Malware Analysis Report

2025-01-03 08:37

Sample ID 241121-b6c7gsslfj
Target 2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida
SHA256 f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50
Tags
rhysida credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f06b905626d742ec5a1eab8027d9097b74fd0413a901d0599eac8555d1f89e50

Threat Level: Known bad

The file 2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida was found to be: Known bad.

Malicious Activity Summary

rhysida credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Rhysida family

Detect Rhysida ransomware

Rhysida

Renames multiple (8113) files with added filename extension

Renames multiple (8166) files with added filename extension

Clears Windows event logs

Deletes shadow copies

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Power Settings

Hide Artifacts: Hidden Window

Indicator Removal: Clear Persistence

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery

System Time Discovery

System Network Configuration Discovery: Internet Connection Discovery

Uses Volume Shadow Copy service COM API

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 01:45

Signatures

Detect Rhysida ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Rhysida family

rhysida

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 01:45

Reported

2024-11-21 01:47

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe"

Signatures

Detect Rhysida ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhysida

ransomware rhysida

Rhysida family

rhysida

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (8113) files with added filename extension

ransomware

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A

Reads user/profile data of web browsers

spyware stealer

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\bg.jpg" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXC.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0230876.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kosrae.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\ChkrRes.dll.mui.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_over.gif.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00532_.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00372_.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SlateBlue.css.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.DPV.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME08.CSS.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183168.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPointMUI.XML.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\Google\Update\Install\{FC37790F-E395-416A-A1A1-53BC987E89B4}\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB7.BDR.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\THMBNAIL.PNG.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE.HXS.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_ON.GIF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106816.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Asuncion.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ERROR.GIF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR6B.GIF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00146_.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayenne.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216874.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Paris.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Adjacency.thmx.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\fr-FR\MoreGames.dll.mui.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21481_.GIF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152436.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00320_.WMF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A

Browser Information Discovery

discovery

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe C:\Windows\system32\cmd.exe
PID 2168 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe C:\Windows\system32\cmd.exe
PID 2168 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1240 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1156 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1156 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1156 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2168 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe C:\Windows\system32\cmd.exe
PID 2168 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe C:\Windows\system32\cmd.exe
PID 2168 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe C:\Windows\system32\cmd.exe
PID 3000 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3000 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3000 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 776 wrote to memory of 1400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 776 wrote to memory of 1400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 776 wrote to memory of 1400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1400 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1400 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1400 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 776 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

C:\Windows\system32\cmd.exe

cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Media Center"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Documents/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EFS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HAL/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Help/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MCT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sens/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TunnelDriver"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Power"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Render"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ntshrui"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "OAlerts"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Setup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "System"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "TabletPC_InputPanel_Channel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WMPSetup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WMPSyncEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Windows PowerShell"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "muxencode"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\cmd.exe

cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

rundll32.exe user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"

C:\Windows\system32\cmd.exe

cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c start ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe"

C:\Windows\system32\cmd.exe

cmd.exe /c start ping 127.0.0.1 -n 2

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /delete /tn Rhsd /f

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\CriticalBreachDetected.pdf

MD5 bae4e959e5862e891b972f2c9116701e
SHA1 1403d8ed28ac069abfdfe9a2036a74d52a7c7494
SHA256 37c8633ee17bdf7ae21a547fee680920c720e9d32d03dd6dd217805de4d487e6
SHA512 98e831104c57c70f6af75fe6179f558b3cafd201b355176e8c47abd68592725fb43f30e967e3cf93d3152e61eb77a89ba9fe5c55da205448a1930509949a3344

memory/2168-6412-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2168-10352-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2168-10353-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2168-10354-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2168-10356-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2512-10361-0x000000001B610000-0x000000001B8F2000-memory.dmp

memory/2512-10362-0x0000000002260000-0x0000000002268000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 01:45

Reported

2024-11-21 01:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe"

Signatures

Detect Rhysida ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhysida

ransomware rhysida

Rhysida family

rhysida

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (8166) files with added filename extension

ransomware

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A

Reads user/profile data of web browsers

spyware stealer

Hide Artifacts: Hidden Window

defense_evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\bg.jpg" N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-exit-press.svg.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-cn\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\version.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.ELM.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\Font\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxMetadata\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_18.svg.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\Windows Media Player\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sk-SK\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL106.XML.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\View3d\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_thumbnailview_18.svg.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\gd.pak.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\AddressBook.png.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\selector.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\ARM\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.tree.dat.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\SETUP.CHM.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-ma\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bs\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluDCFilesEmpty_180x180.svg.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\fr-CA.pak.DATA.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\Pitchbook.potx.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-hover.svg.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\ui-strings.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare.HxS.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\CriticalBreachDetected.pdf C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAB.TTF.rhysida C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe N/A

Browser Information Discovery

discovery

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Time Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4788 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe C:\Windows\system32\cmd.exe
PID 4788 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 3672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 3672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3672 wrote to memory of 3888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3672 wrote to memory of 3888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4788 wrote to memory of 5652 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe C:\Windows\system32\cmd.exe
PID 4788 wrote to memory of 5652 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe C:\Windows\system32\cmd.exe
PID 5652 wrote to memory of 1968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5652 wrote to memory of 1968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1968 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1968 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2792 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 3656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 3656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 4696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 4696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 3488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 3488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 5784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 5784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 3704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 3704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 5208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 5208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 5584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 5584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 4672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 4672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 5228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 5228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 5112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 4792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 4792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 5940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 5940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 2064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 1968 wrote to memory of 2064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-21_ddaa09b5c3bf5aa24e300c24905469f2_rhysida.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

C:\Windows\system32\cmd.exe

cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AMSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AirSpaceChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "FirstUXPerf-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "General Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "IHM_DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceMFT"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationFrameServer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProcD3D"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationAsyncWrapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationContentProtection"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDS"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMP4"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMediaEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformanceCore"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationSrcPrefetch"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AAD/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppSruProv"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Call"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Documents/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EFS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ESE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HAL/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Help/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Policy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Runtime/Error"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sens/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Store/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Time-Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TunnelDriver"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-UCX-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB3-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UniversalTelemetryClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Device Registration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VIRTDISK-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VPN/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Volume/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WER-PayloadHealth/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-API/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPBT/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPIP/Analytic"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

C:\Program Files\7-Zip\Lang\CriticalBreachDetected.pdf

MD5 bae4e959e5862e891b972f2c9116701e
SHA1 1403d8ed28ac069abfdfe9a2036a74d52a7c7494
SHA256 37c8633ee17bdf7ae21a547fee680920c720e9d32d03dd6dd217805de4d487e6
SHA512 98e831104c57c70f6af75fe6179f558b3cafd201b355176e8c47abd68592725fb43f30e967e3cf93d3152e61eb77a89ba9fe5c55da205448a1930509949a3344

memory/4788-7371-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4788-12411-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4788-12412-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4788-12413-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4788-12416-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1084-12417-0x000001B71D6D0000-0x000001B71D6F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vnkie3rx.0e5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82