f7f336955fa601fcd9ecb0e30911e6543882b2027dcbd27ac307d25fabd342db

Analysis

max time kernel
31s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Meta Unban/Cleaners/EventCleaner.exe
Size

219KB
MD5

9353ed7c3ba8e2417ce2664ae7afac16
SHA1

05699a2a2792795db1d8f59273172ad80bdc8b06
SHA256

069b31cb7f9054647b684da4fc5263fa690e32d75729ec6b5c808b0c532b9628
SHA512

cb456c14c9ef6f49a92c989668bedb423e4020b761e627c4d67f90e855e9385d58cf0d1e024a0c728126cccdad2836615d23cd3011a8447470482ca939795262
SSDEEP

6144:Qtzsb5Uh28+V1WW69B9VjMdxPedN9ug0z9TB9SmDqzW:QtzE5elwLz9TrVeW

Score

9^/10

evasion ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
3064	wevtutil.exe
2148	wevtutil.exe
2428	wevtutil.exe
3040	wevtutil.exe
4252	wevtutil.exe
3552	wevtutil.exe
552	wevtutil.exe
4756	wevtutil.exe
2092	wevtutil.exe
428	wevtutil.exe
2740	wevtutil.exe
4596	wevtutil.exe
848	wevtutil.exe
3832	wevtutil.exe
444	wevtutil.exe
4616	wevtutil.exe
628	wevtutil.exe
4800	wevtutil.exe
3100	wevtutil.exe
2148	wevtutil.exe
2064	wevtutil.exe
2392	wevtutil.exe
460	wevtutil.exe
4596	wevtutil.exe
3912	wevtutil.exe
4668	wevtutil.exe
1964	wevtutil.exe
4304	wevtutil.exe
1500	wevtutil.exe
1516	wevtutil.exe
1208	wevtutil.exe
876	wevtutil.exe
2236	wevtutil.exe
2208	wevtutil.exe
1992	wevtutil.exe
3788	wevtutil.exe
4764	wevtutil.exe
4116	wevtutil.exe
876	wevtutil.exe
4260	wevtutil.exe
2452	wevtutil.exe
1468	wevtutil.exe
5096	wevtutil.exe
4136	wevtutil.exe
3424	wevtutil.exe
3108	wevtutil.exe
1488	wevtutil.exe
3144	wevtutil.exe
3684	wevtutil.exe
4700	wevtutil.exe
3324	wevtutil.exe
4180	wevtutil.exe
4936	wevtutil.exe
1464	wevtutil.exe
2104	wevtutil.exe
1372	wevtutil.exe
4984	wevtutil.exe
212	wevtutil.exe
3412	wevtutil.exe
4048	wevtutil.exe
1656	wevtutil.exe
4712	wevtutil.exe
3228	wevtutil.exe
3848	wevtutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeSecurityPrivilege	4560	wevtutil.exe
Token: SeBackupPrivilege	4560	wevtutil.exe
Token: SeSecurityPrivilege	4128	wevtutil.exe
Token: SeBackupPrivilege	4128	wevtutil.exe
Token: SeSecurityPrivilege	100	wevtutil.exe
Token: SeBackupPrivilege	100	wevtutil.exe
Token: SeSecurityPrivilege	216	wevtutil.exe
Token: SeBackupPrivilege	216	wevtutil.exe
Token: SeSecurityPrivilege	4768	wevtutil.exe
Token: SeBackupPrivilege	4768	wevtutil.exe
Token: SeSecurityPrivilege	2664	wevtutil.exe
Token: SeBackupPrivilege	2664	wevtutil.exe
Token: SeSecurityPrivilege	3808	wevtutil.exe
Token: SeBackupPrivilege	3808	wevtutil.exe
Token: SeSecurityPrivilege	2772	wevtutil.exe
Token: SeBackupPrivilege	2772	wevtutil.exe
Token: SeSecurityPrivilege	4776	wevtutil.exe
Token: SeBackupPrivilege	4776	wevtutil.exe
Token: SeSecurityPrivilege	336	wevtutil.exe
Token: SeBackupPrivilege	336	wevtutil.exe
Token: SeSecurityPrivilege	1324	wevtutil.exe
Token: SeBackupPrivilege	1324	wevtutil.exe
Token: SeSecurityPrivilege	1892	wevtutil.exe
Token: SeBackupPrivilege	1892	wevtutil.exe
Token: SeSecurityPrivilege	1620	wevtutil.exe
Token: SeBackupPrivilege	1620	wevtutil.exe
Token: SeSecurityPrivilege	2344	wevtutil.exe
Token: SeBackupPrivilege	2344	wevtutil.exe
Token: SeSecurityPrivilege	2340	wevtutil.exe
Token: SeBackupPrivilege	2340	wevtutil.exe
Token: SeSecurityPrivilege	628	wevtutil.exe
Token: SeBackupPrivilege	628	wevtutil.exe
Token: SeSecurityPrivilege	4304	wevtutil.exe
Token: SeBackupPrivilege	4304	wevtutil.exe
Token: SeSecurityPrivilege	2148	wevtutil.exe
Token: SeBackupPrivilege	2148	wevtutil.exe
Token: SeSecurityPrivilege	3416	wevtutil.exe
Token: SeBackupPrivilege	3416	wevtutil.exe
Token: SeSecurityPrivilege	5072	wevtutil.exe
Token: SeBackupPrivilege	5072	wevtutil.exe
Token: SeSecurityPrivilege	3920	wevtutil.exe
Token: SeBackupPrivilege	3920	wevtutil.exe
Token: SeSecurityPrivilege	4684	wevtutil.exe
Token: SeBackupPrivilege	4684	wevtutil.exe
Token: SeSecurityPrivilege	1496	wevtutil.exe
Token: SeBackupPrivilege	1496	wevtutil.exe
Token: SeSecurityPrivilege	3884	wevtutil.exe
Token: SeBackupPrivilege	3884	wevtutil.exe
Token: SeSecurityPrivilege	4328	wevtutil.exe
Token: SeBackupPrivilege	4328	wevtutil.exe
Token: SeSecurityPrivilege	3640	wevtutil.exe
Token: SeBackupPrivilege	3640	wevtutil.exe
Token: SeSecurityPrivilege	1028	wevtutil.exe
Token: SeBackupPrivilege	1028	wevtutil.exe
Token: SeSecurityPrivilege	1468	wevtutil.exe
Token: SeBackupPrivilege	1468	wevtutil.exe
Token: SeSecurityPrivilege	2104	wevtutil.exe
Token: SeBackupPrivilege	2104	wevtutil.exe
Token: SeSecurityPrivilege	1656	wevtutil.exe
Token: SeBackupPrivilege	1656	wevtutil.exe
Token: SeSecurityPrivilege	1292	wevtutil.exe
Token: SeBackupPrivilege	1292	wevtutil.exe
Token: SeSecurityPrivilege	4260	wevtutil.exe
Token: SeBackupPrivilege	4260	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EventCleaner.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4484 wrote to memory of 3872	4484	EventCleaner.exe	cmd.exe
PID 4484 wrote to memory of 3872	4484	EventCleaner.exe	cmd.exe
PID 3872 wrote to memory of 3228	3872	cmd.exe	cmd.exe
PID 3872 wrote to memory of 3228	3872	cmd.exe	cmd.exe
PID 3228 wrote to memory of 3124	3228	cmd.exe	bcdedit.exe
PID 3228 wrote to memory of 3124	3228	cmd.exe	bcdedit.exe
PID 3872 wrote to memory of 1836	3872	cmd.exe	cmd.exe
PID 3872 wrote to memory of 1836	3872	cmd.exe	cmd.exe
PID 1836 wrote to memory of 4560	1836	cmd.exe	wevtutil.exe
PID 1836 wrote to memory of 4560	1836	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 4128	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 4128	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 100	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 100	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 216	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 216	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 4768	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 4768	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 2664	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 2664	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 3808	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 3808	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 2772	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 2772	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 4776	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 4776	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 336	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 336	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 1324	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 1324	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 1892	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 1892	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 1620	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 1620	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 2344	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 2344	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 2340	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 2340	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 628	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 628	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 4304	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 4304	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 2148	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 2148	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 3416	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 3416	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 5072	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 5072	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 3920	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 3920	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 4684	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 4684	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 1496	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 1496	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 3884	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 3884	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 4328	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 4328	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 3640	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 3640	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 1028	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 1028	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 1468	3872	cmd.exe	wevtutil.exe
PID 3872 wrote to memory of 1468	3872	cmd.exe	wevtutil.exe

C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\EventCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\EventCleaner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\7EDA.tmp\7EDB.bat "C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\EventCleaner.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit
3⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\system32\bcdedit.exe
bcdedit
4⤵
PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
3⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AMSI/Debug"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AirSpaceChannel"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "FirstUXPerf-Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "General Logging"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "IHM_DebugChannel"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationFrameServer"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProc"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProcD3D"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationAsyncWrapper"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationContentProtection"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDS"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMP4"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMediaEngine"
3⤵
PID:3904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
3⤵
- Clears Windows event logs
PID:552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformanceCore"
3⤵
PID:444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
3⤵
PID:2884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
3⤵
- Clears Windows event logs
PID:1372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationSrcPrefetch"
3⤵
- Clears Windows event logs
PID:4756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
3⤵
- Clears Windows event logs
PID:3788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Admin"
3⤵
- Clears Windows event logs
PID:3684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Debug"
3⤵
- Clears Windows event logs
PID:4596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Operational"
3⤵
PID:2548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
3⤵
PID:732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
3⤵
PID:3936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
3⤵
PID:2764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
3⤵
PID:3564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
3⤵
PID:1212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
3⤵
PID:3992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
3⤵
PID:3272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
3⤵
PID:2280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
3⤵
PID:3912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
3⤵
- Clears Windows event logs
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
3⤵
PID:4536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
3⤵
PID:2624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
3⤵
- Clears Windows event logs
PID:4800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
3⤵
- Clears Windows event logs
PID:4764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
3⤵
PID:5016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
3⤵
PID:4796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
3⤵
- Clears Windows event logs
PID:4712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
3⤵
PID:4788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
3⤵
PID:4936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
3⤵
PID:3676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
3⤵
PID:4032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
3⤵
PID:3180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
3⤵
PID:4528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
3⤵
- Clears Windows event logs
PID:1500

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
3⤵
- Clears Windows event logs
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
3⤵
- Clears Windows event logs
PID:4116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
3⤵
- Clears Windows event logs
PID:3228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
3⤵
PID:1440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
3⤵
PID:3940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
3⤵
PID:3816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
3⤵
- Clears Windows event logs
PID:3848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
3⤵
PID:4128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
3⤵
PID:2452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
3⤵
PID:100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
3⤵
PID:1264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
3⤵
PID:1480

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
3⤵
PID:3384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
3⤵
PID:1428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
3⤵
PID:2772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
3⤵
PID:4776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
3⤵
PID:2100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
3⤵
PID:1724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
3⤵
PID:2740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
3⤵
- Clears Windows event logs
PID:5096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppSruProv"
3⤵
PID:3732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
3⤵
PID:2140

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
3⤵
PID:2020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
3⤵
PID:4604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
3⤵
PID:3404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
3⤵
PID:4152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
3⤵
- Clears Windows event logs
PID:876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
3⤵
PID:3576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
3⤵
- Clears Windows event logs
PID:3832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
3⤵
PID:3348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
3⤵
PID:3452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
3⤵
PID:5052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
3⤵
PID:2236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
3⤵
- Clears Windows event logs
PID:1208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
3⤵
PID:3796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
3⤵
PID:460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
3⤵
PID:3060

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
3⤵
- Clears Windows event logs
PID:4260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
3⤵
PID:552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
3⤵
- Clears Windows event logs
PID:444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
3⤵
PID:3888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
3⤵
PID:2212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
3⤵
PID:844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
3⤵
PID:4856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
3⤵
PID:448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
3⤵
PID:3568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
3⤵
PID:2160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
3⤵
PID:1464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
3⤵
PID:3424

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
3⤵
PID:3324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
3⤵
PID:3040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
3⤵
PID:4184

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
3⤵
PID:3792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
3⤵
PID:3224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
3⤵
PID:2992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
3⤵
PID:4680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
3⤵
PID:3912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
3⤵
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
3⤵
PID:4536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
3⤵
PID:2624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
3⤵
PID:2620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
3⤵
PID:1672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
3⤵
- Clears Windows event logs
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
3⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
3⤵
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
3⤵
PID:4788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
3⤵
PID:4936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
3⤵
PID:3676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
3⤵
PID:4032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
3⤵
PID:3180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
3⤵
PID:4528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
3⤵
PID:1500

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
3⤵
PID:1864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
3⤵
- Clears Windows event logs
PID:2064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
3⤵
- Clears Windows event logs
PID:4136

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
3⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
3⤵
PID:3816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
3⤵
- Clears Windows event logs
PID:2092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
3⤵
- Clears Windows event logs
PID:428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
3⤵
PID:4456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
3⤵
PID:4276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
3⤵
PID:4900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
3⤵
PID:3168

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
3⤵
- Clears Windows event logs
PID:4700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
3⤵
PID:3736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
3⤵
- Clears Windows event logs
PID:2452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
3⤵
PID:1956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
3⤵
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
3⤵
PID:3648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
3⤵
PID:2428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
3⤵
PID:760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
3⤵
PID:2344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
3⤵
PID:2140

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
3⤵
PID:2020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
3⤵
PID:4604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Call"
3⤵
PID:3404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
3⤵
PID:4152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
3⤵
- Clears Windows event logs
PID:876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
3⤵
PID:3576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
3⤵
PID:3832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
3⤵
PID:3348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
3⤵
PID:3452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
3⤵
PID:5052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
3⤵
- Clears Windows event logs
PID:2236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
3⤵
PID:1208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
3⤵
PID:3796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
3⤵
PID:460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
3⤵
PID:3060

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
3⤵
- Clears Windows event logs
PID:4984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
3⤵
PID:1232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
3⤵
PID:4948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
3⤵
PID:2884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
3⤵
PID:1372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
3⤵
PID:4756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
3⤵
PID:3788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
3⤵
PID:2468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
3⤵
- Clears Windows event logs
PID:4596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
3⤵
PID:2548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
3⤵
PID:2956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
3⤵
PID:3936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
3⤵
- Clears Windows event logs
PID:3424

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
3⤵
- Clears Windows event logs
PID:3324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
3⤵
PID:3040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
3⤵
PID:4184

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
3⤵
PID:3792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
3⤵
PID:2992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
3⤵
PID:2280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
3⤵
PID:872

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
3⤵
PID:1948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
3⤵
PID:2624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
3⤵
PID:2620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
3⤵
PID:1672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
3⤵
PID:4796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
3⤵
PID:3704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
3⤵
- Clears Windows event logs
PID:4180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
3⤵
PID:2316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
3⤵
- Clears Windows event logs
PID:4936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
3⤵
PID:3676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
3⤵
PID:4032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
3⤵
PID:3180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
3⤵
PID:4528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
3⤵
PID:3836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
3⤵
PID:3120

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
3⤵
PID:3032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
3⤵
- Clears Windows event logs
PID:3108

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
3⤵
PID:1052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
3⤵
PID:3304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
3⤵
PID:1664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
3⤵
PID:1840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
3⤵
PID:2436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
3⤵
PID:1584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
3⤵
PID:3400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
3⤵
PID:3896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
3⤵
PID:1888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
3⤵
PID:4128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
3⤵
PID:3148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
3⤵
- Clears Windows event logs
PID:2392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
3⤵
PID:3384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
3⤵
PID:2100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
3⤵
PID:5092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
3⤵
- Clears Windows event logs
PID:2740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
3⤵
PID:5096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
3⤵
PID:4288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
3⤵
PID:628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
3⤵
PID:1896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
3⤵
- Clears Windows event logs
PID:2148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
3⤵
PID:3416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
3⤵
PID:5072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
3⤵
PID:3920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
3⤵
PID:4684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
3⤵
PID:2472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
3⤵
PID:4328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
3⤵
- Clears Windows event logs
PID:3100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
3⤵
PID:4432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
3⤵
PID:4376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
3⤵
PID:3796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
3⤵
- Clears Windows event logs
PID:460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
3⤵
PID:3060

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
3⤵
PID:4984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
3⤵
- Clears Windows event logs
PID:2208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
3⤵
PID:3852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
3⤵
PID:2212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
3⤵
PID:844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
3⤵
PID:4856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
3⤵
PID:448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
3⤵
PID:4664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
3⤵
PID:2160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
3⤵
- Clears Windows event logs
PID:1464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
3⤵
- Clears Windows event logs
PID:3412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
3⤵
PID:1212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
3⤵
PID:3664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
3⤵
PID:3272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
3⤵
PID:3112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
3⤵
PID:1816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
3⤵
PID:2532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
3⤵
PID:4680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
3⤵
- Clears Windows event logs
PID:3912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
3⤵
PID:4536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
3⤵
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
3⤵
PID:4740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
3⤵
PID:4804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
3⤵
PID:2516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
3⤵
- Clears Windows event logs
PID:4048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
3⤵
PID:3356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
3⤵
PID:4368

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
3⤵
PID:4860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
3⤵
PID:3068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
3⤵
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
3⤵
PID:3704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
3⤵
PID:4180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
3⤵
PID:2316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
3⤵
PID:4936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
3⤵
PID:3676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
3⤵
PID:4032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
3⤵
PID:3180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
3⤵
PID:4528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
3⤵
PID:3836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
3⤵
PID:3120

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
3⤵
PID:3032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
3⤵
PID:2512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
3⤵
PID:3956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
3⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
3⤵
PID:3856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
3⤵
PID:1664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
3⤵
PID:1840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
3⤵
PID:2436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
3⤵
PID:1584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
3⤵
PID:368

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
3⤵
- Clears Windows event logs
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
3⤵
PID:1888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
3⤵
PID:4128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
3⤵
PID:3148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
3⤵
PID:2392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
3⤵
PID:3384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
3⤵
- Clears Windows event logs
PID:2428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
3⤵
PID:5100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
3⤵
- Clears Windows event logs
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
3⤵
PID:5096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
3⤵
PID:4288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
3⤵
PID:628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
3⤵
PID:1896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
3⤵
PID:4140

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
3⤵
PID:2876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
3⤵
PID:3172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
3⤵
- Clears Windows event logs
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
3⤵
PID:1728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
3⤵
PID:5032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
3⤵
PID:3884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
3⤵
PID:4540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
3⤵
PID:2116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
3⤵
PID:4380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
3⤵
PID:1136

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
3⤵
PID:380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
3⤵
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
3⤵
PID:396

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
3⤵
PID:716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
3⤵
PID:552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
3⤵
PID:444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
3⤵
PID:3716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
3⤵
PID:2884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
3⤵
PID:1372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
3⤵
PID:1112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
3⤵
PID:2760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
3⤵
PID:2468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
3⤵
PID:3280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
3⤵
PID:3568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
3⤵
PID:2956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
3⤵
PID:2764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
3⤵
PID:3564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
3⤵
PID:3512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
3⤵
- Clears Windows event logs
PID:3040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
3⤵
PID:4184

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
3⤵
- Clears Windows event logs
PID:4252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
3⤵
PID:2992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
3⤵
PID:2280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
3⤵
PID:872

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
3⤵
PID:1948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
3⤵
- Clears Windows event logs
PID:4668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
3⤵
- Clears Windows event logs
PID:4616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
3⤵
PID:4820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
3⤵
PID:4800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
3⤵
PID:2624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
3⤵
PID:4764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
3⤵
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
3⤵
PID:1672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
3⤵
PID:2644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
3⤵
PID:4452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
3⤵
PID:4788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
3⤵
PID:4824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
3⤵
- Clears Windows event logs
PID:3144

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
3⤵
PID:4416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
3⤵
PID:4028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
3⤵
PID:1124

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
3⤵
PID:2680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
3⤵
PID:1864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
3⤵
- Clears Windows event logs
PID:3552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
3⤵
PID:3956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
3⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
3⤵
PID:4456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
3⤵
PID:4276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
3⤵
PID:4900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
3⤵
PID:3044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
3⤵
PID:3896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
3⤵
PID:2480

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
3⤵
PID:2000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
3⤵
PID:2664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
3⤵
- Clears Windows event logs
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
3⤵
PID:3384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
3⤵
PID:2428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
3⤵
PID:5100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
3⤵
PID:5096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
3⤵
PID:4288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\7EDA.tmp\7EDB.bat
Filesize
679B

MD5
064bb52705e97caeee4dcbb5c72c1413

SHA1
13107d14185397ad662c08dda51a0ebe7583fbe8

SHA256
a8ef3b7eaef87d32ea17f27c2f9ad0eb46d394fc6f381972657dbae63d0bbb26

SHA512
af599892866fd6bfbe067ee1b2f15e9d201401adedf9db624d0f31d7181754a03cb4ea0fa1fb666598cdb601f212ee79a1c4b437d7e9a25dba901c8c481dc095

Download Submit