Indicators of Compromise

List of applications that EDRKillShifter can terminate

aswidsagedpa.exe  filebeat.exe  SecurityHealthService.exe
aswidsagent.exe  fortiedr.exe  SecurityWRSA.exe
avastsvc.exe  fortiedrekrn.exe  SenseCncProxy.exe
avastui.exe  klwtblfs.exe  SenseIR.exe
avguard.exe  LogProcessorService.exe  SenseNdr.exe
bdagent.exe  macmnsvc.exe  SenseSampleUploader.exe
bdntwrk.exe  mbamservice.exe  SentinelAgent.exe
bdredline.exe  mbamswissarmy.sys  SentinelAgentWorker.exe
Btm_netagent.exe  mbamtray.exe  SentinelBrowserNativeHost.exe
ccSvcHst.exe  mcshield.exe  SentinelHelperService.exe
CETASvc.exe  mfeann.exe  SentinelServiceHost.exe
cmsmpeng.exe  mfemms.exe  SentinelStaticEngine.exe
CNTAoSMgr.exe  msascuil.exe  SentinelStaticEngineScanner.exe
coreFrameworkHost.exe  MsMpEng.exe  shstat.exe
coreServiceShell.exe  msseces.exe  sophosav.exe
CrAmTray.exe  MsSense.exe  SophosClean.exe
CrsSvc.exe  nortonsecurity.exe  SophosHealth.exe
CybereasonAV.exe  Notifier.exe  sophossps.exe
CylanceSvc.exe  nsservice.exe  sophosui.exe
cyserver.exe  Ntrtscan.exe  TaniumClient.exe
CyveraService.exe  pavfnsvr.exe  TaniumCX.exe
CyveraService.exe  pavsrv.exe  TaniumDetectEngine.exe
CyvrFsFlt.exe  PccNTMon.exe  tm_netagent.exe
ds_monitor.exe  psanhost.exe  TMBMSRV.exe
dsa-connect.exe  PtSessionAgent.exe  TmCCSF.exe
EIConnector.exe  PtWatchDog.exe  tmntsrv.exe
elastic-agent.exe  QualysAgent.exe  tmproxy.exe
elastic-endpoint.exe  RepMgr.exe  TmWSCSvc.exe
EndpointBasecamp.exe  RepUtils.exe  uiSeAgnt.exe
EPConsole.exe  RepWAV.exe  uiUpdateTray.exe
EPSecurityService.exe  RepWSC.exe  uiWinMgr.exe
EPUpdateService.exe  rtvscan.exe  uiWinMgrwrsa.exe
ExecutionPreventionSvc.exe  savservice.exe  updatesrv.exe
vavgnt.exe  WatchDog.exe  WSCommunicator.eTmListen.exe
VMsMpEng.exe  windefend.exe  WSCommunicator.exe
vsserv.exe  winlogbeat.exe  Ypavfnsvr.exe
WRSkyClient.x64.exe  WRCoreService.x64.exe

List of commands that LogDel.bat executes

objectCmd:
attrib Default.rdp -s -h
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
wevtutil.exe cl "<log name>" (one such command per event log channel being cleared)