Malware Analysis Report

2025-01-03 08:38

Sample ID 241121-b4rxvssldn
Target 2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida
SHA256 a0d4d52885b654cbfeefd194359936072133519c2bc7e8f68b7b668e59c67b94
Tags
rhysida credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a0d4d52885b654cbfeefd194359936072133519c2bc7e8f68b7b668e59c67b94

Threat Level: Known bad

The file 2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida was found to be: Known bad.

Malicious Activity Summary

rhysida credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Detect Rhysida ransomware

Rhysida

Rhysida family

Deletes shadow copies

Clears Windows event logs

Renames multiple (8161) files with added filename extension

Renames multiple (8136) files with added filename extension

Command and Scripting Interpreter: PowerShell

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Reads user/profile data of web browsers

Power Settings

Hide Artifacts: Hidden Window

Indicator Removal: Clear Persistence

Sets desktop wallpaper using registry

Drops file in Program Files directory

System Time Discovery

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Browser Information Discovery

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 01:42

Signatures

Detect Rhysida ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Rhysida family

rhysida

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 01:42

Reported

2024-11-21 01:44

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe"

Signatures

Detect Rhysida ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhysida

ransomware rhysida

Rhysida family

rhysida

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (8136) files with added filename extension

ransomware

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A

Reads user/profile data of web browsers

spyware stealer

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\bg.jpg" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielReport.Dotx.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150150.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00810_.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00160_.GIF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\Windows Sidebar\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARBB.DPV.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL048.XML.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0088542.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199469.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\si.txt.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105388.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\Microsoft Games\Chess\es-ES\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AIR98.POC.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01295_.GIF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\HST10.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME06.CSS.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02252_.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OUTEX.ECF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\UTC.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Araguaina.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR7B.GIF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MSTAG.TLB.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105600.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FLAP.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107266.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDBAR98.POC.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099170.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00224_.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04269_.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00276_.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\JOURNAL.INF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime.css.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.DPV.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTIT.CFG.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.REST.IDX_DLL.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A

Browser Information Discovery

discovery

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1076 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe C:\Windows\system32\cmd.exe
PID 1076 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe C:\Windows\system32\cmd.exe
PID 1076 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2176 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2176 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1076 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe C:\Windows\system32\cmd.exe
PID 1076 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe C:\Windows\system32\cmd.exe
PID 1076 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe C:\Windows\system32\cmd.exe
PID 2220 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2220 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2220 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 884 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 884 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 884 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2228 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

C:\Windows\system32\cmd.exe

cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Media Center"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Documents/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EFS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HAL/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Help/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MCT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sens/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TunnelDriver"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Power"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Render"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ntshrui"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "OAlerts"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Setup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "System"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "TabletPC_InputPanel_Channel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WMPSetup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WMPSyncEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Windows PowerShell"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "muxencode"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

rundll32.exe user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"

C:\Windows\system32\cmd.exe

cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c start ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe"

C:\Windows\system32\cmd.exe

cmd.exe /c start ping 127.0.0.1 -n 2

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /delete /tn Rhsd /f

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\CriticalBreachDetected.pdf

MD5 714516529c2b8a4909d5d5c1af575b0e
SHA1 98d4bc2ece961dbda5b4827edbfb46eae0e385b2
SHA256 1d89b0f3b494da14beea81f6a9be9307172fad98ce933825d82073112f078332
SHA512 e2319878bb2d263593da5391a920bfa1af603a4cdba642592af5a82b6b8e6bed24db46979ae94ed2598a9e1c0e009aa1e778d968221506c655ba3692b8a621d8

memory/1076-6304-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1076-10374-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1076-10375-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1076-10376-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Public\bg.jpg

MD5 4f33ca74adcf0375d4ec6886247e652d
SHA1 b7eb7c7ab5c675877653d10cf19b33cab0cf672c
SHA256 a37684751505d990fd80ea92d1902447b8f3edcc07bad783e7c56f03194b03aa
SHA512 9b9e84c51bb5f2996b790058158d1f270a176a90f3c49b0ce61b6fc2be10242f0af72fea9bf0f3fa23d8dfdf833b54ca602064c33b5ae2ce7077e2e9196043c5

memory/1076-10379-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1764-10384-0x000000001B630000-0x000000001B912000-memory.dmp

memory/1764-10385-0x00000000026F0000-0x00000000026F8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 01:42

Reported

2024-11-21 01:44

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe"

Signatures

Detect Rhysida ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhysida

ransomware rhysida

Rhysida family

rhysida

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (8161) files with added filename extension

ransomware

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A

Reads user/profile data of web browsers

spyware stealer

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\bg.jpg" N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNV.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\LICENSE.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\selector.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\AppStore_icon.svg.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\RepairExit.xlsx.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-2x.png.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\Common Files\System\ado\en-US\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\lt.pak.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\meta-index.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Windows Defender\uk-UA\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Windows Media Player\it-IT\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Network Sharing\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sl-SI\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\DEEPBLUE.INF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\main.css.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\AXIS.INF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-high\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf.png.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxUnselected.svg.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.schema.mof.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_invite_24.svg.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe N/A

Browser Information Discovery

discovery

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Time Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5040 wrote to memory of 6164 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe C:\Windows\system32\cmd.exe
PID 5040 wrote to memory of 6164 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe C:\Windows\system32\cmd.exe
PID 6164 wrote to memory of 6232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 6164 wrote to memory of 6232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 6232 wrote to memory of 5900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 6232 wrote to memory of 5900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5040 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe C:\Windows\system32\cmd.exe
PID 5040 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe C:\Windows\system32\cmd.exe
PID 2096 wrote to memory of 680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2096 wrote to memory of 680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 680 wrote to memory of 5592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 680 wrote to memory of 5592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5592 wrote to memory of 5596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 5592 wrote to memory of 5596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 7148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 7148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 6824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 6824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 5748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 5748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 5092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 5092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 5780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 5780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 5612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 5612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 1664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 1664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 7116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 7116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 4512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 4512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 6136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 6136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 5000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 5000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 6112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 6112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 7128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 7128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 3808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 3808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 4160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 680 wrote to memory of 4160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-21_c43f12b8330643c72d21bad3b6cfcf82_rhysida.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

C:\Windows\system32\cmd.exe

cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AMSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AirSpaceChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "FirstUXPerf-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "General Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "IHM_DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceMFT"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationFrameServer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProcD3D"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationAsyncWrapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationContentProtection"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDS"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMP4"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMediaEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformanceCore"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationSrcPrefetch"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AAD/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppSruProv"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Call"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Documents/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EFS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ESE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HAL/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Help/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Policy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime/Error"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sens/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Store/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Time-Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TunnelDriver"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-UCX-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB3-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UniversalTelemetryClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Device Registration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VIRTDISK-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VPN/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Volume/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WER-PayloadHealth/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-API/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPBT/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPIP/Analytic"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp

Files

C:\Program Files\7-Zip\Lang\CriticalBreachDetected.pdf

MD5 714516529c2b8a4909d5d5c1af575b0e
SHA1 98d4bc2ece961dbda5b4827edbfb46eae0e385b2
SHA256 1d89b0f3b494da14beea81f6a9be9307172fad98ce933825d82073112f078332
SHA512 e2319878bb2d263593da5391a920bfa1af603a4cdba642592af5a82b6b8e6bed24db46979ae94ed2598a9e1c0e009aa1e778d968221506c655ba3692b8a621d8

memory/5040-7102-0x0000000000400000-0x000000000048C000-memory.dmp

memory/5040-12396-0x0000000000400000-0x000000000048C000-memory.dmp

memory/5040-12397-0x0000000000400000-0x000000000048C000-memory.dmp

memory/5040-12398-0x0000000000400000-0x000000000048C000-memory.dmp

memory/5040-12401-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2xmpmx1t.efd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2196-12404-0x0000013C5A770000-0x0000013C5A792000-memory.dmp