5cb223d0a5a81088111c79b03def6e2b5bb20701689fe069cc1e649af6a63f29

Analysis

max time kernel
122s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

win_clean.exe
Size

539KB
MD5

c95eca96375b48080ee4c65ad277b1f4
SHA1

d2f90ceb9ccb67c662d3a7030754179491437cde
SHA256

5cb223d0a5a81088111c79b03def6e2b5bb20701689fe069cc1e649af6a63f29
SHA512

7f9722dbe571f934137eaf649cf961985d8c8c6a34a0746866007ea8656b6ca23ede2c9fb4f589f74c830f933ace59bc3684e9b2e172e90a80735fedeb01b399
SSDEEP

12288:NcrNS33L10QdrX5T+tkDnCuZwFxfYYzwBHZulEEon8g+R:wNA3R5drXzDLmrftzEHZcpon1O

Score

9^/10

evasion ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
1880	wevtutil.exe
2152	wevtutil.exe
488	wevtutil.exe
4184	Process not Found
1772	wevtutil.exe
4972	wevtutil.exe
4488	Process not Found
2848	wevtutil.exe
4556	wevtutil.exe
4012	wevtutil.exe
3588	wevtutil.exe
3744	wevtutil.exe
1312	wevtutil.exe
1216	wevtutil.exe
636	wevtutil.exe
2724	wevtutil.exe
4116	wevtutil.exe
5056	wevtutil.exe
2704	wevtutil.exe
1776	wevtutil.exe
2008	wevtutil.exe
1004	wevtutil.exe
2720	wevtutil.exe
3972	Process not Found
4784	wevtutil.exe
2848	wevtutil.exe
4668	wevtutil.exe
436	wevtutil.exe
3864	Process not Found
3108	Process not Found
3452	Process not Found
3904	Process not Found
4016	wevtutil.exe
3128	wevtutil.exe
3868	wevtutil.exe
4200	wevtutil.exe
3128	wevtutil.exe
3144	wevtutil.exe
224	wevtutil.exe
3360	wevtutil.exe
4992	wevtutil.exe
2880	wevtutil.exe
2008	wevtutil.exe
1520	wevtutil.exe
652	wevtutil.exe
2856	wevtutil.exe
3752	wevtutil.exe
5064	wevtutil.exe
3268	wevtutil.exe
924	wevtutil.exe
4204	wevtutil.exe
484	wevtutil.exe
4292	wevtutil.exe
3588	Process not Found
1472	Process not Found
3124	wevtutil.exe
408	wevtutil.exe
3800	Process not Found
236	wevtutil.exe
316	wevtutil.exe
1160	wevtutil.exe
4896	wevtutil.exe
1040	Process not Found
1432	wevtutil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	win_clean.exe

Executes dropped EXE 3 IoCs

pid	Process
3968	EventCleaner.exe
5040	phant0mx64.exe
3240	FileWiper.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\winevt\logs\security.evtx	EventCleaner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2472	timeout.exe
4200	Process not Found
4284	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3968	EventCleaner.exe
3968	EventCleaner.exe
3968	EventCleaner.exe
3968	EventCleaner.exe
5040	phant0mx64.exe
5040	phant0mx64.exe
1156	powershell.exe
1156	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	EventCleaner.exe
Token: SeDebugPrivilege	5040	phant0mx64.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeSecurityPrivilege	408	wevtutil.exe
Token: SeBackupPrivilege	408	wevtutil.exe
Token: SeSecurityPrivilege	4484	wevtutil.exe
Token: SeBackupPrivilege	4484	wevtutil.exe
Token: SeSecurityPrivilege	1504	wevtutil.exe
Token: SeBackupPrivilege	1504	wevtutil.exe
Token: SeSecurityPrivilege	2160	wevtutil.exe
Token: SeBackupPrivilege	2160	wevtutil.exe
Token: SeSecurityPrivilege	4024	wevtutil.exe
Token: SeBackupPrivilege	4024	wevtutil.exe
Token: SeSecurityPrivilege	3704	wevtutil.exe
Token: SeBackupPrivilege	3704	wevtutil.exe
Token: SeSecurityPrivilege	3448	wevtutil.exe
Token: SeBackupPrivilege	3448	wevtutil.exe
Token: SeSecurityPrivilege	1388	wevtutil.exe
Token: SeBackupPrivilege	1388	wevtutil.exe
Token: SeSecurityPrivilege	4172	wevtutil.exe
Token: SeBackupPrivilege	4172	wevtutil.exe
Token: SeSecurityPrivilege	4156	wevtutil.exe
Token: SeBackupPrivilege	4156	wevtutil.exe
Token: SeSecurityPrivilege	1040	wevtutil.exe
Token: SeBackupPrivilege	1040	wevtutil.exe
Token: SeSecurityPrivilege	4396	wevtutil.exe
Token: SeBackupPrivilege	4396	wevtutil.exe
Token: SeSecurityPrivilege	3320	wevtutil.exe
Token: SeBackupPrivilege	3320	wevtutil.exe
Token: SeSecurityPrivilege	3904	wevtutil.exe
Token: SeBackupPrivilege	3904	wevtutil.exe
Token: SeSecurityPrivilege	1276	wevtutil.exe
Token: SeBackupPrivilege	1276	wevtutil.exe
Token: SeSecurityPrivilege	4488	wevtutil.exe
Token: SeBackupPrivilege	4488	wevtutil.exe
Token: SeSecurityPrivilege	3868	wevtutil.exe
Token: SeBackupPrivilege	3868	wevtutil.exe
Token: SeSecurityPrivilege	4000	wevtutil.exe
Token: SeBackupPrivilege	4000	wevtutil.exe
Token: SeSecurityPrivilege	3720	wevtutil.exe
Token: SeBackupPrivilege	3720	wevtutil.exe
Token: SeSecurityPrivilege	2224	wevtutil.exe
Token: SeBackupPrivilege	2224	wevtutil.exe
Token: SeSecurityPrivilege	552	wevtutil.exe
Token: SeBackupPrivilege	552	wevtutil.exe
Token: SeSecurityPrivilege	4468	wevtutil.exe
Token: SeBackupPrivilege	4468	wevtutil.exe
Token: SeSecurityPrivilege	1644	wevtutil.exe
Token: SeBackupPrivilege	1644	wevtutil.exe
Token: SeSecurityPrivilege	3388	wevtutil.exe
Token: SeBackupPrivilege	3388	wevtutil.exe
Token: SeSecurityPrivilege	3412	wevtutil.exe
Token: SeBackupPrivilege	3412	wevtutil.exe
Token: SeSecurityPrivilege	648	wevtutil.exe
Token: SeBackupPrivilege	648	wevtutil.exe
Token: SeSecurityPrivilege	4300	wevtutil.exe
Token: SeBackupPrivilege	4300	wevtutil.exe
Token: SeSecurityPrivilege	2380	wevtutil.exe
Token: SeBackupPrivilege	2380	wevtutil.exe
Token: SeSecurityPrivilege	2276	wevtutil.exe
Token: SeBackupPrivilege	2276	wevtutil.exe
Token: SeSecurityPrivilege	2296	wevtutil.exe
Token: SeBackupPrivilege	2296	wevtutil.exe
Token: SeSecurityPrivilege	3404	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2732	4736	win_clean.exe	83
PID 4736 wrote to memory of 2732	4736	win_clean.exe	83
PID 4736 wrote to memory of 2732	4736	win_clean.exe	83
PID 2732 wrote to memory of 3968	2732	cmd.exe	86
PID 2732 wrote to memory of 3968	2732	cmd.exe	86
PID 2732 wrote to memory of 3860	2732	cmd.exe	87
PID 2732 wrote to memory of 3860	2732	cmd.exe	87
PID 2732 wrote to memory of 3860	2732	cmd.exe	87
PID 2732 wrote to memory of 2960	2732	cmd.exe	88
PID 2732 wrote to memory of 2960	2732	cmd.exe	88
PID 2732 wrote to memory of 2960	2732	cmd.exe	88
PID 2732 wrote to memory of 2932	2732	cmd.exe	92
PID 2732 wrote to memory of 2932	2732	cmd.exe	92
PID 2732 wrote to memory of 2932	2732	cmd.exe	92
PID 2732 wrote to memory of 5040	2732	cmd.exe	93
PID 2732 wrote to memory of 5040	2732	cmd.exe	93
PID 3860 wrote to memory of 2752	3860	cmd.exe	95
PID 3860 wrote to memory of 2752	3860	cmd.exe	95
PID 3860 wrote to memory of 2752	3860	cmd.exe	95
PID 2732 wrote to memory of 1156	2732	cmd.exe	96
PID 2732 wrote to memory of 1156	2732	cmd.exe	96
PID 2732 wrote to memory of 1156	2732	cmd.exe	96
PID 2732 wrote to memory of 3240	2732	cmd.exe	102
PID 2732 wrote to memory of 3240	2732	cmd.exe	102
PID 2732 wrote to memory of 3240	2732	cmd.exe	102
PID 2960 wrote to memory of 4284	2960	cmd.exe	97
PID 2960 wrote to memory of 4284	2960	cmd.exe	97
PID 2960 wrote to memory of 4284	2960	cmd.exe	97
PID 2732 wrote to memory of 2472	2732	cmd.exe	99
PID 2732 wrote to memory of 2472	2732	cmd.exe	99
PID 2732 wrote to memory of 2472	2732	cmd.exe	99
PID 3860 wrote to memory of 1876	3860	cmd.exe	98
PID 3860 wrote to memory of 1876	3860	cmd.exe	98
PID 3860 wrote to memory of 1876	3860	cmd.exe	98
PID 2932 wrote to memory of 4128	2932	cmd.exe	100
PID 2932 wrote to memory of 4128	2932	cmd.exe	100
PID 2932 wrote to memory of 4128	2932	cmd.exe	100
PID 3860 wrote to memory of 464	3860	cmd.exe	103
PID 3860 wrote to memory of 464	3860	cmd.exe	103
PID 3860 wrote to memory of 464	3860	cmd.exe	103
PID 3860 wrote to memory of 1616	3860	cmd.exe	104
PID 3860 wrote to memory of 1616	3860	cmd.exe	104
PID 3860 wrote to memory of 1616	3860	cmd.exe	104
PID 2960 wrote to memory of 4556	2960	cmd.exe	108
PID 2960 wrote to memory of 4556	2960	cmd.exe	108
PID 2960 wrote to memory of 4556	2960	cmd.exe	108
PID 4556 wrote to memory of 408	4556	cmd.exe	109
PID 4556 wrote to memory of 408	4556	cmd.exe	109
PID 4556 wrote to memory of 408	4556	cmd.exe	109
PID 2960 wrote to memory of 4484	2960	cmd.exe	110
PID 2960 wrote to memory of 4484	2960	cmd.exe	110
PID 2960 wrote to memory of 4484	2960	cmd.exe	110
PID 2960 wrote to memory of 1504	2960	cmd.exe	111
PID 2960 wrote to memory of 1504	2960	cmd.exe	111
PID 2960 wrote to memory of 1504	2960	cmd.exe	111
PID 2960 wrote to memory of 2160	2960	cmd.exe	112
PID 2960 wrote to memory of 2160	2960	cmd.exe	112
PID 2960 wrote to memory of 2160	2960	cmd.exe	112
PID 2960 wrote to memory of 4024	2960	cmd.exe	113
PID 2960 wrote to memory of 4024	2960	cmd.exe	113
PID 2960 wrote to memory of 4024	2960	cmd.exe	113
PID 2960 wrote to memory of 3704	2960	cmd.exe	114
PID 2960 wrote to memory of 3704	2960	cmd.exe	114
PID 2960 wrote to memory of 3704	2960	cmd.exe	114

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1616	attrib.exe

C:\Users\Admin\AppData\Local\Temp\win_clean.exe
"C:\Users\Admin\AppData\Local\Temp\win_clean.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\x.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\EventCleaner.exe
    EventCleaner.exe closehandle
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K rdp.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
      4⤵
      PID:464
  - - C:\Windows\SysWOW64\attrib.exe
      attrib Default.rdp -s -h
      4⤵
      Views/modifies file attributes
      PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K logkiller.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:4284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe el
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe el
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "AMSI/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "AirSpaceChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1504
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Application"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4024
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "DirectShowFilterGraph"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3704
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "DirectShowPluginControl"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3448
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Els_Hyphenation/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1388
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "EndpointMapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4172
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "FirstUXPerf-Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4156
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "ForwardedEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "General Logging"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "HardwareEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3320
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "IHM_DebugChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3904
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1276
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3868
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4000
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3720
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Internet Explorer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:552
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Key Management Service"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4468
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3388
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationFrameServer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3412
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MedaFoundationVideoProc"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:648
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MedaFoundationVideoProcD3D"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4300
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationAsyncWrapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2380
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationContentProtection"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2276
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDS"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2296
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3404
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationMP4"
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationMediaEngine"
      4⤵
      PID:3364
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformance"
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformanceCore"
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPipeline"
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPlatform"
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationSrcPrefetch"
      4⤵
      PID:4204
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Admin"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Debug"
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Operational"
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-IE/Diagnostic"
      4⤵
      PID:236
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
      4⤵
      PID:224
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
      4⤵
      PID:4308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
      4⤵
      PID:4744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
      4⤵
      Clears Windows event logs
      PID:4016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
      4⤵
      PID:464
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
      4⤵
      PID:1004
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
      4⤵
      PID:4824
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
      4⤵
      PID:1576
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
      4⤵
      PID:4520
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
      4⤵
      PID:1356
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
      4⤵
      PID:1156
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
      4⤵
      PID:3448
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
      4⤵
      PID:4340
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
      4⤵
      PID:3172
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
      4⤵
      Clears Windows event logs
      PID:652
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
      4⤵
      Clears Windows event logs
      PID:4784
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
      4⤵
      PID:3904
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppSruProv"
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
      4⤵
      PID:4808
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1312
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
      4⤵
      PID:4268
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
      4⤵
      PID:3212
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
      4⤵
      PID:3428
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
      4⤵
      PID:1344
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
      4⤵
      Clears Windows event logs
      PID:2848
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
      4⤵
      PID:4292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
      4⤵
      Clears Windows event logs
      PID:3144
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
      4⤵
      PID:4492
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
      4⤵
      PID:100
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
      4⤵
      Clears Windows event logs
      PID:236
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
      4⤵
      Clears Windows event logs
      PID:224
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
      4⤵
      Clears Windows event logs
      PID:3128
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
      4⤵
      PID:4308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
      4⤵
      Clears Windows event logs
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
      4⤵
      PID:4744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
      4⤵
      PID:4120
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
      4⤵
      PID:4824
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
      4⤵
      PID:1576
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
      4⤵
      PID:4112
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
      4⤵
      PID:4864
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Backup"
      4⤵
      PID:4284
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
      4⤵
      PID:3744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
      4⤵
      PID:4176
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
      4⤵
      PID:3520
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
      4⤵
      PID:4216
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
      4⤵
      PID:3680
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
      4⤵
      PID:4340
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
      4⤵
      PID:3172
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
      4⤵
      PID:652
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
      4⤵
      PID:3904
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
      4⤵
      Clears Windows event logs
      PID:3868
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
      4⤵
      PID:4244
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Call"
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
      4⤵
      PID:3420
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
      4⤵
      PID:3232
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
      4⤵
      PID:1572
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
      4⤵
      PID:3120
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
      4⤵
      PID:3452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
      4⤵
      PID:4764
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
      4⤵
      Clears Windows event logs
      PID:4116
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
      4⤵
      Clears Windows event logs
      PID:316
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
      4⤵
      PID:4252
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
      4⤵
      PID:4936
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
      4⤵
      PID:3392
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
      4⤵
      PID:3948
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
      4⤵
      PID:548
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
      4⤵
      PID:4308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
      4⤵
      PID:4744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
      4⤵
      PID:856
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
      4⤵
      PID:4640
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
      4⤵
      PID:3752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
      4⤵
      PID:5064
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
      4⤵
      PID:4864
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
      4⤵
      PID:4616
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
      4⤵
      Clears Windows event logs
      PID:4556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
      4⤵
      PID:3448
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
      4⤵
      PID:3380
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
      4⤵
      PID:484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
      4⤵
      PID:3164
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
      4⤵
      Clears Windows event logs
      PID:4200
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
      4⤵
      PID:3420
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
      4⤵
      PID:3232
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
      4⤵
      PID:268
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
      4⤵
      PID:236
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
      4⤵
      PID:3940
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
      4⤵
      Clears Windows event logs
      PID:1216
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
      4⤵
      PID:4668
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
      4⤵
      PID:1356
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
      4⤵
      PID:408
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
      4⤵
      PID:3216
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
      4⤵
      PID:3436
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
      4⤵
      PID:4164
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
      4⤵
      Clears Windows event logs
      PID:3124
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
      4⤵
      PID:3680
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
      4⤵
      PID:3400
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
      4⤵
      PID:3792
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
      4⤵
      PID:488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
      4⤵
      Clears Windows event logs
      PID:3360
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
      4⤵
      PID:464
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
      4⤵
      PID:484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3268
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
      4⤵
      PID:4244
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
      4⤵
      PID:4636
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
      4⤵
      PID:3412
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
      4⤵
      PID:648
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
      4⤵
      PID:3404
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
      4⤵
      PID:4252
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
      4⤵
      PID:3392
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
      4⤵
      PID:3948
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
      4⤵
      PID:3956
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
      4⤵
      PID:4184
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
      4⤵
      PID:4744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
      4⤵
      PID:4016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
      4⤵
      PID:1180
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
      4⤵
      PID:4640
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
      4⤵
      PID:3752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
      4⤵
      PID:3768
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
      4⤵
      PID:3488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
      4⤵
      PID:4864
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
      4⤵
      PID:4176
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
      4⤵
      Clears Windows event logs
      PID:408
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
      4⤵
      PID:3216
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
      4⤵
      PID:3436
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
      4⤵
      PID:4164
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
      4⤵
      PID:3448
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
      4⤵
      PID:3380
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
      4⤵
      Clears Windows event logs
      PID:4992
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
      4⤵
      PID:4120
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
      4⤵
      Clears Windows event logs
      PID:4012
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
      4⤵
      PID:3552
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
      4⤵
      PID:1476
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
      4⤵
      PID:3388
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
      4⤵
      PID:4380
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
      4⤵
      Clears Windows event logs
      PID:1776
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
      4⤵
      PID:1840
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Help/Operational"
      4⤵
      PID:3212
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
      4⤵
      PID:4288
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
      4⤵
      PID:3364
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
      4⤵
      PID:3120
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
      4⤵
      PID:3452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
      4⤵
      PID:5072
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
      4⤵
      PID:228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
      4⤵
      PID:224
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
      4⤵
      PID:548
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
      4⤵
      PID:4308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
      4⤵
      PID:1216
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
      4⤵
      PID:1060
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
      4⤵
      PID:728
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
      4⤵
      PID:4744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
      4⤵
      PID:4016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
      4⤵
      PID:1180
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
      4⤵
      Clears Windows event logs
      PID:2880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
      4⤵
      PID:4640
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
      4⤵
      PID:3752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
      4⤵
      PID:808
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
      4⤵
      PID:4616
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
      4⤵
      PID:4648
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
      4⤵
      PID:4452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
      4⤵
      PID:4964
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
      4⤵
      PID:4156
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
      4⤵
      PID:464
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
      4⤵
      PID:4000
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
      4⤵
      Clears Windows event logs
      PID:636
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
      4⤵
      PID:484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
      4⤵
      PID:3304
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
      4⤵
      PID:4200
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
      4⤵
      PID:3412
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
      4⤵
      PID:648
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3588
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
      4⤵
      Clears Windows event logs
      PID:2856
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
      4⤵
      PID:3392
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
      4⤵
      PID:548
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
      4⤵
      Clears Windows event logs
      PID:1160
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
      4⤵
      PID:4308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
      4⤵
      PID:1216
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
      4⤵
      PID:4668
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
      4⤵
      PID:5060
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
      4⤵
      PID:1180
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
      4⤵
      PID:4640
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
      4⤵
      PID:808
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
      4⤵
      PID:4616
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
      4⤵
      PID:4648
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
      4⤵
      PID:4452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
      4⤵
      PID:4964
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
      4⤵
      PID:4156
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
      4⤵
      PID:464
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
      4⤵
      PID:4000
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
      4⤵
      Clears Windows event logs
      PID:1772
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
      4⤵
      PID:484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
      4⤵
      PID:3304
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
      4⤵
      Clears Windows event logs
      PID:924
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
      4⤵
      PID:4200
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
      4⤵
      PID:3412
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
      4⤵
      Clears Windows event logs
      PID:2152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
      4⤵
      Clears Windows event logs
      PID:2848
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
      4⤵
      PID:3288
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:4204
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
      4⤵
      PID:4188
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
      4⤵
      PID:3628
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
      4⤵
      PID:236
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
      4⤵
      PID:4740
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
      4⤵
      PID:4184
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
      4⤵
      PID:4112
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
      4⤵
      Clears Windows event logs
      PID:1432
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
      4⤵
      PID:5036
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
      4⤵
      PID:5060
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:5064
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
      4⤵
      Clears Windows event logs
      PID:2008
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
      4⤵
      PID:2096
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
      4⤵
      PID:4176
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
      4⤵
      PID:3520
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
      4⤵
      Clears Windows event logs
      PID:5056
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
      4⤵
      PID:3812
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
      4⤵
      PID:4340
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
      4⤵
      PID:3448
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
      4⤵
      PID:652
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
      4⤵
      Clears Windows event logs
      PID:4896
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
      4⤵
      PID:1004
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
      4⤵
      PID:488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
      4⤵
      PID:4992
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
      4⤵
      PID:4120
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
      4⤵
      PID:4000
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
      4⤵
      PID:484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
      4⤵
      PID:3304
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
      4⤵
      PID:4200
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
      4⤵
      PID:3412
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
      4⤵
      PID:4372
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
      4⤵
      PID:3944
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
      4⤵
      PID:4316
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
      4⤵
      PID:972
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
      4⤵
      PID:3976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
      4⤵
      PID:4492
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
      4⤵
      PID:4780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
      4⤵
      PID:3948
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
      4⤵
      PID:3956
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
      4⤵
      PID:3408
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
      4⤵
      Clears Windows event logs
      PID:4668
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
      4⤵
      PID:2540
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
      4⤵
      PID:5036
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
      4⤵
      PID:5060
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
      4⤵
      PID:3488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
      4⤵
      PID:560
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
      4⤵
      PID:2096
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
      4⤵
      PID:4176
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
      4⤵
      PID:3520
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
      4⤵
      PID:4164
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
      4⤵
      PID:3680
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
      4⤵
      PID:3400
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
      4⤵
      PID:3380
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
      4⤵
      PID:1908
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
      4⤵
      PID:4000
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
      4⤵
      Clears Windows event logs
      PID:484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
      4⤵
      PID:3388
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
      4⤵
      PID:2512
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
      4⤵
      Clears Windows event logs
      PID:1520
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
      4⤵
      PID:3420
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
      4⤵
      PID:2172
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
      4⤵
      PID:3428
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
      4⤵
      PID:1344
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
      4⤵
      PID:4288
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
      4⤵
      PID:4264
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
      4⤵
      PID:4372
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
      4⤵
      PID:4316
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
      4⤵
      PID:3568
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
      4⤵
      PID:972
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
      4⤵
      PID:3976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
      4⤵
      PID:4492
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
      4⤵
      PID:3144
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
      4⤵
      Clears Windows event logs
      PID:4972
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
      4⤵
      PID:236
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
      4⤵
      PID:4872
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
      4⤵
      PID:1868
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
      4⤵
      PID:1216
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
      4⤵
      PID:3604
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
      4⤵
      PID:4744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
      4⤵
      PID:4016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
      4⤵
      PID:4124
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
      4⤵
      PID:4640
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
      4⤵
      PID:3752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:2008
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
      4⤵
      PID:808
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
      4⤵
      PID:408
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
      4⤵
      PID:4648
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
      4⤵
      PID:4216
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
      4⤵
      PID:4860
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
      4⤵
      PID:3124
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
      4⤵
      PID:3480
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1004
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
      4⤵
      PID:1576
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
      4⤵
      PID:4992
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
      4⤵
      PID:4140
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
      4⤵
      PID:4012
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
      4⤵
      PID:4000
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
      4⤵
      PID:484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
      4⤵
      PID:432
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
      4⤵
      PID:648
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
      4⤵
      PID:3232
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
      4⤵
      PID:1840
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
      4⤵
      PID:4272
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
      4⤵
      PID:2876
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
      4⤵
      PID:3484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
      4⤵
      PID:3120
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
      4⤵
      PID:5028
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
      4⤵
      PID:3452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
      4⤵
      Clears Windows event logs
      PID:2724
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
      4⤵
      PID:4496
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Store/Operational"
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
      4⤵
      PID:2228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
      4⤵
      PID:3900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
      4⤵
      PID:4308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
      4⤵
      PID:4112
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
      4⤵
      PID:3888
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
      4⤵
      Clears Windows event logs
      PID:436
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
      4⤵
      PID:1156
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
      4⤵
      PID:4652
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
      4⤵
      PID:4632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
      4⤵
      Clears Windows event logs
      PID:3744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
      4⤵
      PID:4616
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
      4⤵
      PID:3216
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
      4⤵
      PID:3172
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
      4⤵
      PID:3448
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
      4⤵
      PID:3792
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
      4⤵
      Clears Windows event logs
      PID:488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
      4⤵
      PID:3904
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
      4⤵
      PID:3864
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
      4⤵
      PID:464
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
      4⤵
      PID:3552
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Time-Service/Operational"
      4⤵
      PID:268
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"
      4⤵
      PID:3388
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
      4⤵
      PID:4200
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
      4⤵
      PID:3404
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
      4⤵
      PID:748
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
      4⤵
      PID:4268
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-UCX-Analytic"
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBHUB3-Analytic"
      4⤵
      PID:4152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Analytic"
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UniversalTelemetryClient/Operational"
      4⤵
      Clears Windows event logs
      PID:4292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"
      4⤵
      PID:3260
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel/Operational"
      4⤵
      Clears Windows event logs
      PID:2704
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"
      4⤵
      Clears Windows event logs
      PID:2720
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Device Registration/Debug"
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
      4⤵
      PID:4764
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
      4⤵
      PID:3976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"
      4⤵
      PID:2228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VIRTDISK-Analytic"
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VPN/Operational"
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Volume/Diagnostic"
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
      4⤵
      Clears Windows event logs
      PID:3128
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
      4⤵
      PID:3900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
      4⤵
      PID:4308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
      4⤵
      PID:4112
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WER-PayloadHealth/Operational"
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
      4⤵
      PID:3888
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
      4⤵
      PID:5064
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
      4⤵
      PID:4640
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"
      4⤵
      PID:3752
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
      4⤵
      PID:3312
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
      4⤵
      PID:4864
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Operational"
      4⤵
      PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K putty.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\SimonTatham\PuTTY" /f
      4⤵
      PID:4128
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\phant0mx64.exe
    phant0mx64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell .\rdp_reg_clear.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\SysWOW64\timeout.exe
    timeout 45
    3⤵
    - Delays execution with timeout.exe
    PID:2472
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\FileWiper.exe
    FileWiper.exe
    3⤵
    - Executes dropped EXE
    PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K extra.bat
    3⤵
    PID:232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\EventCleaner.exe

Filesize
302KB

MD5
694f6268d897b513c82faae3f260d893

SHA1
62824d85ea5e6d79386712e5ecf35aaf7868ecfa

SHA256
cb40e9c51f53066c2241e6abd5f642ce7d02ba577b2b693c48a0c47a4cfa8d96

SHA512
79200c4b566bf6891a5e352afec439f339ec075059a2210571357460f4b068ef70a09b7765032f8deedda1103febc3d0f45345984d0f9d3bfea16fd4aa07df70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\EventCleaner.exe

Filesize
302KB

MD5
694f6268d897b513c82faae3f260d893

SHA1
62824d85ea5e6d79386712e5ecf35aaf7868ecfa

SHA256
cb40e9c51f53066c2241e6abd5f642ce7d02ba577b2b693c48a0c47a4cfa8d96

SHA512
79200c4b566bf6891a5e352afec439f339ec075059a2210571357460f4b068ef70a09b7765032f8deedda1103febc3d0f45345984d0f9d3bfea16fd4aa07df70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FileWiper.exe

Filesize
13KB

MD5
73b54e36c9eaf4108be0ea9149f92ae8

SHA1
2d359742c4aaef7d3a9ea95d3d18a16d063f46a1

SHA256
bc86839ffece0217c274d10235a77e8d87aaee2a81e0ed62d2c8b3f53df053df

SHA512
dcddd98091d5a6d089f90979c7fc2bbe2d87c69628a5de1e07ceef7e33e038554ffd2884f0e891d60cb12aae8502770c7a648edf3bdb80f475668bc8207a9afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FileWiper.exe

Filesize
13KB

MD5
73b54e36c9eaf4108be0ea9149f92ae8

SHA1
2d359742c4aaef7d3a9ea95d3d18a16d063f46a1

SHA256
bc86839ffece0217c274d10235a77e8d87aaee2a81e0ed62d2c8b3f53df053df

SHA512
dcddd98091d5a6d089f90979c7fc2bbe2d87c69628a5de1e07ceef7e33e038554ffd2884f0e891d60cb12aae8502770c7a648edf3bdb80f475668bc8207a9afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extra.bat

Filesize
334B

MD5
0108b8594448301a3219b355c868cdbd

SHA1
bd4afb88dcd973bdd63990b91297acc2da476f89

SHA256
12e04ca28b0275ddf3dd4f165139e85e948a03c12871fe65df034edd561c52d8

SHA512
9961369e9c2e2fbd1f1a89d1211a74796482b9c0039033b2e72462e970876d39bd4db913adc7b297177c16bf3d37e73494068bb2af43d14222d8d44c4923a34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\logkiller.bat

Filesize
436B

MD5
d8cc45473b9d3f703f17cc838395c698

SHA1
47b5adffeae34e0b934364a1e74eef241774353c

SHA256
65f82ffb119de3b2ebac2bacbfe8c8667091b884a7553467d03df281b6d1fca5

SHA512
80b04979880873ef2dcc2fc6d7d0ff4241e1e4d40c9ef1e433acccc8f9ede04666eb9b7f05171aab86acaf6e1c181349c85789f9942c25d7a8004cf4bdafcf23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\phant0mx64.exe

Filesize
125KB

MD5
174cf19b28154708db2ce660a9ba4cc6

SHA1
8945b29b6d6b171fe7dec5bc0a99e21f06801f3a

SHA256
c2efee00eb1323b0189e98713e13698ef573a420e448496584defed46d8255e4

SHA512
b1e74a9f3cce7dcf9912af1875564945c444d04ec01b6024aec6fb1f0e79ad9d08a6c255c0fe9638f01090578c7411af950cbbeeb1cf8bf3b94a32a5503c66c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\phant0mx64.exe

Filesize
125KB

MD5
174cf19b28154708db2ce660a9ba4cc6

SHA1
8945b29b6d6b171fe7dec5bc0a99e21f06801f3a

SHA256
c2efee00eb1323b0189e98713e13698ef573a420e448496584defed46d8255e4

SHA512
b1e74a9f3cce7dcf9912af1875564945c444d04ec01b6024aec6fb1f0e79ad9d08a6c255c0fe9638f01090578c7411af950cbbeeb1cf8bf3b94a32a5503c66c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\putty.bat

Filesize
60B

MD5
ca2791c7a8961e4f88e72c4ad78db80a

SHA1
35f26129e533b1af4b4b69e31b51ef43a72b21a8

SHA256
dc76c8e1a94260d0143efe3b537d4296776d9b6e3daad4dbc6d4e994891b481f

SHA512
53be91e8f8c890d8c6cf60d1f39475a0c79755b8250832d625e6755d0f8633aca2fbdfb5ff507c88995ee8d5407a8d8691e8b23b704bb4053b18198716673c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rdp.bat

Filesize
334B

MD5
7683eda9b2f40a6a7cb60cba03150b1e

SHA1
85930febb9f762b40e95b8cf70a8b237471515b7

SHA256
b884404ed849e707b415559240cfcd550c717301f0e0f2b8e2111ba9144d9f42

SHA512
c72e0c960872e4ff88d57e2289eb18773469789a890ac0cd3759874a7b99e807ff5396fd9bccb225729ed262ba66412e689777fc0e7fc0adbb770c0355527ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rdp_reg_clear.ps1

Filesize
726B

MD5
6569b2bab916886b6a324463328c2990

SHA1
61710d034bead7d3f0f6ac6cd1541b63ceca9ec0

SHA256
ff445e24d3e85ac237e8eb8f6b4c92afb3a99d1caa9a127115a8f974a94bf843

SHA512
4f7e3f4b4f17c19aae51d3ee8a8939f7c6ff78519039c7ca6f9c06a8071fc786098fcffe61f70b2a17a4b4032c5098edc45016fae71535a354854e2730dd1101

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x.bat

Filesize
353B

MD5
cdbd558bbfcb4dc28fbff2ae78b7cf83

SHA1
f153ee902a5d4a10b7e7084584ef543b2a8e6a79

SHA256
1532958707f32b50577a32c9b6151330c6f72967d27f293216ffef3ed7f28c9f

SHA512
e88fb13f5bf515393f9adf34980245019fc7a04b770e8dc481a7c3062e049b0d9b0098aa666ccaa08c1f1939ee22f2d5844ae3caefea5630bf779e601c0461ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qbajdy0.x5j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1156-175-0x0000000005390000-0x00000000059B8000-memory.dmp

Filesize
6.2MB

Download
memory/1156-186-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/1156-172-0x00000000028D0000-0x0000000002906000-memory.dmp

Filesize
216KB

Download
memory/1156-176-0x0000000005310000-0x0000000005332000-memory.dmp

Filesize
136KB

Download
memory/1156-178-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/1156-184-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/1156-192-0x00000000061D0000-0x00000000061EE000-memory.dmp

Filesize
120KB

Download
memory/1156-190-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/3240-174-0x0000000004B50000-0x0000000004BE2000-memory.dmp

Filesize
584KB

Download
memory/3240-191-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3240-173-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/3240-193-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3240-177-0x0000000004C00000-0x0000000004C0A000-memory.dmp

Filesize
40KB

Download
memory/3240-197-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3240-198-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3240-171-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download