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UAC-FileVirtualization/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UAC/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UI-Shell/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAnimation/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Perf"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIRibbon/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-MAUSBHOST-Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-UCX-Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBHUB/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBHUB3-Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBPORT/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBXHCI-Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UniversalTelemetryClient/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Control Panel Performance/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Control Panel Usage/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Control Panel/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Control Panel/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Device Registration/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Device Registration/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Profile Service/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Profile Service/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User-Loader/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User-Loader/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserAccountControl/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserModePowerService/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/ActionCenter"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceInstall"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/SchedulerOperations"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UxInit/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UxTheme/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VAN/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VDRVROOT/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VHDMP-Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VHDMP-Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VIRTDISK-Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VPN-Client/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VPN/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VWiFi/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VerifyHardwareSecurity/Admin"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VerifyHardwareSecurity/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Volume/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VolumeControl/Performance"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WABSyncProvider/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WCNWiz/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WEPHOSTSVC/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WER-PayloadHealth/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WFP/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WFP/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLAN-AutoConfig/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLAN-Driver/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Trace"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPDMCUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPNSS-Service/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPNSS-Service/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPNSSUI/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-API/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-MTPBT/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-MTPClassDriver/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-MTPClassDriver/Operational"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-MTPIP/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WPD-MTPUS/Analytic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WSC-SRV/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WUSA/Debug"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WWAN-CFE/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WWAN-MediaManager/Diagnostic"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 224.107.17.2.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:58
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\AppPatch\8.77.dll | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\apppatch\Custom\Custom64\conhotsdfw.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\apppatch\Custom\Custom64\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\apppatch\Custom\Custom64\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\apppatch\Custom\Custom64\GoogleUpdateTaskMachineUA{16BC37E5-3A02-401D-B8D2-176130bin lvse.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\apppatch\Custom\Custom64\GoogleUpdateTaskMachineUA{16BC37E5-3A02-401D-B8D2-176130svc.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\apppatch\Custom\Custom64\GoogleUpdateTaskMachineUA{16BC37E5-3A02-401D-B8D2-176130svc.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\apppatch\Custom\Custom64\conhost dhlvse.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\apppatch\Custom\Custom64\__tmp_rar_sfx_access_check_240600953 | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\apppatch\Custom\Custom64\conhotsdlvse.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\apppatch\Custom\Custom64\GoogleUpdateTaskMachineUA{16BC37E5-3A02-401D-B8D2-176130sdlvse.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\apppatch\Custom\Custom64\libcurllvse.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\apppatch\Custom\Custom64\conhostdhfw.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\apppatch\Custom\Custom64\conhostdhfw.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\apppatch\Custom\Custom64\conhotsdfw.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\apppatch\Custom\Custom64\GoogleUpdateTaskMachineUA{16BC37E5-3A02-401D-B8D2-176130sdlvse.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\apppatch\Custom\Custom64\GoogleUpdateTaskMachineUA{E67DA9CE-6D58-456B-9EBF-9366B90dllll.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\apppatch\Custom\Custom64\svchost.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\apppatch\Custom\Custom64\conhost dhlvse.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\apppatch\Custom\Custom64\GoogleUpdateTaskMachineUA{16BC37E5-3A02-401D-B8D2-176130bin lvse.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\apppatch\Custom\Custom64\GoogleUpdateTaskMachineUA{E67DA9CE-6D58-456B-9EBF-9366B90dllll.xml | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\apppatch\Custom\Custom64\libcurllvse.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File opened for modification | C:\Windows\apppatch\Custom\Custom64\svchost.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
| File created | C:\Windows\apppatch\Custom\Custom64\conhotsdlvse.exe | C:\Users\Admin\AppData\Local\Temp\mm.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4348 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\mm.exe | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe |
| PID 4348 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\mm.exe | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe |
| PID 4348 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\mm.exe | C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\mm.exe
"C:\Users\Admin\AppData\Local\Temp\mm.exe"
C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe
"C:\Windows\AppPatch\Custom\Custom64\conhostdhfw.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
Files
C:\Windows\apppatch\Custom\Custom64\conhostdhfw.exe
| MD5 | 90d83bbad8110780e90b8f0beab172f9 |
| SHA1 | 0ced0e716b07945787bf78ae6296a5f24bfdbe59 |
| SHA256 | c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105 |
| SHA512 | 92d4a6697644925176852c2b43bf297b16afadc2a993c135b5aa9df3c74a280bfb7cde883c6bf5c8b06202ff55168997dcf89ef2e791a3aeaca3cb09b6ac7707 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:55
Platform
win10v2004-20240508-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:58
Platform
win7-20240611-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\utilman.exe | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1968 wrote to memory of 2216 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 1968 wrote to memory of 2216 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 1968 wrote to memory of 2216 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 1968 wrote to memory of 1900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 1968 wrote to memory of 1900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 1968 wrote to memory of 1900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 1968 wrote to memory of 2136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 1968 wrote to memory of 2136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 1968 wrote to memory of 2136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2.bat"
C:\Windows\system32\takeown.exe
takeown /f c:\windows\system32\utilman.exe
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\utilman.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\utilman.exe /grant Users:F
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:58
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\utilman.exe | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3584 wrote to memory of 3208 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 3584 wrote to memory of 3208 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 3584 wrote to memory of 740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 3584 wrote to memory of 740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 3584 wrote to memory of 4596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 3584 wrote to memory of 4596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2.bat"
C:\Windows\system32\takeown.exe
takeown /f c:\windows\system32\utilman.exe
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\utilman.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls c:\windows\system32\utilman.exe /grant Users:F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-18 09:55
Reported
2024-06-18 09:55
Platform
win7-20240611-en