86d252ae6702d04a88430dc9d6d3c05693f662640d730f486750bc62d9544917

Resubmissions

27/10/2022, 10:55

221027-m1cvbabhc2 10

24/09/2020, 00:45

200924-g9pq78cldx 6

Analysis

max time kernel
133s
max time network
68s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
27/10/2022, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
Size

6.3MB
MD5

6eb69acd2ac82be838c8b3d8910b0d70
SHA1

6316421e06a6000f9736696f3b0d1f08ac1134c7
SHA256

e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f
SHA512

2b5402b5270bdc6949c2eebdc1ef4855f77a8e06cb894a7315ce24bdd45ab10d1b279282d50aef17ca7641b0279e08b1320295e1dfadf0f1a8607c901a1cce5d
SSDEEP

98304:O0ocX1uVfOpOdS6Ua6Jt95JO+APX1pG/OGqjB5bOf:X/X1uVfOpOdSVa6Jfx

Score

10^/10

evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

\??\c:\Users\pay_the_piper.txt

Ransom Note

tazerface strikes again! Now with twice the ransom! ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ENCRYPTED By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA78BD67965B1577 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/CA78BD67965B1577 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: windowsIhrIMECBJdmEbMddpfJkAoLdcKkNskbIhMDJpIPglGNpdKCGtIMPijoKcFqIfFPe_ _ !!!!DANGER!!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA78BD67965B1577

http://decryptor.cc/CA78BD67965B1577

Extracted

Path

\??\c:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\pay_the_piper.txt

Ransom Note

tazerface strikes again! Now with twice the ransom! ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ENCRYPTED By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA78BD67965B1577 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/CA78BD67965B1577 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: windowshIrijjLCkCcAjFdLoaPoqftLmMFhsGiGohbdHDcKqpbMdgGNOkdhAjaEMIGpFbaE_ _ !!!!DANGER!!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CA78BD67965B1577

http://decryptor.cc/CA78BD67965B1577

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
3276	wevtutil.exe
3808	wevtutil.exe
668	wevtutil.exe
4672	wevtutil.exe
4148	wevtutil.exe
3352	wevtutil.exe
3372	wevtutil.exe
208	wevtutil.exe
4420	wevtutil.exe
1276	wevtutil.exe
4128	wevtutil.exe
668	wevtutil.exe
3116	wevtutil.exe
4024	wevtutil.exe
4952	wevtutil.exe
4972	wevtutil.exe
2692	wevtutil.exe
2880	wevtutil.exe
3776	wevtutil.exe
3920	wevtutil.exe
4496	wevtutil.exe
4820	wevtutil.exe
4932	wevtutil.exe
3480	wevtutil.exe
1508	wevtutil.exe
4968	wevtutil.exe
3932	wevtutil.exe
516	wevtutil.exe
2488	wevtutil.exe
2708	wevtutil.exe
1368	wevtutil.exe
4560	wevtutil.exe
1644	wevtutil.exe
2248	wevtutil.exe
516	wevtutil.exe
4600	wevtutil.exe
1656	wevtutil.exe
1296	wevtutil.exe
1508	wevtutil.exe
4548	wevtutil.exe
3932	wevtutil.exe
872	wevtutil.exe
2872	wevtutil.exe
4408	wevtutil.exe
3728	wevtutil.exe
3404	wevtutil.exe
1684	wevtutil.exe
356	wevtutil.exe
3412	wevtutil.exe
2688	wevtutil.exe
3472	wevtutil.exe
4108	wevtutil.exe
4632	wevtutil.exe
4228	wevtutil.exe
5000	wevtutil.exe
5044	wevtutil.exe
3468	wevtutil.exe
4792	wevtutil.exe
3988	wevtutil.exe
4688	wevtutil.exe
4904	wevtutil.exe
4812	wevtutil.exe
1136	wevtutil.exe
380	wevtutil.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\EnterDisconnect.png => \??\c:\Users\Admin\Pictures\EnterDisconnect.png.encrypted	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File renamed	C:\Users\Admin\Pictures\InvokeMeasure.tif => \??\c:\Users\Admin\Pictures\InvokeMeasure.tif.encrypted	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File renamed	C:\Users\Admin\Pictures\UpdateUndo.tif => \??\c:\Users\Admin\Pictures\UpdateUndo.tif.encrypted	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File renamed	C:\Users\Admin\Pictures\WriteOptimize.raw => \??\c:\Users\Admin\Pictures\WriteOptimize.raw.encrypted	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File renamed	C:\Users\Admin\Pictures\WriteSkip.png => \??\c:\Users\Admin\Pictures\WriteSkip.png.encrypted	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	reg.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pay_the_piper.txt	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\pay_the_piper.txt	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 56 IoCs

description	ioc	Process
File created	\??\c:\Users\Public\Libraries\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Public\AccountPictures\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Documents\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Searches\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Public\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Favorites\Links\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Music\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Contacts\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Public\Music\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Public\Downloads\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Public\Desktop\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Links\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\OneDrive\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Downloads\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Public\Pictures\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Desktop\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Pictures\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Saved Games\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Favorites\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Public\Documents\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Public\Videos\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Admin\Videos\desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\sethc.exe	Process not Found
File created	\??\c:\Windows\System32\chtes.old	Process not Found
File opened for modification	\??\c:\Windows\System32\chtes.old	Process not Found
File opened for modification	\??\c:\Windows\System32\sethc.exe	Process not Found

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\860799236\610465418.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	SearchUI.exe
File created	\??\c:\Windows\shadow.bat	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4272278488\3302449443.pri	SearchUI.exe
File created	\??\c:\Windows\mssupdate.bat	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Windows\netlogin.bat	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
File created	\??\c:\Windows\chtes.bat	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	14	Go-http-client/1.1

Modifies registry class 25 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\NumberOfSubdomains = "2"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\MrtCache	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4352	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	524	wevtutil.exe
Token: SeBackupPrivilege	524	wevtutil.exe
Token: SeSecurityPrivilege	2344	wevtutil.exe
Token: SeBackupPrivilege	2344	wevtutil.exe
Token: SeSecurityPrivilege	2968	wevtutil.exe
Token: SeBackupPrivilege	2968	wevtutil.exe
Token: SeSecurityPrivilege	356	wevtutil.exe
Token: SeBackupPrivilege	356	wevtutil.exe
Token: SeSecurityPrivilege	2772	wevtutil.exe
Token: SeBackupPrivilege	2772	wevtutil.exe
Token: SeSecurityPrivilege	1576	wevtutil.exe
Token: SeBackupPrivilege	1576	wevtutil.exe
Token: SeSecurityPrivilege	4820	wevtutil.exe
Token: SeBackupPrivilege	4820	wevtutil.exe
Token: SeSecurityPrivilege	1872	wevtutil.exe
Token: SeBackupPrivilege	1872	wevtutil.exe
Token: SeSecurityPrivilege	328	wevtutil.exe
Token: SeBackupPrivilege	328	wevtutil.exe
Token: SeSecurityPrivilege	2688	wevtutil.exe
Token: SeBackupPrivilege	2688	wevtutil.exe
Token: SeSecurityPrivilege	516	wevtutil.exe
Token: SeBackupPrivilege	516	wevtutil.exe
Token: SeSecurityPrivilege	3796	wevtutil.exe
Token: SeBackupPrivilege	3796	wevtutil.exe
Token: SeSecurityPrivilege	3396	wevtutil.exe
Token: SeBackupPrivilege	3396	wevtutil.exe
Token: SeSecurityPrivilege	4156	wevtutil.exe
Token: SeBackupPrivilege	4156	wevtutil.exe
Token: SeSecurityPrivilege	4152	wevtutil.exe
Token: SeBackupPrivilege	4152	wevtutil.exe
Token: SeSecurityPrivilege	4576	wevtutil.exe
Token: SeBackupPrivilege	4576	wevtutil.exe
Token: SeSecurityPrivilege	3460	wevtutil.exe
Token: SeBackupPrivilege	3460	wevtutil.exe
Token: SeSecurityPrivilege	2004	wevtutil.exe
Token: SeBackupPrivilege	2004	wevtutil.exe
Token: SeSecurityPrivilege	3468	wevtutil.exe
Token: SeBackupPrivilege	3468	wevtutil.exe
Token: SeSecurityPrivilege	1136	wevtutil.exe
Token: SeBackupPrivilege	1136	wevtutil.exe
Token: SeSecurityPrivilege	3376	wevtutil.exe
Token: SeBackupPrivilege	3376	wevtutil.exe
Token: SeSecurityPrivilege	3308	wevtutil.exe
Token: SeBackupPrivilege	3308	wevtutil.exe
Token: SeSecurityPrivilege	4512	wevtutil.exe
Token: SeBackupPrivilege	4512	wevtutil.exe
Token: SeSecurityPrivilege	4736	wevtutil.exe
Token: SeBackupPrivilege	4736	wevtutil.exe
Token: SeSecurityPrivilege	2216	wevtutil.exe
Token: SeBackupPrivilege	2216	wevtutil.exe
Token: SeSecurityPrivilege	4108	wevtutil.exe
Token: SeBackupPrivilege	4108	wevtutil.exe
Token: SeSecurityPrivilege	2276	wevtutil.exe
Token: SeBackupPrivilege	2276	wevtutil.exe
Token: SeSecurityPrivilege	1296	wevtutil.exe
Token: SeBackupPrivilege	1296	wevtutil.exe
Token: SeSecurityPrivilege	4560	wevtutil.exe
Token: SeBackupPrivilege	4560	wevtutil.exe
Token: SeSecurityPrivilege	4284	wevtutil.exe
Token: SeBackupPrivilege	4284	wevtutil.exe
Token: SeSecurityPrivilege	4868	wevtutil.exe
Token: SeBackupPrivilege	4868	wevtutil.exe
Token: SeSecurityPrivilege	5088	wevtutil.exe
Token: SeBackupPrivilege	5088	wevtutil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4852	SearchUI.exe
1796	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 4352	2064	cmd.exe	75
PID 2064 wrote to memory of 4352	2064	cmd.exe	75
PID 4352 wrote to memory of 596	4352	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe	83
PID 4352 wrote to memory of 596	4352	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe	83
PID 596 wrote to memory of 1488	596	cmd.exe	84
PID 596 wrote to memory of 1488	596	cmd.exe	84
PID 4352 wrote to memory of 2132	4352	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe	85
PID 4352 wrote to memory of 2132	4352	e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe	85
PID 2132 wrote to memory of 668	2132	cmd.exe	86
PID 2132 wrote to memory of 668	2132	cmd.exe	86
PID 668 wrote to memory of 524	668	cmd.exe	87
PID 668 wrote to memory of 524	668	cmd.exe	87
PID 2132 wrote to memory of 2344	2132	cmd.exe	88
PID 2132 wrote to memory of 2344	2132	cmd.exe	88
PID 2132 wrote to memory of 2968	2132	cmd.exe	89
PID 2132 wrote to memory of 2968	2132	cmd.exe	89
PID 2132 wrote to memory of 356	2132	cmd.exe	90
PID 2132 wrote to memory of 356	2132	cmd.exe	90
PID 2132 wrote to memory of 2772	2132	cmd.exe	91
PID 2132 wrote to memory of 2772	2132	cmd.exe	91
PID 2132 wrote to memory of 1576	2132	cmd.exe	92
PID 2132 wrote to memory of 1576	2132	cmd.exe	92
PID 2132 wrote to memory of 4820	2132	cmd.exe	93
PID 2132 wrote to memory of 4820	2132	cmd.exe	93
PID 2132 wrote to memory of 1872	2132	cmd.exe	94
PID 2132 wrote to memory of 1872	2132	cmd.exe	94
PID 2132 wrote to memory of 328	2132	cmd.exe	95
PID 2132 wrote to memory of 328	2132	cmd.exe	95
PID 2132 wrote to memory of 2688	2132	cmd.exe	96
PID 2132 wrote to memory of 2688	2132	cmd.exe	96
PID 2132 wrote to memory of 2608	2132	cmd.exe	97
PID 2132 wrote to memory of 2608	2132	cmd.exe	97
PID 2132 wrote to memory of 516	2132	cmd.exe	98
PID 2132 wrote to memory of 516	2132	cmd.exe	98
PID 2132 wrote to memory of 3796	2132	cmd.exe	99
PID 2132 wrote to memory of 3796	2132	cmd.exe	99
PID 2132 wrote to memory of 3396	2132	cmd.exe	100
PID 2132 wrote to memory of 3396	2132	cmd.exe	100
PID 2132 wrote to memory of 4156	2132	cmd.exe	101
PID 2132 wrote to memory of 4156	2132	cmd.exe	101
PID 2132 wrote to memory of 4152	2132	cmd.exe	102
PID 2132 wrote to memory of 4152	2132	cmd.exe	102
PID 2132 wrote to memory of 4576	2132	cmd.exe	103
PID 2132 wrote to memory of 4576	2132	cmd.exe	103
PID 2132 wrote to memory of 3460	2132	cmd.exe	104
PID 2132 wrote to memory of 3460	2132	cmd.exe	104
PID 2132 wrote to memory of 2004	2132	cmd.exe	105
PID 2132 wrote to memory of 2004	2132	cmd.exe	105
PID 2132 wrote to memory of 3468	2132	cmd.exe	106
PID 2132 wrote to memory of 3468	2132	cmd.exe	106
PID 2132 wrote to memory of 1136	2132	cmd.exe	107
PID 2132 wrote to memory of 1136	2132	cmd.exe	107
PID 2132 wrote to memory of 3376	2132	cmd.exe	108
PID 2132 wrote to memory of 3376	2132	cmd.exe	108
PID 2132 wrote to memory of 3308	2132	cmd.exe	109
PID 2132 wrote to memory of 3308	2132	cmd.exe	109
PID 2132 wrote to memory of 4512	2132	cmd.exe	110
PID 2132 wrote to memory of 4512	2132	cmd.exe	110
PID 2132 wrote to memory of 4736	2132	cmd.exe	111
PID 2132 wrote to memory of 4736	2132	cmd.exe	111
PID 2132 wrote to memory of 2216	2132	cmd.exe	112
PID 2132 wrote to memory of 2216	2132	cmd.exe	112
PID 2132 wrote to memory of 4108	2132	cmd.exe	113
PID 2132 wrote to memory of 4108	2132	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
"C:\Users\Admin\AppData\Local\Temp\e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe"
1⤵
PID:5036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4720

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe
  e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f.exe encrypt password
  2⤵
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\Windows\netlogin.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d "C:\Windows\system32\cmd.exe"
      4⤵
      Sets file execution options in registry
      PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\Windows\mssupdate.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c WEVTUTIL EL
      4⤵
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Windows\system32\wevtutil.exe
        
        WEVTUTIL EL
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "AirSpaceChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2344
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2968
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Application"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:356
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "DirectShowFilterGraph"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2772
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "DirectShowPluginControl"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1576
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Els_Hyphenation/Analytic"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:4820
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "EndpointMapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "FirstUXPerf-Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:328
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "ForwardedEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2688
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "General Logging"
      4⤵
      PID:2608
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "HardwareEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:516
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "IHM_DebugChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3796
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3396
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Intel-iaLPSS-I2C/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4156
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4152
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Performance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Intel-iaLPSS2-I2C/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3460
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Intel-iaLPSS2-I2C/Performance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2004
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Internet Explorer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3468
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Key Management Service"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1136
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3376
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MedaFoundationVideoProc"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3308
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MedaFoundationVideoProcD3D"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4512
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MediaFoundationAsyncWrapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4736
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MediaFoundationContentProtection"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2216
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MediaFoundationDS"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4108
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2276
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MediaFoundationMediaEngine"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1296
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MediaFoundationPerformance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MediaFoundationPerformanceCore"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4284
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MediaFoundationPipeline"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4868
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MediaFoundationPlatform"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5088
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "MediaFoundationSrcPrefetch"
      4⤵
      PID:4548
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-AppV-Client-Streamingux/Debug"
      4⤵
      PID:5020
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-AppV-Client/Admin"
      4⤵
      PID:4600
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-AppV-Client/Debug"
      4⤵
      PID:3228
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-AppV-Client/Operational"
      4⤵
      Clears Windows event logs
      PID:3116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-AppV-Client/Virtual Applications"
      4⤵
      PID:1664
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-AppV-SharedPerformance/Analytic"
      4⤵
      PID:4236
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Admin"
      4⤵
      PID:2292
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Debug"
      4⤵
      Clears Windows event logs
      PID:4932
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Diagnostic"
      4⤵
      PID:3412
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-IE/Diagnostic"
      4⤵
      PID:3556
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
      4⤵
      PID:3584
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
      4⤵
      PID:3356
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-OneCore-Setup/Analytic"
      4⤵
      Clears Windows event logs
      PID:3932
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
      4⤵
      PID:4232
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
      4⤵
      PID:3268
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-User Experience Virtualization-Admin/Debug"
      4⤵
      Clears Windows event logs
      PID:380
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Debug"
      4⤵
      Clears Windows event logs
      PID:1684
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Operational"
      4⤵
      PID:1532
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Analytic"
      4⤵
      PID:4640
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Debug"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Operational"
      4⤵
      PID:1172
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-User Experience Virtualization-IPC/Operational"
      4⤵
      PID:1544
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
      4⤵
      PID:4620
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
      4⤵
      PID:4672
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
      4⤵
      PID:1488
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AAD/Analytic"
      4⤵
      PID:2072
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AAD/Operational"
      4⤵
      PID:2516
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
      4⤵
      PID:524
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ASN1/Operational"
      4⤵
      PID:2760
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ATAPort/General"
      4⤵
      PID:2964
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ATAPort/SATA-LPM"
      4⤵
      PID:2764
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ActionQueue/Analytic"
      4⤵
      Clears Windows event logs
      PID:356
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-All-User-Install-Agent/Admin"
      4⤵
      PID:2772
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AllJoyn/Debug"
      4⤵
      PID:1980
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AllJoyn/Operational"
      4⤵
      PID:2696
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppHost/Admin"
      4⤵
      PID:2692
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppHost/ApplicationTracing"
      4⤵
      PID:5084
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppHost/Diagnostic"
      4⤵
      PID:328
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppHost/Internal"
      4⤵
      PID:2708
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppID/Operational"
      4⤵
      PID:2608
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppLocker/EXE and DLL"
      4⤵
      PID:3964
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppLocker/MSI and Script"
      4⤵
      PID:5116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppLocker/Packaged app-Deployment"
      4⤵
      PID:4140
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppLocker/Packaged app-Execution"
      4⤵
      PID:4124
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Admin"
      4⤵
      PID:3972
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Analytic"
      4⤵
      PID:3512
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Debug"
      4⤵
      PID:4612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Diagnostics"
      4⤵
      PID:4824
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppModel-State/Debug"
      4⤵
      PID:4904
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppModel-State/Diagnostic"
      4⤵
      PID:4652
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppReadiness/Admin"
      4⤵
      PID:3544
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppReadiness/Debug"
      4⤵
      PID:2928
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppReadiness/Operational"
      4⤵
      PID:3276
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppSruProv"
      4⤵
      PID:3468
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppXDeployment/Diagnostic"
      4⤵
      PID:1444
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppXDeployment/Operational"
      4⤵
      PID:996
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Debug"
      4⤵
      PID:2248
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
      4⤵
      PID:4720
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Operational"
      4⤵
      PID:3308
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Restricted"
      4⤵
      PID:3572
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ApplicabilityEngine/Analytic"
      4⤵
      PID:4712
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ApplicabilityEngine/Operational"
      4⤵
      PID:508
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Admin"
      4⤵
      PID:4108
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Analytic"
      4⤵
      PID:4604
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Debug"
      4⤵
      PID:4952
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Operational"
      4⤵
      PID:4288
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
      4⤵
      PID:4244
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
      4⤵
      PID:4284
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
      4⤵
      PID:4348
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
      4⤵
      PID:2356
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
      4⤵
      PID:2440
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory"
      4⤵
      PID:4972
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Telemetry"
      4⤵
      PID:5020
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Application-Experience/Steps-Recorder"
      4⤵
      PID:4188
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic"
      4⤵
      PID:4964
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ApplicationResourceManagementSystem/Operational"
      4⤵
      PID:4784
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Debug"
      4⤵
      PID:4616
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Operational"
      4⤵
      Clears Windows event logs
      PID:3352
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Performance"
      4⤵
      PID:4408
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AssignedAccess/Admin"
      4⤵
      PID:3608
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AssignedAccess/Operational"
      4⤵
      PID:3384
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AssignedAccessBroker/Admin"
      4⤵
      PID:3436
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AssignedAccessBroker/Operational"
      4⤵
      Clears Windows event logs
      PID:3412
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AsynchronousCausality/Causality"
      4⤵
      PID:3560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Audio/CaptureMonitor"
      4⤵
      PID:3364
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Audio/GlitchDetection"
      4⤵
      PID:4264
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Audio/Informational"
      4⤵
      PID:4220
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Audio/Operational"
      4⤵
      PID:4224
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Audio/Performance"
      4⤵
      PID:4208
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Audio/PlaybackManager"
      4⤵
      PID:5072
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Audit/Analytic"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Authentication User Interface/Operational"
      4⤵
      PID:1016
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
      4⤵
      PID:3852
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUser-Client"
      4⤵
      PID:4008
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
      4⤵
      PID:1532
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
      4⤵
      PID:3524
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-AxInstallService/Log"
      4⤵
      PID:4680
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
      4⤵
      PID:1656
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
      4⤵
      PID:4184
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
      4⤵
      PID:2284
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Backup"
      4⤵
      PID:4740
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
      4⤵
      PID:4688
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
      4⤵
      PID:596
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Battery/Diagnostic"
      4⤵
      PID:2360
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Biometrics/Analytic"
      4⤵
      PID:660
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Biometrics/Operational"
      4⤵
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
      4⤵
      PID:2344
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
      4⤵
      PID:2968
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
      4⤵
      PID:2768
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BitLocker/BitLocker Management"
      4⤵
      Clears Windows event logs
      PID:2872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BitLocker/BitLocker Operational"
      4⤵
      PID:2868
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BitLocker/Tracing"
      4⤵
      PID:1536
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Bits-Client/Analytic"
      4⤵
      PID:4820
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Bits-Client/Operational"
      4⤵
      PID:1872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
      4⤵
      PID:2680
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
      4⤵
      PID:2688
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BranchCache/Operational"
      4⤵
      PID:3872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
      4⤵
      PID:2324
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
      4⤵
      PID:1436
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BranchCacheMonitoring/Analytic"
      4⤵
      PID:4164
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Analytic"
      4⤵
      PID:3796
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Operational"
      4⤵
      PID:4140
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CAPI2/Catalog Database Debug"
      4⤵
      PID:4580
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CAPI2/Operational"
      4⤵
      PID:4432
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CDROM/Operational"
      4⤵
      PID:4532
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-COM/Analytic"
      4⤵
      PID:4808
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-COM/ApartmentInitialize"
      4⤵
      PID:4856
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-COM/ApartmentUninitialize"
      4⤵
      PID:752
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-COM/Call"
      4⤵
      PID:3300
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-COM/CreateInstance"
      4⤵
      Clears Windows event logs
      PID:4420
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-COM/ExtensionCatalog"
      4⤵
      Clears Windows event logs
      PID:2880
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-COM/FreeUnusedLibrary"
      4⤵
      PID:760
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-COMRuntime/Activations"
      4⤵
      PID:2012
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-COMRuntime/MessageProcessing"
      4⤵
      PID:3376
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-COMRuntime/Tracing"
      4⤵
      PID:4708
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CertPoleEng/Operational"
      4⤵
      PID:1248
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
      4⤵
      PID:5100
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
      4⤵
      PID:4128
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
      4⤵
      PID:4596
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
      4⤵
      PID:2216
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CloudStorageWizard/Analytic"
      4⤵
      PID:2200
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CloudStorageWizard/Operational"
      4⤵
      PID:1988
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CloudStore/Debug"
      4⤵
      PID:3724
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CloudStore/Operational"
      4⤵
      PID:4560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CmiSetup/Analytic"
      4⤵
      PID:4792
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Operational"
      4⤵
      PID:2068
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Verbose"
      4⤵
      PID:2488
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ComDlg32/Analytic"
      4⤵
      PID:5088
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ComDlg32/Debug"
      4⤵
      PID:4548
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Compat-Appraiser/Analytic"
      4⤵
      PID:3256
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Compat-Appraiser/Operational"
      4⤵
      PID:4796
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Containers-Wcifs/Debug"
      4⤵
      PID:4960
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Containers-Wcifs/Operational"
      4⤵
      PID:3064
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Containers-Wcnfs/Debug"
      4⤵
      PID:3116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Containers-Wcnfs/Operational"
      4⤵
      PID:3728
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CoreApplication/Diagnostic"
      4⤵
      PID:1664
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CoreApplication/Operational"
      4⤵
      PID:4236
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CoreApplication/Tracing"
      4⤵
      PID:3380
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
      4⤵
      PID:4932
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
      4⤵
      Clears Windows event logs
      PID:3480
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CoreWindow/Analytic"
      4⤵
      PID:3576
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CoreWindow/Debug"
      4⤵
      PID:3404
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
      4⤵
      PID:3584
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
      4⤵
      PID:3920
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Crashdump/Operational"
      4⤵
      PID:3348
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-CredUI/Diagnostic"
      4⤵
      PID:3832
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Crypto-BCRYPT/Analytic"
      4⤵
      PID:3840
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Crypto-CNG/Analytic"
      4⤵
      PID:3864
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
      4⤵
      PID:5028
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/Debug"
      4⤵
      PID:1996
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/Operational"
      4⤵
      PID:380
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Crypto-DSSEnh/Analytic"
      4⤵
      PID:4988
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Crypto-NCrypt/Operational"
      4⤵
      PID:872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Crypto-RNG/Analytic"
      4⤵
      PID:5000
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Crypto-RSAEnh/Analytic"
      4⤵
      PID:1788
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-D3D10Level9/Analytic"
      4⤵
      PID:1172
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-D3D10Level9/PerfTiming"
      4⤵
      PID:1116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DAL-Provider/Analytic"
      4⤵
      PID:2288
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DAL-Provider/Operational"
      4⤵
      PID:1356
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DAMM/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3988
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DCLocator/Debug"
      4⤵
      PID:1488
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DDisplay/Analytic"
      4⤵
      PID:2072
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DDisplay/Logging"
      4⤵
      PID:2512
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DLNA-Namespace/Analytic"
      4⤵
      PID:524
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DNS-Client/Operational"
      4⤵
      PID:2760
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DSC/Admin"
      4⤵
      PID:2964
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DSC/Analytic"
      4⤵
      PID:2764
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DSC/Debug"
      4⤵
      PID:2876
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DSC/Operational"
      4⤵
      PID:2772
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DUI/Diagnostic"
      4⤵
      PID:1980
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DUSER/Diagnostic"
      4⤵
      PID:2696
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DXGI/Analytic"
      4⤵
      PID:2692
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DXGI/Logging"
      4⤵
      PID:5084
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DXP/Analytic"
      4⤵
      PID:328
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Data-Pdf/Debug"
      4⤵
      Clears Windows event logs
      PID:2708
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DataIntegrityScan/Admin"
      4⤵
      PID:2608
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
      4⤵
      PID:2324
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Analytic"
      4⤵
      PID:5036
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Debug"
      4⤵
      PID:4112
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Operational"
      4⤵
      PID:4148
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Deduplication/Diagnostic"
      4⤵
      PID:4156
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Deduplication/Operational"
      4⤵
      Clears Windows event logs
      PID:3472
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Deduplication/Performance"
      4⤵
      PID:3080
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Deduplication/Scrubbing"
      4⤵
      PID:4828
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Defrag-Core/Debug"
      4⤵
      PID:4880
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Deplorch/Analytic"
      4⤵
      PID:4876
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
      4⤵
      PID:3460
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
      4⤵
      PID:4420
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceAssociationService/Performance"
      4⤵
      PID:3612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceConfidence/Analytic"
      4⤵
      Clears Windows event logs
      PID:3776
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceGuard/Operational"
      4⤵
      PID:2012
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
      4⤵
      PID:4056
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
      4⤵
      PID:1168
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Admin"
      4⤵
      PID:1808
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Analytic"
      4⤵
      PID:3844
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Debug"
      4⤵
      PID:4736
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Operational"
      4⤵
      PID:5104
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceSync/Analytic"
      4⤵
      PID:4464
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceSync/Operational"
      4⤵
      PID:2280
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceUx/Informational"
      4⤵
      PID:4316
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DeviceUx/Performance"
      4⤵
      PID:1296
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Devices-Background/Operational"
      4⤵
      PID:4280
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Admin"
      4⤵
      PID:4228
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Operational"
      4⤵
      PID:428
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Admin"
      4⤵
      PID:764
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Operational"
      4⤵
      PID:4860
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DiagCpl/Debug"
      4⤵
      PID:2440
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
      4⤵
      PID:3256
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Analytic"
      4⤵
      PID:3876
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Debug"
      4⤵
      PID:3232
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Operational"
      4⤵
      PID:3044
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-MSDE/Debug"
      4⤵
      PID:4776
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Analytic"
      4⤵
      PID:2916
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Debug"
      4⤵
      PID:3352
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Operational"
      4⤵
      PID:2292
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Debug"
      4⤵
      PID:3272
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Operational"
      4⤵
      PID:3428
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
      4⤵
      PID:2088
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scheduled/Operational"
      4⤵
      PID:3412
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Admin"
      4⤵
      PID:1280
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Analytic"
      4⤵
      PID:3816
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Debug"
      4⤵
      PID:3948
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Operational"
      4⤵
      PID:1796
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
      4⤵
      PID:3900
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
      4⤵
      PID:3892
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDC/Analytic"
      4⤵
      PID:4240
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDI/Debug"
      4⤵
      PID:3896
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Debug"
      4⤵
      PID:4232
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Operational"
      4⤵
      PID:5040
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:5044
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
      4⤵
      PID:5064
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
      4⤵
      PID:1684
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
      4⤵
      PID:4496
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Operational"
      4⤵
      PID:4632
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Direct3D10/Analytic"
      4⤵
      PID:4640
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Direct3D10_1/Analytic"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Direct3D11/Analytic"
      4⤵
      PID:1788
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Direct3D11/Logging"
      4⤵
      PID:4184
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Direct3D11/PerfTiming"
      4⤵
      PID:2288
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Direct3D12/Analytic"
      4⤵
      PID:4688
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Direct3D12/Logging"
      4⤵
      PID:596
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Direct3D12/PerfTiming"
      4⤵
      PID:2360
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Direct3D9/Analytic"
      4⤵
      PID:660
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Direct3DShaderCache/Default"
      4⤵
      Clears Windows event logs
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DirectComposition/Diagnostic"
      4⤵
      PID:2344
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DirectManipulation/Diagnostic"
      4⤵
      PID:2968
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DirectShow-KernelSupport/Performance"
      4⤵
      PID:4836
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DirectSound/Debug"
      4⤵
      PID:2872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DirectWrite-FontCache/Tracing"
      4⤵
      PID:2868
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DirectWrite/Tracing"
      4⤵
      PID:1536
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Disk/Operational"
      4⤵
      PID:4820
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DiskDiagnostic/Operational"
      4⤵
      PID:1872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
      4⤵
      PID:2680
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticResolver/Operational"
      4⤵
      PID:2688
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dism-Api/Analytic"
      4⤵
      PID:3872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dism-Api/ExternalAnalytic"
      4⤵
      PID:3964
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dism-Api/InternalAnalytic"
      4⤵
      PID:5116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dism-Cli/Analytic"
      4⤵
      PID:3396
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Debug"
      4⤵
      PID:4164
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Operational"
      4⤵
      PID:4140
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DisplaySwitch/Diagnostic"
      4⤵
      PID:3512
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Documents/Performance"
      4⤵
      PID:4576
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dot3MM/Diagnostic"
      4⤵
      PID:4668
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
      4⤵
      PID:4904
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dwm-API/Diagnostic"
      4⤵
      PID:4652
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dwm-Core/Diagnostic"
      4⤵
      PID:4364
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dwm-Dwm/Diagnostic"
      4⤵
      PID:4876
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dwm-Redir/Diagnostic"
      4⤵
      PID:2376
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Dwm-Udwm/Diagnostic"
      4⤵
      PID:4924
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Contention"
      4⤵
      PID:2880
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3468
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Performance"
      4⤵
      PID:760
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Power"
      4⤵
      PID:3376
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
      4⤵
      PID:4708
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EDP-Application-Learning/Admin"
      4⤵
      PID:1248
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EDP-Audit-Regular/Admin"
      4⤵
      PID:5100
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EDP-Audit-TCB/Admin"
      4⤵
      PID:4128
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EFS/Debug"
      4⤵
      PID:4596
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ESE/IODiagnose"
      4⤵
      PID:2216
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ESE/Operational"
      4⤵
      PID:2200
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EapHost/Analytic"
      4⤵
      PID:1988
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EapHost/Debug"
      4⤵
      PID:3724
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EapHost/Operational"
      4⤵
      Clears Windows event logs
      PID:4560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EapMethods-RasChap/Operational"
      4⤵
      PID:4792
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EapMethods-RasTls/Operational"
      4⤵
      PID:2068
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EapMethods-Sim/Operational"
      4⤵
      PID:2488
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EapMethods-Ttls/Operational"
      4⤵
      PID:4860
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EaseOfAccess/Diagnostic"
      4⤵
      PID:4972
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EmbeddedAppLauncher/Admin"
      4⤵
      PID:4548
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EmbeddedAppLauncher/Operational"
      4⤵
      PID:4796
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
      4⤵
      PID:4960
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Energy-Estimation-Engine/Trace"
      4⤵
      PID:3064
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
      4⤵
      PID:1372
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EventCollector/Debug"
      4⤵
      PID:4616
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EventCollector/Operational"
      4⤵
      PID:2320
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EventLog-WMIProvider/Debug"
      4⤵
      PID:3992
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EventLog/Analytic"
      4⤵
      Clears Windows event logs
      PID:1508
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-EventLog/Debug"
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FMS/Analytic"
      4⤵
      PID:3436
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FMS/Debug"
      4⤵
      PID:3568
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FMS/Operational"
      4⤵
      PID:2008
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
      4⤵
      PID:3560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
      4⤵
      PID:1276
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-Catalog/Analytic"
      4⤵
      PID:4308
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-Catalog/Debug"
      4⤵
      PID:3584
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
      4⤵
      Clears Windows event logs
      PID:3920
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-ConfigManager/Debug"
      4⤵
      PID:4224
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/Analytic"
      4⤵
      PID:3896
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/Debug"
      4⤵
      PID:4232
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/WHC"
      4⤵
      PID:5040
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/Analytic"
      4⤵
      PID:5044
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/BackupLog"
      4⤵
      PID:4008
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/Debug"
      4⤵
      PID:5064
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-EventListener/Analytic"
      4⤵
      PID:4496
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-EventListener/Debug"
      4⤵
      PID:3112
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-Service/Analytic"
      4⤵
      PID:5000
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-Service/Debug"
      4⤵
      PID:1656
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-UI-Events/Analytic"
      4⤵
      PID:1172
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileHistory-UI-Events/Debug"
      4⤵
      PID:2284
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FileInfoMinifilter/Operational"
      4⤵
      PID:4620
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Firewall-CPL/Diagnostic"
      4⤵
      PID:1852
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Folder Redirection/Operational"
      4⤵
      PID:4980
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-FontGroups/Diagnostic"
      4⤵
      PID:1344
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Forwarding/Debug"
      4⤵
      PID:2168
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Forwarding/Operational"
      4⤵
      Clears Windows event logs
      PID:668
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-GPIO-ClassExtension/Analytic"
      4⤵
      PID:2496
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-GenericRoaming/Admin"
      4⤵
      PID:2344
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-GroupPolicy/Operational"
      4⤵
      PID:2752
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HAL/Debug"
      4⤵
      PID:2768
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HealthCenter/Debug"
      4⤵
      PID:64
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HealthCenter/Performance"
      4⤵
      PID:1576
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HealthCenterCPL/Performance"
      4⤵
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HelloForBusiness/Operational"
      4⤵
      PID:364
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Help/Operational"
      4⤵
      PID:2612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
      4⤵
      PID:2700
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel/Operational"
      4⤵
      PID:3860
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HomeGroup Listener Service/Operational"
      4⤵
      PID:3848
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:516
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service/Operational"
      4⤵
      PID:3508
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HomeGroup-ListenerService"
      4⤵
      PID:5036
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HotspotAuth/Analytic"
      4⤵
      PID:3936
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HotspotAuth/Operational"
      4⤵
      PID:3972
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HttpService/Log"
      4⤵
      PID:4152
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-HttpService/Trace"
      4⤵
      PID:4612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
      4⤵
      PID:4532
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
      4⤵
      PID:4804
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
      4⤵
      PID:2004
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
      4⤵
      PID:2928
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
      4⤵
      PID:3300
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
      4⤵
      PID:3828
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IKE/Operational"
      4⤵
      PID:3612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IKEDBG/Debug"
      4⤵
      PID:828
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-Broker/Analytic"
      4⤵
      PID:2248
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-CandidateUI/Analytic"
      4⤵
      PID:4056
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
      4⤵
      PID:4512
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
      4⤵
      PID:4520
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-JPAPI/Analytic"
      4⤵
      PID:4136
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-JPLMP/Analytic"
      4⤵
      PID:4736
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-JPPRED/Analytic"
      4⤵
      PID:5104
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-JPSetting/Analytic"
      4⤵
      PID:2276
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-JPTIP/Analytic"
      4⤵
      PID:4952
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-KRAPI/Analytic"
      4⤵
      PID:4544
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-KRTIP/Analytic"
      4⤵
      PID:1296
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-OEDCompiler/Analytic"
      4⤵
      PID:4280
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-TCCORE/Analytic"
      4⤵
      PID:4228
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-TCTIP/Analytic"
      4⤵
      PID:2068
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IME-TIP/Analytic"
      4⤵
      PID:2488
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IPNAT/Diagnostic"
      4⤵
      PID:4860
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IPSEC-SRV/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:4972
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IdCtrls/Analytic"
      4⤵
      Clears Windows event logs
      PID:4600
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IdCtrls/Operational"
      4⤵
      PID:3228
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:4968
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Input-HIDCLASS-Analytic"
      4⤵
      PID:3324
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-InputSwitch/Diagnostic"
      4⤵
      PID:4776
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
      4⤵
      PID:1664
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-International/Operational"
      4⤵
      PID:2916
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Debug"
      4⤵
      PID:4408
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Operational"
      4⤵
      PID:4064
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Trace"
      4⤵
      Clears Windows event logs
      PID:1508
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-KdsSvc/Operational"
      4⤵
      PID:3576
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kerberos/Operational"
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Acpi/Diagnostic"
      4⤵
      PID:3568
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-AppCompat/General"
      4⤵
      PID:2008
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-AppCompat/Performance"
      4⤵
      PID:3560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
      4⤵
      PID:1276
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Debug"
      4⤵
      PID:4308
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Operational"
      4⤵
      PID:3584
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Analytic"
      4⤵
      PID:4208
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Operational"
      4⤵
      PID:3920
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
      4⤵
      PID:3896
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Disk/Analytic"
      4⤵
      PID:1112
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Admin"
      4⤵
      PID:1500
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Analytic"
      4⤵
      PID:3864
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-File/Analytic"
      4⤵
      PID:1016
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-IO/Operational"
      4⤵
      PID:3852
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
      4⤵
      PID:380
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
      4⤵
      PID:1532
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-LiveDump/Analytic"
      4⤵
      PID:1184
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Memory/Analytic"
      4⤵
      PID:4632
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Network/Analytic"
      4⤵
      PID:5000
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Pdc/Diagnostic"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Pep/Diagnostic"
      4⤵
      PID:1172
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
      4⤵
      PID:1116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Configuration"
      4⤵
      PID:4740
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
      4⤵
      Clears Windows event logs
      PID:4688
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
      4⤵
      PID:1448
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
      4⤵
      PID:596
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Diagnostic"
      4⤵
      PID:660
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
      4⤵
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Operational"
      4⤵
      PID:668
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
      4⤵
      PID:2968
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Process/Analytic"
      4⤵
      PID:2876
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
      4⤵
      PID:4836
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Analytic"
      4⤵
      PID:356
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Performance"
      4⤵
      PID:4840
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Debug"
      4⤵
      PID:4816
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
      4⤵
      PID:3416
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Operational"
      4⤵
      PID:2612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Analytic"
      4⤵
      PID:2700
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Operational"
      4⤵
      PID:2324
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Analytic"
      4⤵
      PID:3848
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Debug"
      4⤵
      PID:516
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Operational"
      4⤵
      PID:3508
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Errors"
      4⤵
      PID:4156
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Operational"
      4⤵
      PID:5036
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Kernel-XDV/Analytic"
      4⤵
      PID:3972
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Known Folders API Service"
      4⤵
      PID:4152
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-L2NA/Diagnostic"
      4⤵
      PID:4880
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LDAP-Client/Debug"
      4⤵
      PID:4612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LSA/Diagnostic"
      4⤵
      PID:4804
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LSA/Operational"
      4⤵
      PID:4420
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LSA/Performance"
      4⤵
      PID:2004
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
      4⤵
      PID:3300
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Analytic"
      4⤵
      PID:3828
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Debug"
      4⤵
      PID:3612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Operational"
      4⤵
      PID:828
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LanguageProfile/Analytic"
      4⤵
      PID:3308
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LimitsManagement/Diagnostic"
      4⤵
      PID:2248
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
      4⤵
      PID:4512
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
      4⤵
      PID:508
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LiveId/Analytic"
      4⤵
      Clears Windows event logs
      PID:4108
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-LiveId/Operational"
      4⤵
      PID:4596
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
      4⤵
      PID:2276
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MPS-CLNT/Diagnostic"
      4⤵
      PID:2280
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MPS-DRV/Diagnostic"
      4⤵
      PID:1988
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MPS-SRV/Diagnostic"
      4⤵
      PID:3724
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MSFTEDIT/Diagnostic"
      4⤵
      PID:4560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MSPaint/Admin"
      4⤵
      PID:3996
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MSPaint/Debug"
      4⤵
      PID:3808
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MSPaint/Diagnostic"
      4⤵
      PID:764
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MUI/Admin"
      4⤵
      PID:2440
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MUI/Analytic"
      4⤵
      PID:4188
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MUI/Debug"
      4⤵
      PID:4548
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MUI/Operational"
      4⤵
      PID:4796
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Media-Streaming/DMC"
      4⤵
      PID:4960
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Media-Streaming/DMR"
      4⤵
      PID:3728
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Media-Streaming/MDE"
      4⤵
      PID:1372
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
      4⤵
      PID:4616
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
      4⤵
      PID:3380
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
      4⤵
      PID:2320
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
      4⤵
      PID:4932
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
      4⤵
      PID:3384
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
      4⤵
      PID:2088
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
      4⤵
      PID:1644
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Minstore/Analytic"
      4⤵
      Clears Windows event logs
      PID:3404
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Minstore/Debug"
      4⤵
      PID:1188
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
      4⤵
      PID:3560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
      4⤵
      PID:4264
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
      4⤵
      PID:4220
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
      4⤵
      Clears Windows event logs
      PID:3932
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
      4⤵
      PID:4092
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin"
      4⤵
      PID:4716
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Analytic"
      4⤵
      PID:560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-MobilityCenter/Performance"
      4⤵
      PID:492
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Mprddm/Operational"
      4⤵
      PID:1112
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NCSI/Analytic"
      4⤵
      PID:4232
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NCSI/Operational"
      4⤵
      PID:5040
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
      4⤵
      PID:3852
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
      4⤵
      PID:4008
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NDIS/Diagnostic"
      4⤵
      PID:5064
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NDIS/Operational"
      4⤵
      Clears Windows event logs
      PID:4496
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NFC-Class-Extension/Analytical"
      4⤵
      Clears Windows event logs
      PID:4632
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NTLM/Operational"
      4⤵
      PID:3112
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NWiFi/Diagnostic"
      4⤵
      PID:4684
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Narrator/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1656
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Ncasvc/Operational"
      4⤵
      PID:1116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Diagnostic"
      4⤵
      PID:2120
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Operational"
      4⤵
      Clears Windows event logs
      PID:4672
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NdisImPlatform/Operational"
      4⤵
      PID:2072
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Ndu/Diagnostic"
      4⤵
      PID:596
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NetShell/Performance"
      4⤵
      PID:2516
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Network-Connection-Broker"
      4⤵
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Network-DataUsage/Analytic"
      4⤵
      PID:3028
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Network-Setup/Diagnostic"
      4⤵
      PID:2968
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
      4⤵
      PID:2780
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NetworkBridge/Diagnostic"
      4⤵
      PID:2768
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NetworkLocationWizard/Operational"
      4⤵
      PID:2696
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Diagnostic"
      4⤵
      PID:1576
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Operational"
      4⤵
      PID:5084
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NetworkProvider/Operational"
      4⤵
      PID:328
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Analytic"
      4⤵
      Clears Windows event logs
      PID:2688
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Operational"
      4⤵
      PID:3856
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NetworkSecurity/Debug"
      4⤵
      PID:3872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NetworkStatus/Analytic"
      4⤵
      PID:2108
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Networking-Correlation/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:516
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
      4⤵
      PID:4148
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NlaSvc/Diagnostic"
      4⤵
      PID:3936
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NlaSvc/Operational"
      4⤵
      PID:5036
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Ntfs/Operational"
      4⤵
      PID:4472
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Ntfs/Performance"
      4⤵
      PID:4828
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Ntfs/WHC"
      4⤵
      Clears Windows event logs
      PID:4904
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NvdimmN/Analytic"
      4⤵
      PID:4612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NvdimmN/Diagnostic"
      4⤵
      PID:3544
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-NvdimmN/Operational"
      4⤵
      PID:4876
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OLE/Clipboard-Performance"
      4⤵
      PID:3460
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OLEACC/Debug"
      4⤵
      PID:2004
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OLEACC/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:4024
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
      4⤵
      PID:3612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
      4⤵
      PID:4508
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
      4⤵
      PID:760
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Operational"
      4⤵
      PID:3572
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
      4⤵
      PID:4712
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Analytic"
      4⤵
      PID:3844
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Debug"
      4⤵
      PID:2420
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Operational"
      4⤵
      PID:2216
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OfflineFiles/SyncLog"
      4⤵
      PID:2200
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OneBackup/Debug"
      4⤵
      PID:2428
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OneX/Diagnostic"
      4⤵
      PID:3440
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OneX/Operational"
      4⤵
      PID:4868
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OobeLdr/Analytic"
      4⤵
      PID:428
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-OtpCredentialProvider/Operational"
      4⤵
      Clears Windows event logs
      PID:4792
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PCI/Diagnostic"
      4⤵
      PID:2068
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Analytic"
      4⤵
      PID:2488
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Debug"
      4⤵
      PID:4860
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Operational"
      4⤵
      PID:4964
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ParentalControls/Operational"
      4⤵
      PID:4188
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Partition/Analytic"
      4⤵
      PID:4548
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Partition/Diagnostic"
      4⤵
      PID:3388
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
      4⤵
      PID:4796
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PerceptionRuntime/Operational"
      4⤵
      PID:3728
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PerceptionSensorDataService/Operational"
      4⤵
      PID:1372
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PhotoAcq/Analytic"
      4⤵
      PID:4616
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PlayToManager/Analytic"
      4⤵
      PID:3272
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PmemDisk/Analytic"
      4⤵
      PID:2320
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PmemDisk/Diagnostic"
      4⤵
      PID:3436
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PmemDisk/Operational"
      4⤵
      PID:4932
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Policy/Analytic"
      4⤵
      PID:3428
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Policy/Operational"
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
      4⤵
      PID:3568
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
      4⤵
      PID:1180
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
      4⤵
      PID:2008
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PowerCfg/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1276
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PowerCpl/Diagnostic"
      4⤵
      PID:4308
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
      4⤵
      PID:3584
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
      4⤵
      PID:4208
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
      4⤵
      PID:3920
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
      4⤵
      PID:3896
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PowerShell/Admin"
      4⤵
      PID:492
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PowerShell/Analytic"
      4⤵
      PID:1500
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PowerShell/Debug"
      4⤵
      PID:3864
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PowerShell/Operational"
      4⤵
      PID:4664
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PriResources-Deployment/Diagnostic"
      4⤵
      PID:3852
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PriResources-Deployment/Operational"
      4⤵
      PID:380
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PrimaryNetworkIcon/Performance"
      4⤵
      PID:5064
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PrintBRM/Admin"
      4⤵
      PID:4640
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PrintDialogs/Analytic"
      4⤵
      PID:1184
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PrintDialogs3D/Analytic"
      4⤵
      PID:5000
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PrintService-USBMon/Debug"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PrintService/Admin"
      4⤵
      PID:1656
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PrintService/Debug"
      4⤵
      PID:1116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PrintService/Operational"
      4⤵
      PID:2120
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ProcessStateManager/Diagnostic"
      4⤵
      PID:4672
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
      4⤵
      PID:2072
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
      4⤵
      PID:596
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
      4⤵
      PID:2516
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
      4⤵
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Diagnostic"
      4⤵
      PID:3028
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Informational"
      4⤵
      PID:2968
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Performance"
      4⤵
      PID:1536
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PushNotification-Developer/Debug"
      4⤵
      Clears Windows event logs
      PID:2692
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PushNotification-InProc/Debug"
      4⤵
      PID:1872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Admin"
      4⤵
      PID:2680
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Debug"
      4⤵
      PID:4816
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Operational"
      4⤵
      PID:328
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-QoS-Pacer/Diagnostic"
      4⤵
      PID:3964
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-QoS-qWAVE/Debug"
      4⤵
      PID:3856
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RPC-Proxy/Debug"
      4⤵
      PID:3872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RPC/Debug"
      4⤵
      PID:4164
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RPC/EEInfo"
      4⤵
      PID:2108
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RRAS/Debug"
      4⤵
      Clears Windows event logs
      PID:4148
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RRAS/Operational"
      4⤵
      PID:4156
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RadioManager/Analytic"
      4⤵
      PID:4432
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
      4⤵
      PID:3972
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RasAgileVpn/Debug"
      4⤵
      PID:4472
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RasAgileVpn/Operational"
      4⤵
      PID:4856
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ReFS/Operational"
      4⤵
      PID:4880
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Analytic"
      4⤵
      PID:4804
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Operational"
      4⤵
      Clears Windows event logs
      PID:3276
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Analytic"
      4⤵
      PID:704
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Operational"
      4⤵
      PID:3460
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Regsvr32/Operational"
      4⤵
      PID:3776
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
      4⤵
      PID:3828
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
      4⤵
      PID:828
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Admin"
      4⤵
      PID:3308
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Operational"
      4⤵
      PID:2248
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Tracing"
      4⤵
      PID:4712
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
      4⤵
      PID:5100
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
      4⤵
      Clears Windows event logs
      PID:4128
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
      4⤵
      PID:4604
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
      4⤵
      PID:5104
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
      4⤵
      Clears Windows event logs
      PID:4952
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
      4⤵
      PID:4316
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
      4⤵
      PID:1988
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
      4⤵
      PID:1296
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Operational"
      4⤵
      PID:2356
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ResetEng-Trace/Diagnostic"
      4⤵
      PID:5088
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
      4⤵
      PID:2932
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
      4⤵
      PID:5020
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ResourcePublication/Tracing"
      4⤵
      PID:4972
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RestartManager/Operational"
      4⤵
      PID:4784
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RetailDemo/Admin"
      4⤵
      PID:3116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-RetailDemo/Operational"
      4⤵
      Clears Windows event logs
      PID:4548
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Runtime-Graphics/Analytic"
      4⤵
      PID:3064
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
      4⤵
      PID:4236
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Runtime-Networking/Tracing"
      4⤵
      PID:2292
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Runtime-Web-Http/Tracing"
      4⤵
      Clears Windows event logs
      PID:3372
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Runtime-WebAPI/Tracing"
      4⤵
      PID:3608
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
      4⤵
      Clears Windows event logs
      PID:4408
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
      4⤵
      PID:1508
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
      4⤵
      PID:3580
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Runtime/CreateInstance"
      4⤵
      PID:1280
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Runtime/Error"
      4⤵
      PID:3816
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SENSE/Operational"
      4⤵
      PID:3364
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBClient/Analytic"
      4⤵
      PID:1188
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
      4⤵
      PID:3900
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
      4⤵
      PID:4264
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBClient/Operational"
      4⤵
      PID:4220
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBServer/Analytic"
      4⤵
      PID:3584
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBServer/Audit"
      4⤵
      PID:4092
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBServer/Connectivity"
      4⤵
      PID:4208
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBServer/Diagnostic"
      4⤵
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBServer/Operational"
      4⤵
      PID:492
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBServer/Performance"
      4⤵
      PID:1684
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBServer/Security"
      4⤵
      PID:1016
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Admin"
      4⤵
      Clears Windows event logs
      PID:872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Informational"
      4⤵
      PID:1532
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SPB-ClassExtension/Analytic"
      4⤵
      PID:1772
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SPB-HIDI2C/Analytic"
      4⤵
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Schannel-Events/Perf"
      4⤵
      PID:1788
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ScmBus/Analytic"
      4⤵
      PID:1356
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ScmBus/Certification"
      4⤵
      PID:2288
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ScmBus/Diagnose"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ScmBus/Operational"
      4⤵
      PID:1488
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Sdbus/Analytic"
      4⤵
      PID:1852
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Sdbus/Debug"
      4⤵
      PID:4980
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Sdstor/Analytic"
      4⤵
      PID:2360
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Search-Core/Diagnostic"
      4⤵
      PID:2072
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
      4⤵
      PID:600
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SearchUI/Diagnostic"
      4⤵
      PID:2496
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SearchUI/Operational"
      4⤵
      PID:2344
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SecureAssessment/Operational"
      4⤵
      PID:2752
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
      4⤵
      PID:2968
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
      4⤵
      PID:4836
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
      4⤵
      PID:4820
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
      4⤵
      PID:2692
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
      4⤵
      PID:2616
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-IdentityListener/Operational"
      4⤵
      PID:2620
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-IdentityStore/Performance"
      4⤵
      PID:2612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
      4⤵
      PID:2700
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-Netlogon/Operational"
      4⤵
      PID:4584
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
      4⤵
      PID:5116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
      4⤵
      PID:3848
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
      4⤵
      PID:4140
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX/Analytic"
      4⤵
      PID:3512
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-SPP/Perf"
      4⤵
      PID:3936
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-UserConsentVerifier/Audit"
      4⤵
      PID:4668
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Security-Vault/Performance"
      4⤵
      PID:4532
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Admin"
      4⤵
      PID:752
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Operational"
      4⤵
      PID:4364
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Perf"
      4⤵
      PID:3488
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SendTo/Diagnostic"
      4⤵
      PID:1136
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Sens/Debug"
      4⤵
      PID:3300
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Sensors/Debug"
      4⤵
      PID:4420
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Sensors/Performance"
      4⤵
      PID:996
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
      4⤵
      PID:4720
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Serial-ClassExtension/Analytic"
      4⤵
      PID:3376
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ServiceReportingApi/Debug"
      4⤵
      PID:4708
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Services-Svchost/Diagnostic"
      4⤵
      PID:1248
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Services/Diagnostic"
      4⤵
      PID:4520
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Servicing/Debug"
      4⤵
      PID:4736
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Debug"
      4⤵
      PID:4464
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Operational"
      4⤵
      PID:4596
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Analytic"
      4⤵
      PID:4244
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Debug"
      4⤵
      PID:2200
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Operational"
      4⤵
      PID:4348
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SettingSync/Analytic"
      4⤵
      PID:3724
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SettingSync/Debug"
      4⤵
      Clears Windows event logs
      PID:4228
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SettingSync/Operational"
      4⤵
      PID:4560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SettingSync/VerboseDebug"
      4⤵
      PID:4792
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Setup/Analytic"
      4⤵
      PID:2068
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SetupCl/Analytic"
      4⤵
      PID:2488
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SetupPlatform/Analytic"
      4⤵
      PID:4860
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SetupQueue/Analytic"
      4⤵
      PID:4964
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SetupUGC/Analytic"
      4⤵
      PID:4188
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
      4⤵
      PID:4960
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
      4⤵
      PID:3388
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
      4⤵
      PID:4796
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
      4⤵
      PID:3728
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
      4⤵
      PID:2292
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
      4⤵
      PID:4616
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
      4⤵
      PID:3272
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
      4⤵
      PID:4408
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
      4⤵
      PID:4592
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
      4⤵
      PID:4932
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-Core/ActionCenter"
      4⤵
      PID:3428
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-Core/AppDefaults"
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-Core/Diagnostic"
      4⤵
      PID:1796
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-Core/LogonTasksChannel"
      4⤵
      PID:3588
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-Core/Operational"
      4⤵
      PID:3892
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
      4⤵
      PID:3900
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
      4⤵
      PID:3932
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-OpenWith/Diagnostic"
      4⤵
      PID:4264
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-Search-UriHandler"
      4⤵
      PID:3584
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-Shwebsvc"
      4⤵
      PID:4092
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
      4⤵
      PID:560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
      4⤵
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
      4⤵
      PID:2224
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Shsvcs/Diagnostic"
      4⤵
      PID:4232
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SleepStudy/Diagnostic"
      4⤵
      PID:3520
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SmartCard-Audit/Authentication"
      4⤵
      PID:5040
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
      4⤵
      PID:4680
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
      4⤵
      PID:1628
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
      4⤵
      PID:4496
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SmbClient/Connectivity"
      4⤵
      PID:1544
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SmbClient/Diagnostic"
      4⤵
      PID:5000
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SmbClient/Security"
      4⤵
      PID:2284
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Speech-UserExperience/Diagnostic"
      4⤵
      PID:4620
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Spell-Checking/Analytic"
      4⤵
      PID:1656
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SpellChecker/Analytic"
      4⤵
      PID:1116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Spellchecking-Host/Analytic"
      4⤵
      PID:2120
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SruMon/Diagnostic"
      4⤵
      PID:1448
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SrumTelemetry"
      4⤵
      PID:4672
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StateRepository/Debug"
      4⤵
      PID:596
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StateRepository/Diagnostic"
      4⤵
      PID:2516
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StateRepository/Operational"
      4⤵
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StateRepository/Restricted"
      4⤵
      PID:2876
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StorDiag/Operational"
      4⤵
      PID:3028
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StorPort/Operational"
      4⤵
      PID:1536
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Admin"
      4⤵
      PID:1576
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Analytic"
      4⤵
      PID:2692
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Debug"
      4⤵
      PID:2708
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Diagnose"
      4⤵
      PID:2620
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Operational"
      4⤵
      PID:2612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Admin"
      4⤵
      PID:2700
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Analytic"
      4⤵
      PID:4584
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Debug"
      4⤵
      PID:5116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Diagnose"
      4⤵
      PID:3848
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Operational"
      4⤵
      PID:4140
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Admin"
      4⤵
      PID:3512
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Analytic"
      4⤵
      PID:3936
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Debug"
      4⤵
      PID:4668
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Diagnose"
      4⤵
      PID:4532
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Operational"
      4⤵
      PID:752
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Admin"
      4⤵
      PID:2376
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Analytic"
      4⤵
      PID:1444
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Debug"
      4⤵
      PID:2880
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Diagnose"
      4⤵
      PID:3468
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Operational"
      4⤵
      PID:2012
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
      4⤵
      PID:4056
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Storage-Tiering/Admin"
      4⤵
      PID:1168
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StorageManagement/Debug"
      4⤵
      PID:1808
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StorageManagement/Operational"
      4⤵
      PID:4512
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
      4⤵
      PID:508
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Operational"
      4⤵
      PID:4108
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Performance"
      4⤵
      PID:4004
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
      4⤵
      PID:4288
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
      4⤵
      PID:2276
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
      4⤵
      PID:4544
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Store/Operational"
      4⤵
      PID:4284
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Subsys-Csr/Operational"
      4⤵
      PID:4280
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Subsys-SMSS/Operational"
      4⤵
      PID:3996
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Superfetch/Main"
      4⤵
      PID:3808
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Superfetch/PfApLog"
      4⤵
      PID:4560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Superfetch/StoreLog"
      4⤵
      PID:4792
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Sysprep/Analytic"
      4⤵
      PID:2068
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
      4⤵
      PID:2488
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SystemSettingsHandlers/Debug"
      4⤵
      PID:4860
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Debug"
      4⤵
      PID:3232
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
      4⤵
      PID:4964
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Operational"
      4⤵
      PID:4776
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TCPIP/Diagnostic"
      4⤵
      PID:4960
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TCPIP/Operational"
      4⤵
      PID:3064
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Debug"
      4⤵
      PID:2916
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Diagnostic"
      4⤵
      PID:4236
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Debug"
      4⤵
      PID:3372
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Diagnostic"
      4⤵
      PID:3384
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TTS/Diagnostic"
      4⤵
      PID:3608
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TWinAPI/Diagnostic"
      4⤵
      PID:5048
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TWinUI/Diagnostic"
      4⤵
      PID:3412
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TWinUI/Operational"
      4⤵
      PID:2088
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TZSync/Analytic"
      4⤵
      Clears Windows event logs
      PID:1644
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TZSync/Operational"
      4⤵
      PID:824
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TZUtil/Operational"
      4⤵
      PID:3568
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Debug"
      4⤵
      PID:3356
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Diagnostic"
      4⤵
      PID:4240
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Maintenance"
      4⤵
      PID:3840
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Operational"
      4⤵
      PID:4212
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TaskbarCPL/Diagnostic"
      4⤵
      PID:4716
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
      4⤵
      PID:4636
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
      4⤵
      PID:3268
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
      4⤵
      PID:4208
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
      4⤵
      PID:1996
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
      4⤵
      PID:5044
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
      4⤵
      PID:3520
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
      4⤵
      PID:4664
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
      4⤵
      PID:5056
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
      4⤵
      PID:5064
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
      4⤵
      PID:4948
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
      4⤵
      PID:1788
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
      4⤵
      Clears Windows event logs
      PID:5000
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
      4⤵
      PID:4740
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Admin"
      4⤵
      PID:2284
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Analytic"
      4⤵
      PID:1656
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Debug"
      4⤵
      PID:1116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Operational"
      4⤵
      PID:2120
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
      4⤵
      PID:1448
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Debug"
      4⤵
      PID:2756
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Operational"
      4⤵
      PID:668
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
      4⤵
      PID:2868
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
      4⤵
      PID:2768
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
      4⤵
      PID:2696
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
      4⤵
      PID:4840
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
      4⤵
      PID:5084
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
      4⤵
      PID:1576
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
      4⤵
      PID:2616
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
      4⤵
      PID:2708
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
      4⤵
      PID:2620
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
      4⤵
      PID:2612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Tethering-Manager/Analytic"
      4⤵
      PID:2700
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Tethering-Station/Analytic"
      4⤵
      PID:4584
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ThemeCPL/Diagnostic"
      4⤵
      PID:5116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-ThemeUI/Diagnostic"
      4⤵
      PID:3848
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Threat-Intelligence/Analytic"
      4⤵
      PID:4140
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-TunnelDriver"
      4⤵
      PID:3512
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UAC-FileVirtualization/Operational"
      4⤵
      PID:3936
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UAC/Operational"
      4⤵
      PID:4668
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UI-Shell/Diagnostic"
      4⤵
      PID:4532
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UIAnimation/Diagnostic"
      4⤵
      PID:2928
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Debug"
      4⤵
      PID:4612
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Diagnostic"
      4⤵
      PID:4804
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Perf"
      4⤵
      PID:3276
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UIRibbon/Diagnostic"
      4⤵
      PID:4924
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-USB-MAUSBHOST-Analytic"
      4⤵
      PID:2004
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-USB-UCX-Analytic"
      4⤵
      PID:3776
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-USB-USBHUB/Diagnostic"
      4⤵
      PID:3828
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-USB-USBHUB3-Analytic"
      4⤵
      PID:1248
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-USB-USBPORT/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:2248
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-USB-USBXHCI-Analytic"
      4⤵
      PID:4712
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UniversalTelemetryClient/Operational"
      4⤵
      PID:5100
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-User Control Panel Performance/Diagnostic"
      4⤵
      PID:4128
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-User Control Panel Usage/Diagnostic"
      4⤵
      PID:4604
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-User Control Panel/Diagnostic"
      4⤵
      PID:5104
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-User Control Panel/Operational"
      4⤵
      PID:2428
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-User Device Registration/Admin"
      4⤵
      PID:4316
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-User Device Registration/Debug"
      4⤵
      PID:4280
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-User Profile Service/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3808
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-User Profile Service/Operational"
      4⤵
      PID:4560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-User-Loader/Analytic"
      4⤵
      PID:2932
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-User-Loader/Operational"
      4⤵
      PID:4792
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UserAccountControl/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:2488
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UserModePowerService/Diagnostic"
      4⤵
      PID:4968
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UserPnp/ActionCenter"
      4⤵
      PID:4860
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceInstall"
      4⤵
      PID:3388
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
      4⤵
      PID:1888
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UserPnp/Performance"
      4⤵
      PID:4796
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UserPnp/SchedulerOperations"
      4⤵
      PID:3728
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UxInit/Diagnostic"
      4⤵
      PID:2292
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-UxTheme/Diagnostic"
      4⤵
      PID:4616
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VAN/Diagnostic"
      4⤵
      PID:768
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VDRVROOT/Operational"
      4⤵
      PID:3384
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VHDMP-Analytic"
      4⤵
      PID:3608
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VHDMP-Operational"
      4⤵
      PID:5068
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VIRTDISK/Operational"
      4⤵
      PID:3948
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VPN-Client/Operational"
      4⤵
      PID:3404
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VPN/Operational"
      4⤵
      PID:1188
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VWiFi/Diagnostic"
      4⤵
      PID:3560
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VerifyHardwareSecurity/Admin"
      4⤵
      PID:1276
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VerifyHardwareSecurity/Operational"
      4⤵
      PID:4220
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Volume/Diagnostic"
      4⤵
      PID:3932
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VolumeControl/Performance"
      4⤵
      PID:416
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
      4⤵
      PID:3920
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
      4⤵
      PID:3896
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WABSyncProvider/Analytic"
      4⤵
      PID:1112
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
      4⤵
      PID:492
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WCNWiz/Analytic"
      4⤵
      PID:1684
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WEPHOSTSVC/Operational"
      4⤵
      PID:4988
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WFP/Analytic"
      4⤵
      PID:872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WFP/Operational"
      4⤵
      PID:1532
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WLAN-AutoConfig/Operational"
      4⤵
      PID:1772
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
      4⤵
      PID:4184
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WLAN-Driver/Analytic"
      4⤵
      Clears Windows event logs
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
      4⤵
      PID:3112
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
      4⤵
      PID:1788
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Debug"
      4⤵
      PID:4620
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Operational"
      4⤵
      PID:1852
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Trace"
      4⤵
      PID:2964
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WMPDMCUI/Diagnostic"
      4⤵
      PID:4672
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
      4⤵
      PID:2756
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WMPNSS-Service/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:668
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WMPNSSUI/Diagnostic"
      4⤵
      PID:2876
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WPD-API/Analytic"
      4⤵
      PID:356
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Analytic"
      4⤵
      PID:1536
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Operational"
      4⤵
      PID:1872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
      4⤵
      PID:364
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
      4⤵
      PID:2688
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WPD-MTPBT/Analytic"
      4⤵
      PID:328
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WPD-MTPClassDriver/Analytic"
      4⤵
      PID:3860
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WPD-MTPClassDriver/Operational"
      4⤵
      PID:3856
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WPD-MTPIP/Analytic"
      4⤵
      PID:3872
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WPD-MTPUS/Analytic"
      4⤵
      PID:3508
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WSC-SRV/Diagnostic"
      4⤵
      PID:5116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WUSA/Debug"
      4⤵
      PID:4824
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WWAN-CFE/Diagnostic"
      4⤵
      PID:3848
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
      4⤵
      PID:3512
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WWAN-MediaManager/Diagnostic"
      4⤵
      PID:3936
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
      4⤵
      PID:4668
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
      4⤵
      PID:4532
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WWAN-SVC-Events/Operational"
      4⤵
      PID:3488
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Wcmsvc/Diagnostic"
      4⤵
      PID:2376
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Wcmsvc/Operational"
      4⤵
      PID:3300
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WebAuth/Operational"
      4⤵
      PID:2880
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WebIO-NDF/Diagnostic"
      4⤵
      PID:3468
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WebIO/Diagnostic"
      4⤵
      PID:2004
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WebPlatStorage-Server"
      4⤵
      PID:3776
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WebServices/Tracing"
      4⤵
      PID:3828
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WebcamProvider/Analytic"
      4⤵
      PID:3308
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Websocket-Protocol-Component/Tracing"
      4⤵
      PID:508
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WiFiDisplay/Analytic"
      4⤵
      PID:4108
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Win32k/Concurrency"
      4⤵
      PID:4004
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Win32k/Contention"
      4⤵
      PID:4288
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Win32k/Messages"
      4⤵
      PID:2200
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Win32k/Operational"
      4⤵
      PID:4544
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Win32k/Power"
      4⤵
      PID:4284
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Win32k/Render"
      4⤵
      PID:1988
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Win32k/Tracing"
      4⤵
      PID:428
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Win32k/UIPI"
      4⤵
      PID:2356
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:4812
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinHttp/Diagnostic"
      4⤵
      PID:4356
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinINet-Capture/Analytic"
      4⤵
      PID:4600
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinINet-Config/ProxyConfigChanged"
      4⤵
      PID:3876
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinINet/Analytic"
      4⤵
      PID:4784
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinINet/UsageLog"
      4⤵
      PID:4968
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinINet/WebSocket"
      4⤵
      PID:3116
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinMDE/MDE"
      4⤵
      PID:3324
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinNat/Oper"
      4⤵
      PID:1664
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinNat/Trace"
      4⤵
      PID:3380
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinRM/Analytic"
      4⤵
      Clears Windows event logs
      PID:3728
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinRM/Debug"
      4⤵
      PID:2292
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinRM/Operational"
      4⤵
      PID:4616
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-WinURLMon/Analytic"
      4⤵
      PID:768
  - - C:\Windows\system32\wevtutil.exe
      WEVTUTIL CL "Microsoft-Windows-Windeploy/Analytic"
      4⤵
      PID:1280

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\Windows\chtes.bat

Filesize
167B

MD5
d394b2b01ed38c9946fbab04570066b1

SHA1
ef1ffedb5a2e61faa23bf78dd6bd343f5a3a3942

SHA256
ec3fc388676e6c701252443b4892756f740b2c48dfae71963dd688c5a6af688f

SHA512
f0ed9eb30eb1ce6bce4d8bd6eee822211ba939abb5e1f5f6d667e6c0b9c7668ba6aec4b98aa6cc398fd7ad51a4acbd45de6427593702f0f33e2c12def21b1696

Download Submit
\??\c:\Windows\mssupdate.bat

Filesize
62B

MD5
4b76846750f44d0f376a1d7b030ceb7a

SHA1
8dc36f08d60d27653034d6518f236d1f8653502b

SHA256
fe35fdfd6b34936cd3484966524a63e22c7692f439e56acf180d0ea6cf239142

SHA512
f81b0eb9b8c229032530c4cf7fa9a7a67ce24c24ffbc33832ff852e2da2c262d452a963668ee139777fcd650437c3f500dbd751d88e5cae403aae4fdd63c878c

Download Submit
\??\c:\Windows\netlogin.bat

Filesize
156B

MD5
82b5560c678267f2d4ca8f6eb4a5496f

SHA1
529cff6a6922eecabebcdc4c1940d67ecfa93706

SHA256
a40fbc35d41cb0b4d92c64960ada318c11eaeb4ef49d629ce68e09bad7eeef62

SHA512
b1e8ad30004883e296fb358a496831a0648a5fa7495bd9f8051b4c1b6e29a1a09618064d696a7b892d2a16c74633e20346e024e0efe6cfe5188985b32c5bc909

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads