f7f336955fa601fcd9ecb0e30911e6543882b2027dcbd27ac307d25fabd342db

Analysis

max time kernel
27s
max time network
36s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Meta Unban/Cleaners/EventCleaner.exe
Size

219KB
MD5

9353ed7c3ba8e2417ce2664ae7afac16
SHA1

05699a2a2792795db1d8f59273172ad80bdc8b06
SHA256

069b31cb7f9054647b684da4fc5263fa690e32d75729ec6b5c808b0c532b9628
SHA512

cb456c14c9ef6f49a92c989668bedb423e4020b761e627c4d67f90e855e9385d58cf0d1e024a0c728126cccdad2836615d23cd3011a8447470482ca939795262
SSDEEP

6144:Qtzsb5Uh28+V1WW69B9VjMdxPedN9ug0z9TB9SmDqzW:QtzE5elwLz9TrVeW

Score

9^/10

evasion ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
2044	wevtutil.exe
324	wevtutil.exe
576	wevtutil.exe
864	wevtutil.exe
916	wevtutil.exe
2016	wevtutil.exe
1824	wevtutil.exe
1620	wevtutil.exe
584	wevtutil.exe
436	wevtutil.exe
1572	wevtutil.exe
1316	wevtutil.exe
844	wevtutil.exe
780	wevtutil.exe
1936	wevtutil.exe
1564	wevtutil.exe
1312	wevtutil.exe
956	wevtutil.exe
900	wevtutil.exe
672	wevtutil.exe
1620	wevtutil.exe
1180	wevtutil.exe
1868	wevtutil.exe
928	wevtutil.exe
1364	wevtutil.exe
876	wevtutil.exe
1176	wevtutil.exe
1920	wevtutil.exe
436	wevtutil.exe
880	wevtutil.exe
1888	wevtutil.exe
1440	wevtutil.exe
1624	wevtutil.exe
576	wevtutil.exe
1240	wevtutil.exe
1700	wevtutil.exe
1380	wevtutil.exe
1312	wevtutil.exe
1936	wevtutil.exe
1620	wevtutil.exe
1500	wevtutil.exe
324	wevtutil.exe
2044	wevtutil.exe
660	wevtutil.exe
1576	wevtutil.exe
560	wevtutil.exe
332	wevtutil.exe
364	wevtutil.exe
1628	wevtutil.exe
1440	wevtutil.exe
584	wevtutil.exe
780	wevtutil.exe
1416	wevtutil.exe
1564	wevtutil.exe
1220	wevtutil.exe
1212	wevtutil.exe
844	wevtutil.exe
1508	wevtutil.exe
436	wevtutil.exe
1668	wevtutil.exe
780	wevtutil.exe
1888	wevtutil.exe
864	wevtutil.exe
1312	wevtutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeSecurityPrivilege	1904	wevtutil.exe
Token: SeBackupPrivilege	1904	wevtutil.exe
Token: SeSecurityPrivilege	524	wevtutil.exe
Token: SeBackupPrivilege	524	wevtutil.exe
Token: SeSecurityPrivilege	672	wevtutil.exe
Token: SeBackupPrivilege	672	wevtutil.exe
Token: SeSecurityPrivilege	908	wevtutil.exe
Token: SeBackupPrivilege	908	wevtutil.exe
Token: SeSecurityPrivilege	876	wevtutil.exe
Token: SeBackupPrivilege	876	wevtutil.exe
Token: SeSecurityPrivilege	880	wevtutil.exe
Token: SeBackupPrivilege	880	wevtutil.exe
Token: SeSecurityPrivilege	1748	wevtutil.exe
Token: SeBackupPrivilege	1748	wevtutil.exe
Token: SeSecurityPrivilege	628	wevtutil.exe
Token: SeBackupPrivilege	628	wevtutil.exe
Token: SeSecurityPrivilege	1592	wevtutil.exe
Token: SeBackupPrivilege	1592	wevtutil.exe
Token: SeSecurityPrivilege	2016	wevtutil.exe
Token: SeBackupPrivilege	2016	wevtutil.exe
Token: SeSecurityPrivilege	1852	wevtutil.exe
Token: SeBackupPrivilege	1852	wevtutil.exe
Token: SeSecurityPrivilege	884	wevtutil.exe
Token: SeBackupPrivilege	884	wevtutil.exe
Token: SeSecurityPrivilege	1624	wevtutil.exe
Token: SeBackupPrivilege	1624	wevtutil.exe
Token: SeSecurityPrivilege	1540	wevtutil.exe
Token: SeBackupPrivilege	1540	wevtutil.exe
Token: SeSecurityPrivilege	1788	wevtutil.exe
Token: SeBackupPrivilege	1788	wevtutil.exe
Token: SeSecurityPrivilege	892	wevtutil.exe
Token: SeBackupPrivilege	892	wevtutil.exe
Token: SeSecurityPrivilege	832	wevtutil.exe
Token: SeBackupPrivilege	832	wevtutil.exe
Token: SeSecurityPrivilege	108	wevtutil.exe
Token: SeBackupPrivilege	108	wevtutil.exe
Token: SeSecurityPrivilege	1668	wevtutil.exe
Token: SeBackupPrivilege	1668	wevtutil.exe
Token: SeSecurityPrivilege	1328	wevtutil.exe
Token: SeBackupPrivilege	1328	wevtutil.exe
Token: SeSecurityPrivilege	1824	wevtutil.exe
Token: SeBackupPrivilege	1824	wevtutil.exe
Token: SeSecurityPrivilege	1100	wevtutil.exe
Token: SeBackupPrivilege	1100	wevtutil.exe
Token: SeSecurityPrivilege	1996	wevtutil.exe
Token: SeBackupPrivilege	1996	wevtutil.exe
Token: SeSecurityPrivilege	1124	wevtutil.exe
Token: SeBackupPrivilege	1124	wevtutil.exe
Token: SeSecurityPrivilege	780	wevtutil.exe
Token: SeBackupPrivilege	780	wevtutil.exe
Token: SeSecurityPrivilege	1936	wevtutil.exe
Token: SeBackupPrivilege	1936	wevtutil.exe
Token: SeSecurityPrivilege	948	wevtutil.exe
Token: SeBackupPrivilege	948	wevtutil.exe
Token: SeSecurityPrivilege	900	wevtutil.exe
Token: SeBackupPrivilege	900	wevtutil.exe
Token: SeSecurityPrivilege	1084	wevtutil.exe
Token: SeBackupPrivilege	1084	wevtutil.exe
Token: SeSecurityPrivilege	1444	wevtutil.exe
Token: SeBackupPrivilege	1444	wevtutil.exe
Token: SeSecurityPrivilege	1008	wevtutil.exe
Token: SeBackupPrivilege	1008	wevtutil.exe
Token: SeSecurityPrivilege	324	wevtutil.exe
Token: SeBackupPrivilege	324	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EventCleaner.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 1680	2036	EventCleaner.exe	cmd.exe
PID 2036 wrote to memory of 1680	2036	EventCleaner.exe	cmd.exe
PID 2036 wrote to memory of 1680	2036	EventCleaner.exe	cmd.exe
PID 1680 wrote to memory of 688	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 688	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 688	1680	cmd.exe	cmd.exe
PID 688 wrote to memory of 332	688	cmd.exe	bcdedit.exe
PID 688 wrote to memory of 332	688	cmd.exe	bcdedit.exe
PID 688 wrote to memory of 332	688	cmd.exe	bcdedit.exe
PID 1680 wrote to memory of 984	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 984	1680	cmd.exe	cmd.exe
PID 1680 wrote to memory of 984	1680	cmd.exe	cmd.exe
PID 984 wrote to memory of 1904	984	cmd.exe	wevtutil.exe
PID 984 wrote to memory of 1904	984	cmd.exe	wevtutil.exe
PID 984 wrote to memory of 1904	984	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 524	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 524	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 524	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 672	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 672	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 672	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 908	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 908	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 908	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 876	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 876	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 876	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 880	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 880	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 880	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1748	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1748	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1748	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 628	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 628	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 628	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1592	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1592	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1592	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 2016	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 2016	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 2016	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1852	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1852	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1852	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 884	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 884	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 884	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1624	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1624	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1624	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1540	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1540	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1540	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1788	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1788	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 1788	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 892	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 892	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 892	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 832	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 832	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 832	1680	cmd.exe	wevtutil.exe
PID 1680 wrote to memory of 108	1680	cmd.exe	wevtutil.exe

C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\EventCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\EventCleaner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2492.tmp\2493.tmp\2494.bat "C:\Users\Admin\AppData\Local\Temp\Meta Unban\Cleaners\EventCleaner.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit
3⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\system32\bcdedit.exe
bcdedit
4⤵
PID:332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
3⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DebugChannel"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Media Center"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
3⤵
PID:1240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
3⤵
PID:1512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
3⤵
PID:436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
3⤵
- Clears Windows event logs
PID:1888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
3⤵
PID:1800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
3⤵
PID:1352

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
3⤵
PID:1356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
3⤵
PID:928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
3⤵
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
3⤵
- Clears Windows event logs
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
3⤵
PID:596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
3⤵
PID:864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
3⤵
- Clears Windows event logs
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
3⤵
- Clears Windows event logs
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
3⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
3⤵
PID:1508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
3⤵
PID:328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
3⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
3⤵
PID:1316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
3⤵
PID:844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
3⤵
PID:240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
3⤵
- Clears Windows event logs
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
3⤵
PID:1220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
3⤵
PID:1180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
3⤵
PID:1044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
3⤵
PID:1956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
3⤵
PID:1536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
3⤵
- Clears Windows event logs
PID:1212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
3⤵
PID:980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
3⤵
PID:1064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
3⤵
PID:1872

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
3⤵
PID:1664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
3⤵
- Clears Windows event logs
PID:560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
3⤵
PID:1820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
3⤵
PID:1256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
3⤵
PID:1096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
3⤵
- Clears Windows event logs
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
3⤵
PID:1736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
3⤵
PID:2000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
3⤵
- Clears Windows event logs
PID:1416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
3⤵
- Clears Windows event logs
PID:332

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
3⤵
PID:1412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
3⤵
- Clears Windows event logs
PID:364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
3⤵
PID:1604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
3⤵
PID:1908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
3⤵
- Clears Windows event logs
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
3⤵
PID:908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
3⤵
PID:876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
3⤵
- Clears Windows event logs
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
3⤵
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
3⤵
PID:628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
3⤵
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
3⤵
PID:1852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
3⤵
PID:884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
3⤵
PID:1556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
3⤵
PID:1788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
3⤵
PID:1440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
3⤵
PID:616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
3⤵
PID:836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
3⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
3⤵
PID:1148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
3⤵
PID:1636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
3⤵
- Clears Windows event logs
PID:1176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
3⤵
- Clears Windows event logs
PID:1920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
3⤵
PID:1656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
3⤵
PID:1688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
3⤵
PID:2008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
3⤵
PID:1400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
3⤵
- Clears Windows event logs
PID:1240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
3⤵
PID:1036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
3⤵
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
3⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
3⤵
- Clears Windows event logs
PID:1500

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
3⤵
PID:1312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
3⤵
PID:1384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
3⤵
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
3⤵
PID:928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
3⤵
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
3⤵
PID:596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
3⤵
PID:864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
3⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
3⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
3⤵
- Clears Windows event logs
PID:1508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
3⤵
PID:328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
3⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
3⤵
PID:1316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
3⤵
PID:844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
3⤵
PID:240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
3⤵
- Clears Windows event logs
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
3⤵
- Clears Windows event logs
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
3⤵
PID:1220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
3⤵
- Clears Windows event logs
PID:1180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
3⤵
PID:1936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
3⤵
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
3⤵
PID:1444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
3⤵
PID:1008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
3⤵
- Clears Windows event logs
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
3⤵
PID:636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
3⤵
PID:1512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
3⤵
PID:436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
3⤵
PID:1888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
3⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
3⤵
PID:1500

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
3⤵
- Clears Windows event logs
PID:1312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
3⤵
PID:1384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
3⤵
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
3⤵
PID:928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
3⤵
- Clears Windows event logs
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
3⤵
PID:596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
3⤵
PID:864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
3⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International/Operational"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
3⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
3⤵
PID:1508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
3⤵
- Clears Windows event logs
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
3⤵
PID:328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
3⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
3⤵
- Clears Windows event logs
PID:1316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
3⤵
PID:844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
3⤵
PID:240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
3⤵
PID:1220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
3⤵
PID:1180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
3⤵
PID:1936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
3⤵
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
3⤵
PID:1444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
3⤵
PID:1008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
3⤵
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
3⤵
PID:636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
3⤵
PID:1512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
3⤵
- Clears Windows event logs
PID:436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
3⤵
PID:1888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
3⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
3⤵
PID:1500

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
3⤵
PID:1312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
3⤵
PID:1384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
3⤵
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
3⤵
- Clears Windows event logs
PID:928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
3⤵
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
3⤵
PID:596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
3⤵
- Clears Windows event logs
PID:864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
3⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
3⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
3⤵
PID:1508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
3⤵
PID:328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
3⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
3⤵
PID:1316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
3⤵
- Clears Windows event logs
PID:844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
3⤵
PID:240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
3⤵
PID:1220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
3⤵
PID:1180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
3⤵
PID:1936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
3⤵
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
3⤵
PID:1444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
3⤵
PID:1008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
3⤵
- Clears Windows event logs
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
3⤵
PID:636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
3⤵
PID:1512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
3⤵
PID:436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
3⤵
PID:1888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
3⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
3⤵
PID:1500

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
3⤵
- Clears Windows event logs
PID:1312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
3⤵
PID:1384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
3⤵
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
3⤵
PID:928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
3⤵
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
3⤵
- Clears Windows event logs
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
3⤵
PID:596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
3⤵
PID:864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
3⤵
- Clears Windows event logs
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
3⤵
- Clears Windows event logs
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
3⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
3⤵
PID:1508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
3⤵
PID:328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
3⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
3⤵
PID:1316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
3⤵
- Clears Windows event logs
PID:844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
3⤵
PID:240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
3⤵
PID:1220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
3⤵
PID:1180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
3⤵
- Clears Windows event logs
PID:1936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
3⤵
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
3⤵
PID:1444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
3⤵
PID:1008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
3⤵
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
3⤵
PID:636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
3⤵
PID:1512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
3⤵
PID:436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
3⤵
- Clears Windows event logs
PID:1888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
3⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
3⤵
PID:1500

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
3⤵
- Clears Windows event logs
PID:1312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
3⤵
PID:1384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
3⤵
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
3⤵
PID:928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
3⤵
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
3⤵
PID:596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
3⤵
- Clears Windows event logs
PID:864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
3⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
3⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
3⤵
PID:1508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
3⤵
PID:328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
3⤵
- Clears Windows event logs
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
3⤵
PID:1316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
3⤵
PID:844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
3⤵
PID:240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
3⤵
- Clears Windows event logs
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
3⤵
- Clears Windows event logs
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
3⤵
- Clears Windows event logs
PID:1220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
3⤵
PID:1180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
3⤵
- Clears Windows event logs
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
3⤵
PID:1936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
3⤵
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
3⤵
PID:1444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
3⤵
PID:1008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
3⤵
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
3⤵
PID:636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
3⤵
PID:1512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
3⤵
- Clears Windows event logs
PID:436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
3⤵
PID:1888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
3⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
3⤵
PID:1500

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
3⤵
PID:1312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
3⤵
PID:1384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
3⤵
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
3⤵
PID:928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
3⤵
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
3⤵
PID:596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
3⤵
PID:864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
3⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
3⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
3⤵
PID:1508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
3⤵
PID:328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
3⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
3⤵
PID:1316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
3⤵
PID:844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
3⤵
PID:240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
3⤵
PID:1220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
3⤵
PID:1180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
3⤵
- Clears Windows event logs
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
3⤵
PID:1936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
3⤵
- Clears Windows event logs
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
3⤵
PID:1444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
3⤵
PID:1008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
3⤵
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
3⤵
PID:636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
3⤵
PID:1512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
3⤵
- Clears Windows event logs
PID:436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
3⤵
PID:1888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
3⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
3⤵
PID:1500

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
3⤵
PID:1312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
3⤵
PID:1384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
3⤵
- Clears Windows event logs
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
3⤵
PID:928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
3⤵
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
3⤵
PID:596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
3⤵
PID:864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
3⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
3⤵
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
3⤵
PID:1556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
3⤵
PID:1788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
3⤵
- Clears Windows event logs
PID:1440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
3⤵
- Clears Windows event logs
PID:1668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
3⤵
PID:836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
3⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
3⤵
PID:1572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
3⤵
PID:1220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
3⤵
PID:1180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
3⤵
- Clears Windows event logs
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
3⤵
PID:1936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
3⤵
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
3⤵
PID:1444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
3⤵
PID:1008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
3⤵
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
3⤵
PID:636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
3⤵
PID:1512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
3⤵
PID:436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
3⤵
PID:1888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
3⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
3⤵
PID:1500

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
3⤵
PID:1312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
3⤵
PID:1384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
3⤵
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
3⤵
PID:928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
3⤵
- Clears Windows event logs
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
3⤵
PID:596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
3⤵
PID:864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
3⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ntshrui"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
3⤵
- Clears Windows event logs
PID:916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
3⤵
PID:1556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "OAlerts"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Security"
3⤵
PID:1788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Setup"
3⤵
- Clears Windows event logs
PID:1440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "System"
3⤵
PID:1668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "TabletPC_InputPanel_Channel"
3⤵
PID:1544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
3⤵
- Clears Windows event logs
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
3⤵
PID:836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WMPSetup"
3⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WMPSyncEngine"
3⤵
- Clears Windows event logs
PID:1572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Windows PowerShell"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "muxencode"
3⤵
PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2492.tmp\2493.tmp\2494.bat

Filesize
679B

MD5
064bb52705e97caeee4dcbb5c72c1413

SHA1
13107d14185397ad662c08dda51a0ebe7583fbe8

SHA256
a8ef3b7eaef87d32ea17f27c2f9ad0eb46d394fc6f381972657dbae63d0bbb26

SHA512
af599892866fd6bfbe067ee1b2f15e9d201401adedf9db624d0f31d7181754a03cb4ea0fa1fb666598cdb601f212ee79a1c4b437d7e9a25dba901c8c481dc095

Download Submit